We’ve all heard about the benefits of smart contract technology – a trustless tool to boot out the middleman when exchanging money, assets, or anything of value. As revolutionary as blockchain’s latest buzzword may be, smart contract bugs are causing untold chaos.
Looking at the numbers, one might take Ethereum’s 3% smart contract failure rate as a tolerable loss, a proverbial drop in the ocean. Yet, when a safeguard fails to protect billions of dollars worth of currency, bad things can happen.
Take ICON’s June 2018 bug, which allowed any user—apart from the smart contract creator—to freely enable and disable transactions. The notion of immobilizing an $800+ million blockchain would worry most, but let’s not forget this blunder pales in comparison to past failures.
There have been countless colossal botches, but the king of them very well may be the Distributed Autonomous Organization (DAO) smart contract bug back in 2016. Seeing 3.6 million Ether drained via smart contract hacks, the DAO forced Ethereum’s founders to take radical measures and create a hard fork – the only possibility of salvaging the lost funds (15% of all Ether in circulation at the time).
It takes time to iron out the kinks in any brand-new technology, and smart contracts are no exception.
Can smart contracts be fixed?
Given that such flaws are compromising funds, sensitive data, and digitized assets of every description, one wouldn’t be wrong to ask whether the technology is simply more trouble than it’s worth.
A fair question, but the fact remains that smart contract bugs are not unfixable. A number of projects have emerged to tackle the problem, and any one of them may well be the breath of fresh air needed to restore faith in the technology.
Solidified and Security have surfaced alongside a number of companies offering smart contract verification and auditing. Such labor-powered efforts currently dominate the market, costing thousands, even tens of thousands of dollars per audit. These solutions may be impactful on a case-by-case basis, but it’s obvious that a more cost- and time-effective solution will be needed to meet the world’s growing appetite for blockchain. It would seem, then, that decentralization may hold the keys to the kingdom.
For one, Quantstamp—worth nearly half a billion dollars by market capitalization in January 2018—has devised a security-auditing protocol for smart contracts written in Solidity, the programming language championed by Ethereum. Through Quantstamp, clients have their smart contracts scrutinized by peer-submitted verification software and “Bug Finders.” While an effective solution, Quantstamp’s process is still overly labor-intensive – source code must be reviewed, and specifications written manually by humans.
Many of these projects have leapt towards solving the smart contract crisis, yet they all face the issue of scalability, not to mention their inability to address the issues plaguing blockchain ecosystems as a whole – let’s not forget that decentralized applications (DApps) and blockchain code are equally vulnerable to bugs.
One company proposing an engineered solution is CertiK – an upcoming verification platform for all the components of a blockchain ecosystem, including smart contracts and DApps. Where its competitors rely on manual verification and the classic testing-based approach, CertiK would point to the fact that testing can only identify when bugs are present, and never certify their absence. Instead, CertiK’s platform will mathematically prove that any items are free of bugs and hacker-resistant.
According to CertiK, the answer to truly scalable verification is a layer-based system. Instead of testing (what the team describes as a “prohibitive” task reliant on human labor), CertiK uses modular verification to break tasks down into smaller ones, allowing them to be solved in a decentralized fashion. This style of work incentivizes and rewards the community to construct and validate proofs, improve solving algorithms, and maintain a resilient, cost-effective solution – all music to the ears of advocates of decentralization.
Having previously built one of the world’s first hacker-resistant operating systems, the CertiK team is a blend of academic and corporate verification experience – led by Yale and Columbia University professors, and backed by software engineers from Facebook, Google, and FreeWheel.
Blockchains themselves may be trustless, immutable and incorruptible, but if we ignore the bugs present in them, they are as good as multi-billion dollar safes with faulty locks. As the technology pushes the globe towards new economic models, we will only demand more from smart contracts, DApps, and the verification solutions that uphold their integrity.