maurelian

4 min read - Posted 02 Feb 19

# === Smart Contract Security Newsletter - Number 13 ===

This is my weekly newsletter, on Kauri for the first time. Get them in your inbox every weekend.

Lots of interesting conferences this week: the Aragon Foundation's AraCon, GörliCon for the release of the Görli testnet (POA across Geth and Parity), and the Stanford Blockchain Conference (SBC).

I admit to having a lot of FOMO about SBC, so this newsletter is pretty focused on it.

Distilled News

Stanford Blockchain Conference 2019

I've been fortunate to catch some of the livestream from the Stanford Blockchain Conference this week, and the content is really fantastic. Here are a few of the talks that I've really enjoyed, or that someone smart has told me are really great:

Dan Robinson, HTLCs Considered Harmful [video / slides]

Hashed timelocked contracts are used to implement cross chain swaps. There are a few things wrong with them (also outlined here), i.e. if the counterparty pulls out of the transaction, you've been griefed, and you didn't have access to your funds for some period of time.

Dan describes "Packetized Payments", which are a bit more like a cross chain payment channel.
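The HTLC lock-up problem described above, as an added example that is not from the talk or this newsletter: a toy Python model of a two-chain swap in which the counterparty either completes or walks away. The names `HTLC` and `run_swap`, the amounts and the timeouts `t` / `2t` are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class HTLC:
    """Toy model of one hashed timelocked contract on one chain."""
    sender: str
    recipient: str
    amount: int
    hashlock: bytes                  # SHA-256 of the secret preimage
    timeout: int                     # sender may refund at or after this time
    paid_to: Optional[str] = None
    settled_at: Optional[int] = None

    def claim(self, preimage: bytes, now: int) -> bool:
        """Recipient takes the funds by revealing the preimage before timeout."""
        if self.paid_to or now >= self.timeout:
            return False
        if hashlib.sha256(preimage).digest() != self.hashlock:
            return False
        self.paid_to, self.settled_at = self.recipient, now
        return True

    def refund(self, now: int) -> bool:
        """Sender recovers the funds, but only once the timeout has passed."""
        if self.paid_to or now < self.timeout:
            return False
        self.paid_to, self.settled_at = self.sender, now
        return True


def run_swap(counterparty_cooperates: bool, t: int = 10) -> dict:
    """Alice locks first with timeout 2t; Bob should lock with timeout t."""
    secret = b"constructed-sample-secret"          # constructed sample value
    hashlock = hashlib.sha256(secret).digest()
    alice_lock = HTLC("alice", "bob", 100, hashlock, timeout=2 * t)
    if counterparty_cooperates:
        bob_lock = HTLC("bob", "alice", 100, hashlock, timeout=t)
        bob_lock.claim(secret, now=2)     # Alice claims, revealing the secret
        alice_lock.claim(secret, now=3)   # Bob reuses the revealed secret
    else:
        # Bob never locks his side. Alice has no early exit: the refund
        # at time t is rejected and only succeeds once 2t is reached.
        alice_lock.refund(now=t)
        alice_lock.refund(now=2 * t)
    return {"paid_to": alice_lock.paid_to, "locked_until": alice_lock.settled_at}
```

In the cooperative run Alice's lock settles at time 3; when the counterparty pulls out she gets the same funds back, but only at time 20, which is the cost the paragraph above calls griefing.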

Patrick McCorry, State Channels as a Scaling Solution for Cryptocurrencies [video]

Patrick does a nice job of describing (application specific) state channels with a game of Battleship as an example. He describes the problem of the "always online assumption", i.e. all parties must remain online to detect and defend against cheating. That's a pretty strong assumption, especially when the other parties have an incentive to take you offline.

The proposed solution is "Pisa" (whitepaper), a protocol for incentivizing 3rd parties to do the monitoring for you, and to punish them if they don't. You might not be surprised to hear that it involves staking and slashing.

Building, and Building on, BulletProofs (part 1 / part 2 / slides)

Full disclosure, I have not yet watched this talk, but my colleague Dean was super excited about the second half, which described a zero knowledge virtual machine (and thus zk smart contracts).

Formal verification: the road to complete security of smart contracts (video / slides)

There's nothing like a good taxonomy to clarify your thinking. For me at least, Martin's "Four flavors of dapp behavior" were particularly illuminating. They are:

  1. Smart contract bytecode verification – What can happen over the course of one tx?
  2. Dapp/system invariants - What can happen over the course of a list of tx?
  3. “Blockchain specific” problems - What will happen in the case of eclipse attacks, frontrunning, chain reorderings, replay attacks, etc?
  4. Incentive reasoning - How will a self-interested, rational economic actor use this dapp?

Another great nugget, on slide 14, is his suggestions for "how to write provable smart contracts".

And finally, he introduces Klab act, a specification language that abstracts away much of the boilerplate in the K-Framework's specification language.

Vlad and Vitalik, Ethereum's future

I haven't watched these yet, they were the last sessions today, but they start around here.

News


Thanks again to everyone for reading. I hope you found something useful in here.

Cheers, Maurelian

Want to help make this newsletter better? Join the '#maurelians-newsletter' channel in the MythX Discord chat.


This newsletter is supported by ConsenSys Diligence, where I work. We can help with all things smart contract security: auditing, secure development guidance, and training.

We're hiring!

Developer - Security Analysis Tools

Frontend and Dapp Engineer, MythX

Marketing and Brand Manager, MythX

Security Engineer and Auditor - Smart Contracts

Senior Technical Recruiter

Smart Contract Security Business Development Lead

Technical Product Manager, MythX

I know, I know, there's a crazy amount of whitespace at the bottom of this newsletter. Probably time to move off of TinyLetter anyways.

Content is "CC-BY-SA 4.0" licensed