Smart contract standards: Making DeFi transactions on Ethereum more secure

Published at: Nov. 21, 2020

Decentralized finance continues to make its impact on the crypto market, and with over $13 billion of total value of assets locked, DeFi projects are clearly resonating with eager crypto investors. Yet while the DeFi space has been progressing over the last year, a number of illegitimate projects have come to fruition, reminding some of the 2017 ICO boom and its subsequent bust.

For example, Harvest Finance, a major decentralized protocol, was recently hacked. The attacker made off with $24 million from Harvest Finance pools. Most recently, Value DeFi, the decentralized finance protocol, fell victim to a $6-million flash loan exploit. And of course, one of the biggest events of the year for DeFi involved SushiSwap, where the creator sold $13 million of dev funds, causing a market crash.

It’s important to point out that the majority of DeFi projects are built on the Ethereum blockchain. According to the website DeFiPrime, there are currently over 200 DeFi projects on the Ethereum network. Yet while Ethereum appears to be the most suitable platform for DeFi projects, the network’s vulnerabilities have played a large role in hacks and fraudulent activities.

Smart contract transactions on Ethereum require security

Specifically speaking, the smart contracts that power Ethereum are known for being fraught with security issues, which, in turn, have greatly impacted DeFi projects. In addition, smart contracts being applied to DeFi projects worth billions of dollars are often not audited beforehand.

Tom Lindeman, a former veteran researcher at Microsoft and the former managing director of the Ethereum Trust Alliance — a group of blockchain companies working on a security system for smart contracts — told Cointelegraph that there are currently no good ways to identify whether a smart contract is secure before initiating a transaction:

“The DeFi space is worth billions of dollars now, but so many of those smart contracts being used are never audited. As such, the DeFi sector continues to see a flurry of activity that has individuals and organizations approving token contracts, swapping tokens, and adding liquidity to pools in quick succession without being able to easily check contract security.”

In an attempt to solve the security challenges related to smart contracts, Lindeman has joined the Enterprise Ethereum Alliance’s newly formed “EthTrust Security Levels Working Group” as its co-chair. According to Lindeman, the working group’s mission will be to continue the advances started by the Ethereum Trust Alliance, or ETA, which aim to set standards for secure smart contract transactions conducted on the Ethereum blockchain.

A registry system for rated smart contracts

Lindeman explained that the ETA has been working on its EthTrust project for close to a year, even before the DeFi space started to expose the vulnerabilities of Ethereum smart contracts. Coincidentally, the EthTrust project joined forces with the Enterprise Ethereum Alliance just as the DeFi space was gaining traction.

Daniel Burnett, executive director of the Enterprise Ethereum Alliance, told Cointelegraph that the timing of the new working group has been purely coincidental with regard to the rise of DeFi. According to Burnett, the new EthTrust project further demonstrates that the Ethereum network is maturing. “We want to help solve the problems many of our members have expressed in regards to Ethereum,” he said.

Specifically, the new working group plans to address security vulnerabilities in smart contracts by creating a standard and registry system to help users gain greater awareness of how to differentiate which contracts have gone through rigorous security checks. While the project is still a work in progress, the goal is to define certain requirements that smart contracts must exhibit in order to be deemed secure.

For example, Pierre-Alain Mouy, an Enterprise Ethereum Alliance member, former ETA product owner and managing director at NVISO Security in Germany, told Cointelegraph that there are three levels of validation that a smart contract can achieve to help individuals understand its level of trust:

“We started the project by including three different levels of badges that smart contracts can earn to prove their level of trust. Level one consists of a smart contract undergoing work through automation. Levels two and three are manual audits by humans to ensure that contracts are safe and secure.”

Mouy shared that in order for a smart contract to achieve a level one badge, an automated security scanning tool will be run against the contract. The AI-powered tool is designed to check for a specific set of requirements that the working group is currently defining.

If a smart contract continues to level two, individuals will perform a security audit. “There will be definitions for audit companies, explaining how long they need to dig into these smart contracts,” said Mouy, adding further: “Eventually, an audit report will be created for the working group to manually review. We are not auditors, however. The working group serves as a router to verify that these steps are taken.”

Finally, if a smart contract makes it to level three, additional specifications and test cases written to verify properties in the contract will be run against it. According to Mouy, this is called the “formal verification process.”

Once a smart contract has undergone this step-by-step verification process, the initiative’s registry system will enable exchanges, for example, to request a specific rating level before new tokens are listed. This system could also be applied to a multi-member consortium that relies on smart contracts for business purposes.

Growing interest in secure smart contracts

According to Lindeman, the EthTrust project has already sparked interest from daily Ethereum users who want to see new things, such as yield farming. He further shared that Big Four firm PricewaterhouseCoopers has expressed interest in using this system to provide smart contract ratings for companies interested in the blockchain space.

The growing interest in secure smart contracts is especially important as the Ethereum infrastructure progresses and the promised benefits of Ethereum 2.0 come to fruition. Burnett believes the Ethereum ecosystem will see increased trust moving forward, which will be exhibited by new projects being used by businesses, such as the work being done by the Baseline Protocol.

While innovative, it’s important to point out that the Enterprise Ethereum Alliance’s new working group and the EthTrust project are not the first to tackle challenges related to the security of smart contracts. For example, blockchain security firm Quantstamp has been performing smart contract audits and security checks for blockchain companies since 2017. The firm’s clients include major players in the space such as Binance and eToro. Quantstamp recently announced that it will audit a new DeFi project on the Polkadot blockchain.

In addition to security firms performing audits, companies are also finding ways to ensure secure smart contracts. For example, Vaiot, a blockchain company that uses artificial intelligence to create digital services for enterprises, leverages AI to provide software security and performance in smart contracts. Jakub Kobeldys, the lead developer at Vaiot, told Cointelegraph that while no amount of AI can fully protect against flaws in code, the technology can aid developers significantly:

“Unsupervised learning techniques could track down new flaws in an automated way, or at least narrow down the search area and give some hints for human experts. It could also lead to the more dynamic development of frameworks that help developers code in a secure manner.”