
Enterprise Ethereum Alliance advances in smart contract security


The Enterprise Ethereum Alliance published a smart contract security audit specification which will ensure a consistent level of smart contract security.

Ethereum has become more active, with progress on the merge as well as recent advances in smart contract security. This comes as security risk has grown: many DeFi protocols have been left vulnerable to a series of scams.

Chainalysis findings indicate that crypto hacks increased by 58.3% from January to July of 2022. The Chainalysis report also shows $1.9 billion in losses to hacks and scams.

Many crypto ecosystems rely on open-source code, which has proven beneficial to the development of DeFi but has also increased the risk of cyber attacks. Smart contract security audits have helped mitigate these attacks.

Chris Cordi, chairman of the EthTrust Security Levels Working Group at the EEA, says that as the Ethereum blockchain industry grows, so will the need for a more mature framework to ensure the security of smart contracts.

Chaals Nevile, a technical program director at the EEA, said in an interview:

“It is relevant to all EVM-based smart-contract platforms where developers use Solidity as a coding language. In a recent analysis by Splunk, this is well over 3/4 of mainnet contracts. But there are also private networks and projects that are based on the Ethereum technology stack but running on their own chain. This specification is as useful to them as it is for mainnet users in helping to secure their work.”

He also explained that the new specification has three levels of tests that organizations will have to consider for the consistent use of smart contract security audits.

“Level [S] is designed so that for most cases, where common features of Solidity are used following well-known patterns, tested code can be certified by an automated ‘static analysis’ tool,” he said.

He also noted that the Level [M] test applies stricter static analysis and adds requirements for a human auditor to ascertain whether a feature is necessary.

Level [Q] will include an analysis of the business logic that the tested code implements.

“This is to ensure that the code does not exhibit known security vulnerabilities, while also making sure it correctly implements what it claims,” he said. There is also an optional “recommended good practices” test that can help enhance the security of smart contracts. Nevile said:

“Using the latest compiler is one of the ‘recommended good practices.’ It’s a pretty straightforward one in most cases, but there are a lot of reasons why a contract might not have been deployed with the latest version. Other good practices include reporting new vulnerabilities so they can be addressed in an update to the spec and writing clean easy-to-read code.”
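The “latest compiler” practice is the kind of check that an automated static analysis pass can perform before a human auditor ever looks at the code. The following Python script is an added illustration, not part of the EthTrust specification or any EEA tooling: it reads the `pragma solidity` constraint from each source file and reports whether that constraint still admits a given compiler release. The sample contracts and the `LATEST_COMPILER` value are constructed for the demo; a real checker would take the current release from the compiler it runs.

```python
import re

# Constructed sample sources (not taken from the article); each carries just enough to show a pragma.
SAMPLE_CONTRACTS = {
    "Vault.sol": "// SPDX-License-Identifier: MIT\npragma solidity 0.8.7;\ncontract Vault {}\n",
    "Token.sol": "pragma solidity ^0.8.20;\ncontract Token {}\n",
    "Legacy.sol": "pragma solidity >=0.4.22 <0.7.0;\ncontract Legacy {}\n",
    "NoPragma.sol": "contract NoPragma {}\n",
}

# Assumed most recent solc release for this demo (placeholder, not a statement of the real current version).
LATEST_COMPILER = (0, 8, 25)

PRAGMA_RE = re.compile(r"pragma\s+solidity\s+([^;]+);")
# One constraint term: optional operator followed by major.minor.patch
TERM_RE = re.compile(r"(\^|>=|<=|>|<|=)?\s*(\d+)\.(\d+)\.(\d+)")


def parse_pragma(source: str):
    """Return the raw version constraint from the first `pragma solidity` line, or None."""
    m = PRAGMA_RE.search(source)
    return m.group(1).strip() if m else None


def term_allows(op: str, bound: tuple, version: tuple) -> bool:
    """Check a single constraint term (e.g. '^0.8.20') against a compiler version tuple."""
    if op in ("", "="):
        return version == bound
    if op == "^":
        # ^x.y.z admits x.y.z and later patch releases, but not the next minor release
        return bound <= version < (bound[0], bound[1] + 1, 0)
    return {">=": version >= bound, "<=": version <= bound,
            ">": version > bound, "<": version < bound}[op]


def pragma_allows(constraint: str, version: tuple) -> bool:
    """A constraint is a conjunction of terms; the version must satisfy every one of them."""
    terms = TERM_RE.findall(constraint)
    if not terms:
        raise ValueError(f"unrecognised pragma constraint: {constraint!r}")
    return all(term_allows(op, (int(a), int(b), int(c)), version)
               for op, a, b, c in terms)


def check_contracts(sources: dict, latest: tuple = LATEST_COMPILER) -> dict:
    """Classify each source by whether its pragma admits the latest compiler release."""
    report = {}
    for name, src in sources.items():
        constraint = parse_pragma(src)
        if constraint is None:
            report[name] = "missing-pragma"      # nothing pins the compiler at all
        elif pragma_allows(constraint, latest):
            report[name] = "allows-latest"       # can be rebuilt with the current release
        else:
            report[name] = "excludes-latest"     # needs review: pinned to an older compiler
    return report


if __name__ == "__main__":
    for name, status in check_contracts(SAMPLE_CONTRACTS).items():
        print(f"{name:14} {status}")
```

An "excludes-latest" result is a finding to explain, not an automatic failure: as the quote notes, there can be legitimate reasons a deployed contract was built with an older compiler, which is exactly where the human-auditor levels pick up from the automated one.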

A total of 107 requirements fit within the entire spec, according to Nevile, who also stated that around 50 of them are Level [S] requirements.

Nevile pointed out that the EthTrust Security Levels Specification aims to help auditors show their customers that they are running security at a level appropriate for the industry.

“Auditors can point to this industry standard to establish basic credibility,” he said.

Ronghui Gu, CEO of CertiK, a blockchain security firm, said that these security measures will help ensure the fulfillment of these processes and guidelines.

“It’s important to understand that not all smart contract auditors are equal. Smart contract auditing starts with understanding and experience of the specific ecosystem that a smart contract is being audited for, and the technology stack and code language being used. Not all code or chains are equal. Experience is important here for coverage and findings.”

Mark Beylin, a developer and co-founder of Myco, said:

“Currently, there are many scattered resources for smart contract security, but there isn’t a specific rulebook that auditors will follow when assessing a project’s security. Using this specification, both security auditors and their clients can be on the same page for what kind of security requirements will be checked.”

The security level specifications are helping the development of the Ethereum ecosystem by establishing guidelines for smart contract audits. Nevile noted, however, that the biggest challenge in future will be anticipating the next exploit and how it could occur.

“This specification doesn’t solve those challenges completely. What the spec does do, though, is identify certain steps, like documenting the architecture and the business logic behind contracts, that are important to enabling a thorough security audit.”

Gu also expects that, as Web3 develops, other chains will begin to develop similar standards. For example, other Ethereum platforms have come up with their own set of smart contract requirements. A rating system for these different smart contract security protocols has been created by Samuel Cardillo, chief technology officer at RTFKT, who posted the sheet on Twitter.
