Smart contract standards: Making DeFi transactions on Ethereum more secure
Decentralized finance continues to make its impact on the crypto market, and with over $13 billion in total value locked, DeFi projects are clearly resonating with eager crypto investors. Yet while the DeFi space has progressed over the last year, a number of illegitimate projects have emerged, reminding some of the 2017 ICO boom and its subsequent bust.
For example, Harvest Finance, a major decentralized protocol, was recently hacked, and the attacker made off with $24 million from Harvest Finance pools. Most recently, Value DeFi, the decentralized finance protocol, fell victim to a $6-million flash loan exploit. And of course, one of the biggest events of the year for DeFi involved SushiSwap, where the creator sold $13 million of dev funds, causing a market crash.
It’s important to point out that the majority of DeFi projects are built on the Ethereum blockchain. According to the website DeFiPrime, there are currently over 200 DeFi projects on the Ethereum network. Yet while Ethereum appears to be the most suitable platform for DeFi projects, the network’s vulnerabilities have played a large role in hacks and fraudulent activities.
Smart contract transactions on Ethereum require security
Specifically speaking, the smart contracts that power Ethereum are known for being fraught with security issues, which, in turn, have greatly impacted DeFi projects. In addition, smart contracts being applied to DeFi projects worth billions of dollars are often not audited beforehand.
Tom Lindeman, a veteran researcher formerly at Microsoft and the former managing director of the Ethereum Trust Alliance, a group of blockchain companies working on a security system for smart contracts, told Cointelegraph that there are currently no good ways to identify whether a smart contract is secure before initiating a transaction:
“The DeFi space is worth billions of dollars now, but so many of those smart contracts being used are never audited. As such, the DeFi sector continues to see a flurry of activity that has individuals and organizations approving token contracts, swapping tokens, and adding liquidity to pools in quick succession without being able to easily check contract security.”
In an attempt to solve the security challenges related to smart contracts, Lindeman has joined the Enterprise Ethereum Alliance’s newly formed “EthTrust Security Levels Working Group” as its co-chair. According to Lindeman, the working group’s mission will be to continue the advances initially started by the Ethereum Trust Alliance, or ETA, which aim to set standards for secure smart contract transactions conducted on the Ethereum blockchain.
A registry system for rated smart contracts
Lindeman explained that the ETA has been working on its EthTrust project for close to a year, even before the DeFi space started to expose the vulnerabilities of Ethereum smart contracts. Coincidentally, the EthTrust project joined forces with the Enterprise Ethereum Alliance just as the DeFi space was gaining traction.
Daniel Burnett, executive director of the Enterprise Ethereum Alliance, told Cointelegraph that the timing of the new working group has been purely coincidental with regard to the rise of DeFi. According to Burnett, the new EthTrust project further demonstrates that the Ethereum network is maturing. “We want to help solve the problems many of our members have expressed in regards to Ethereum,” he said.
Specifically, the new working group plans to address security vulnerabilities in smart contracts by creating a standard and a registry system that help users distinguish which contracts have gone through rigorous security checks. While the project is still a work in progress, the goal is to define certain requirements that smart contracts must meet in order to be deemed secure.
For example, Pierre-Alain Mouy, an Enterprise Ethereum Alliance member, former ETA product owner and managing director at NVISO Security in Germany, told Cointelegraph that there are three levels of validation that a smart contract can achieve to help individuals understand its level of trust:
“We started the project by including three different levels of badges that smart contracts can earn to prove their level of trust. Level one consists of a smart contract undergoing work through automation. Levels two and three are manual audits by humans to ensure that contracts are safe and secure.”
Mouy shared that in order for a smart contract to achieve a level one badge, an automated security scanning tool will be run against the contract. The AI-powered tool is designed to check for a specific set of requirements that the working group is currently defining.
If a smart contract continues to level two, individuals will perform a security audit. “There will be definitions for audit companies, explaining how long they need to dig into these smart contracts,” said Mouy, adding further: “Eventually, an audit report will be created for the working group to manually review. We are not auditors, however. The working group serves as a router to verify that these steps are taken.”
Finally, if a smart contract makes it to level three, additional specifications and test cases are written to verify properties of the contract, and those checks are then carried out. According to Mouy, this is called the “formal verification process.”
Once a smart contract has undergone this step-by-step verification process, the initiative’s registry system will enable exchanges, for example, to request a specific rating level before new tokens are listed. This system could also be applied to a multi-member consortium that relies on smart contracts for business purposes.
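As an added illustration of the registry idea described above (hypothetical code, not the working group’s or the ETA’s own design, which the article does not detail), the following Solidity contract records the badge level each audited contract has earned, lets only authorised attesters raise a level one step at a time in the order the three-level process prescribes, lets governance revoke a badge, and exposes the check an exchange could call before listing a token. The governance address, attester roles and report hashes are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical registry for the three-level badge scheme described in the article.
// Level 0 = unrated, 1 = automated scan passed, 2 = manual audit reviewed,
// 3 = formal verification reviewed. Not the EEA working group's actual registry.
contract EthTrustRegistry {
    address public governance;                      // working group multisig (assumed)
    mapping(address => bool) public attesters;      // parties allowed to record a badge
    mapping(address => uint8) public levelOf;       // audited contract => highest badge earned
    mapping(address => bytes32) public reportHash;  // hash of the report backing that badge

    event LevelGranted(address indexed target, uint8 level, bytes32 report, address attester);
    event LevelRevoked(address indexed target, uint8 previousLevel);

    modifier onlyGovernance() { require(msg.sender == governance, "not governance"); _; }
    modifier onlyAttester()   { require(attesters[msg.sender], "not an attester"); _; }

    constructor() { governance = msg.sender; }

    function setAttester(address who, bool allowed) external onlyGovernance {
        attesters[who] = allowed;
    }

    // Badges are earned in order: a contract cannot jump straight to level 3
    // without levels 1 and 2 having been recorded first, mirroring the
    // step-by-step verification the working group describes.
    function grantLevel(address target, uint8 level, bytes32 report) external onlyAttester {
        require(target.code.length > 0, "target is not a deployed contract");
        require(level >= 1 && level <= 3, "level must be 1, 2 or 3");
        require(level == levelOf[target] + 1, "levels must be earned in order");
        levelOf[target] = level;
        reportHash[target] = report;
        emit LevelGranted(target, level, report, msg.sender);
    }

    // If a rated contract is later found to be flawed, governance can clear its badge
    // so that consumers of the registry stop trusting it.
    function revoke(address target) external onlyGovernance {
        uint8 previous = levelOf[target];
        levelOf[target] = 0;
        reportHash[target] = bytes32(0);
        emit LevelRevoked(target, previous);
    }

    // The gate an exchange or consortium member would call before listing or relying on a token.
    function meetsLevel(address target, uint8 required) external view returns (bool) {
        return levelOf[target] >= required;
    }
}
```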
Growing interest for secure smart contracts
According to Lindeman, the EthTrust project has already sparked interest from daily Ethereum users who want to see new things, such as yield farming. He further shared that Big Four firm PricewaterhouseCoopers has expressed interest in using this system to provide smart contract ratings for companies interested in the blockchain space.
The growing interest in secure smart contracts is especially important as the Ethereum infrastructure progresses and the promised benefits of Ethereum 2.0 come to fruition. Burnett believes the Ethereum ecosystem will see increased trust moving forward, which will be exhibited by new projects being used by businesses, such as the work being done by the Baseline Protocol.
Innovative as they are, the Enterprise Ethereum Alliance’s new working group and the EthTrust project are not the first to tackle challenges related to the security of smart contracts. For example, blockchain security firm Quantstamp has been performing smart contract audits and security checks for blockchain companies since 2017. The firm’s clients include major players in the space such as Binance and eToro. Quantstamp recently announced that it will audit a new DeFi project on the Polkadot blockchain.
In addition to security firms performing audits, companies are also finding ways to ensure secure smart contracts. For example, Vaiot, a blockchain company that uses artificial intelligence to create digital services for enterprises, leverages AI to provide software security and performance in smart contracts. Jakub Kobeldys, the lead developer at Vaiot, told Cointelegraph that while no amount of AI can fully protect against flaws in code, the technology can aid developers significantly:
“Unsupervised learning techniques could track down new flaws in an automated way, or at least narrow down the search area and give some hints for human experts. It could also lead to the more dynamic development of frameworks that help developers code in a secure manner.”