Eliminating the Problem of Smart Contracts Vulnerabilities

Cointime Official

By Pruvendo

Blockchain smart contracts are not a new technology.

For 7 years, people have been developing smart contracts for a wide variety of projects, from DAOs to GameFi. But the security problems that were relevant 7 years ago are still relevant now.

Why, despite audits being applied to almost every web3 project, do the vast majority of smart contracts remain vulnerable and exploitable?

The main reasons that most smart contracts are insecure:

  1. Technologies that do not meet modern realities. Because most vulnerabilities are not obvious, finding them with the most prevalent methods, such as testing or code review, requires an enormous amount of time.
  2. Lack of time in production. Smart contracts are usually written quickly to meet the TTM deadline. Under such conditions, security is often not the main goal, because the audit is treated as the key security checkpoint.
  3. Insufficient tools. The smart contract developer's toolset has no tools or solutions that would allow them to quickly detect vulnerabilities during the development process.
  4. The complexity of smart contract logic. Smart contracts often contain tens of thousands of lines of code and a large number of functions and variables. With millions of possible combinations and interactions between them, it is impossible to cover every scenario that may trigger an error or vulnerability.

As a result, vulnerabilities remain in smart contracts after the project is launched. And because smart contracts are in most cases immutable, it is nearly impossible to prevent the attack and the loss of money (usually the major problem is not even the money, but the reputational loss).

But what tool or method could help avoid all these risks and make it possible to create a 100% secure-by-design smart contract that cannot be hacked or attacked?

Formal verification (FV).

How? Let's analyze its application using examples of the most common smart contract vulnerabilities.

Integer Arithmetic Error

In short: integer overflow, and the problem of inaccurate values arising during calculations.

The way FV prevents this error is simple: during formal verification of the smart contract, all possible values are tested. There cannot be an unexpected value that causes an error.
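To make "all possible values" concrete, here is an added example (not code from the article or from Pruvendo) that checks two properties of a toy token transfer on every input. It assumes a 4-bit word so the full input space can be enumerated; a real prover establishes the same kind of result symbolically for 256-bit values, and all function names here are hypothetical.

```python
from itertools import product

BITS = 4          # assumption: tiny word so every value can be enumerated
MOD = 1 << BITS   # balances range over 0..15 (real contracts use 256 bits)

def transfer_unchecked(sender, receiver, amount):
    """Defective version: wrapping arithmetic with no guards."""
    return (sender - amount) % MOD, (receiver + amount) % MOD

def transfer_checked(sender, receiver, amount):
    """Guarded version: refuse anything that would underflow or overflow."""
    if amount > sender or receiver + amount >= MOD:
        return sender, receiver          # rejected, state unchanged
    return sender - amount, receiver + amount

# Properties relate the balances before a call to the balances after it.
def conserves_total(before, after):
    return sum(before) == sum(after)

def sender_never_gains(before, after):
    return after[0] <= before[0]

def find_counterexample(transfer, prop):
    """Evaluate prop on all MOD**3 inputs; return the first violation or None."""
    for sender, receiver, amount in product(range(MOD), repeat=3):
        after = transfer(sender, receiver, amount)
        if not prop((sender, receiver), after):
            return sender, receiver, amount
    return None

def report():
    """Map (function name, property name) to a counterexample or None."""
    return {
        (t.__name__, p.__name__): find_counterexample(t, p)
        for t in (transfer_unchecked, transfer_checked)
        for p in (conserves_total, sender_never_gains)
    }

if __name__ == "__main__":
    for key, witness in report().items():
        print(key, "->", witness or "holds for all inputs")
```

The result is only as strong as the properties stated: on the input (1, 15, 2) the unchecked version wraps both balances, so the total is conserved and only the second property exposes the defect.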

Missing Parameters

This results from sloppy smart contract design and other programming mistakes made along the way. Applying FV fixes the entire problem by checking every possible input and precondition for every operation. This solves the problem at its root.

Smart Contract Security Audit

What about using an actual audit (code review + testing) to verify the security of formally verified smart contracts? The answer is already in the question: if the smart contract is formally verified, then the methods currently used by auditors will not find any bugs or exploits, because there are none.

Last thoughts

There are many ways to attack a smart contract. But all of them were developed in a situation where smart contracts had many vulnerabilities and no mechanisms to avoid them.

The application of formal verification changes the rules of the game between hackers and security engineers, depriving hackers of ways to attack.
