Smart contracts can have flaws that seriously affect their effectiveness.
Main threats facing Ethereum smart contracts and other blockchains. In addition, he provided a brief summary on how to prevent and deal with them, during his presentation at the Ethereum Rio 2022 conference, yesterday, March 15.
The proliferation of decentralized finance (DeFi) protocols has led to these platforms being targeted by numerous hackers in the past two years. As Tarditi explained in his speech, more than USD 1.3 billion was lost as a result of these computer thefts in 2021 .
Among the most important cases of DeFi hacks last year, the specialist cited what happened with Uranium , with losses of USD 50 million; Compound, with a negative balance of USD 90 million in misdistributed rewards in the month of October; and bZx, which lost $55 million in November to an email phishing attack and also suffered repeated attacks in 2020 .
Also in 2022 these events continue to happen, as happened to the Qubit, Wormhole and meter.io protocols. CriptoNoticias has reported on these cases quite frequently since mid-2020.
Regarding this topic, the speaker explained that his company has carried out more than 1,400 audits of smart contracts in the last six months, which produced a total of 16,400 problems, 5,300 of them of a critical nature for the security of the protocol .
The main risks for smart contracts on Ethereum
To dig deeper into this question, David Tarditi listed five vulnerabilities that decentralized finance protocols can face. He also told how to enhance security to reduce the risk of suffering from them.
Centralization
By far, it is the main problem found by Tarditi and his team in audited smart contracts. They found no less than 3,000 cases of centralization in 1,400 audits . That is, more than 2 errors or failures by contract.
Centralization in smart contracts in Ethereum occurs when there is an "owner" or centralized entity that can alter balances, distribute tokens, make fund withdrawals, update the contract or modify its parameters at will, among other sensitive functions, explained the speaker. .
Precisely, the essence of these contracts and DeFi , as its name indicates, is to eliminate the middleman . In other words, the operation of the protocol must be automated and governed by the code itself, with no possibility for the developer company or any other person to modify it according to their convenience and criteria. This centralization can be even more dangerous when a hacker takes control.
Some ways to prevent this from happening, according to Tardini, include removing that privileged role from code, securing private keys through a multi-signature wallet or time lock, and turning to a decentralized autonomous organization (DAO) for community decision- making .
Logic problems and correction
Logic and correctness failures in smart contracts have to do with those errors that prevent their expected operation . An example of this would be a bad calculation in the rewards for staking a cryptocurrency or the lack of updating of some variable. Programming errors in the code are also included here.
Of the cases analyzed, 1,209 problems of this style arose. This could fit the episodes of Uranium and Compound mentioned above. According to Tarditi, these occurred due to the "omission of a single character in the code" that led to a protocol malfunction that hackers were able to exploit.
What can be done to prevent these failures? The main thing is to be very accurate and meticulous with your design documents and whitepaper, conduct a code review, and develop tests to catch these potential issues.
Complications with withdrawals
The third threat to Ethereum smart contracts according to David Tarditi is failures or complications with withdrawals. This is a type of vulnerability that occurred much less in the cases studied; it was only detected in 142 contracts, that is, almost 10% of logic and correction failures.
An example in this third category would be the blocking of funds in a smart contract, without the possibility of removing them by the user. It is something that can be corrected by following the advice in the previous point when creating, testing and correcting the protocol code.
Access control
Access problems are the fourth threat listed by this expert. They detected it in 120 smart contracts during their audits.Similar to the first item on this list, the vulnerability occurs when anyone can perform a sensitive operation of the contract even though they should not be able to. In this case, it would not occur due to the fact that this user has a privileged role, but rather it occurs from a flaw in the code that allows him to gain that power.
Again, this is a problem that can be detected from the good practices already mentioned above. In this regard, Tarditi stressed that these processes must be repeated exhaustively each time a change is made to the code of a smart contract.
Lack of limits
Finally, the problem of lack of limits could occur in a smart contract. A potential case would be the establishment of tariffs; if these are not capped and go too high, a large portion of the value locked in the contract could be lost when executing a liquidation or other function.
As this medium reported, in 2021 Ethereum rates had very high prices due to the congestion experienced by the network.
The problem of the lack of limits in smart contracts occurred to a lesser extent according to Tarditi's research, since 96 failures of this style were detected.
Ethereum smart contracts, in search of optimization
If there is something that stands out about the Ethereum network, it is the security and scalability it offers to operate with tools such as smart contracts. It is what differentiates Bitcoin the most and what separates it from its main competitors , which never came to overshadow it.
However, it is clear that there are still things to improve, and that is what experts like David Tarditi are working on. From the knowledge of the dangers and the application of the previous recommendations, a more secure environment can be generated that mitigates the attacks and contributes to the growth of the adoption of this network. Ethereum Contracts are Reliable, Human Beings Are Not. Get an expert
Ethereum Smart Contract Audit from us and Certify your project.
