by: Riccardo Malatesta, Security Consultant [Linkedin] date: 07/03/2022

More and more are the talks and articles about Blockchain, Bitcoin, Ethereum, cryptocurrencies, NFTs and Decentralized Apps. Given the growth and interest of the public and investors, many companies have decided to ride the new wave of innovation.

Those who want to create their own product often decide to rely on the Ethereum blockchain, being the most famous and secure solution. Businesses that want to develop products and services with Ethereum such as, for example, NFTs, apps or currencies, implement a Smart Contract on the network.

However, as new technologies emerge so will new vulnerabilities, issues and risks that need to be managed effectively.

In this article we introduce what smart contracts and decentralized applications are and some of the main risks of this new technology that make necessary a security strategy.

What are smart contracts?

Ethereum is a blockchain that popularized an incredible innovation: Smart Contracts. This new technology consists of a program, or collection of codes and data, that resides and operates in a specific address on the network. Thanks to this factor, it is defined as a “programmable blockchain”.

Numerous applications rely on smart contracts, such as tokens, defined as ERC-20, Non-Fungible Tokens, such as ERC-721, and more.

A Decentralized Application, also known as DApp, differs from others since instead of relying on a server, it is based on the blockchain technology with the many advantages that it offers. DApps are developed both with a user-friendly interface, such as a web, mobile or even desktop apps, and with a smart contract in the Ethereum blockchain, written in programming languages like Solidity or Vyper.

Numerous companies and realities were born thanks to smart contracts and DApps and two very profitable new sectors have become famous: Decentralized Finance (DeFi) and Non-Fungible Tokens (NFT).

Decentralized Finance (DeFi) refers to trading cryptocurrencies without a broker, all done through the blockchain.

Non-Fungible Token (NFT) means a category of unique tokens: one Euro is equal to another Euro, one $ETH is equal to another $ETH instead an NFT is unique. Thanks to this feature it is possible to represent the ownership of virtual and non-virtual assets.

Many entrepreneurs, innovators and investors have dived into this world generating billions of dollars in volume and profits.

This amount of money has also attracted the unwanted glances of those who want to create a profit by exploiting flaws in these new technologies and therefore it becomes necessary to be prepared against the most unpleasant scenarios.

Which are the main risks related to Smart Contracts?

Blockchains and smart contracts are not immune to cyber incidents. A very famous case concerns an attack that took place against Poly Network in which about 600 million dollars in crypto assets were stolen. However, it is not an isolated case. In 2021, 1.3 billion dollars were lost in the world of DeFi as a result of cyber-attacks.

For the creator of a smart contract, an incident like the preceding ones can lead to a huge loss of money and this can happen in many ways: stolen funds, drop in the price of the token of the DApp, loss of investors, partnerships and more. This can result in a total failure of the business.

Some peculiarities of Smart Contracts can generate unique vulnerabilities or facilitate their identification and exploitation.

An example is the public code: in most of classical applications, such as web applications, part of the source code (e.g., back-end) is hidden from the eyes of the users. In case of smart contracts, however, any aspect of the code is public. Indeed, contract source code can easily be uploaded for transparency on GitHub or other services like Etherscan. Note that, at the minimum, the bytecode of the compiled contract is deployed on the blockchain and could be relatively easily reverse engineered. This means that an attacker has all the necessary information about the provided functionalities and how to interact with them. He can analyze the data flow making easy to find out vulnerabilities, even those that are more difficult to identify if the source code is not accessible.

Moreover, every action is performed through a transaction, and every transaction has a fee that is calculated based on the resources necessary for the execution. For Ethereum, this fee is in the $ETH currency, and it is paid to the operators of the network. Since $ETH has a corresponding value in traditional currencies, this means that every operation has a real economic cost and therefore developers may be tempted to sacrifice security to save money.

Another aspect is immutability: once a contract has been deployed, you can’t go back. This is by design for blockchains. You don’t have a second chance to have a secure code, you have to act before the release and be sure that everything is fine. Of course, you could implement a “self kill” function that makes your old contract unavailable and transfers the funds to your new contract but note that deploying a new contract will cost a lot.

Last but not least, remember that new vulnerabilities don’t mean that old ones are gone.

What can be done to prevent the worst?

The first actions start from the foundations of the application. This translates into following best practices during the design and development of the Smart Contract. After that a Security Assessment (composed by a Penetration test and Secure Code review) is certainly advisable (if you want to know more take a look at our new service).

In the next article, we will analyze the main actions that can be taken to protect your blockchain business.

Be aware of the security of your Smart Contracts. BeDefended.

Thanks for reading.