Smart contract developers not really focused on security. Who knew?
Bugs cost $680m in 2021, academics say, as devs have other concerns
Comment "Smart contracts," which consist of self-executing code on a blockchain, are not nearly as smart as the label suggests.
They are at least as error-prone as any other software, where historically the error rate has been about one bug per hundred lines of code.
And they may be shoddier still due to disinterest in security among smart contract developers, and perhaps inadequate technical resources.
Multi-million dollar losses attributed to smart contract bugs – around $31m stolen from MonoX via smart contract exploit and ~$34m locked into a contract forever due to bad increment math, to name a few – illustrate the consequences.
It's not the code, of course, that's clever. Whatever smarts exist in code contracts start with the software developer. And therein lies the problem. Smart contract creators just can't be bothered with security.
That's what four computer scientists from University of Illinois at Urbana-Champaign – Tanusree Sharma, Zhixuan Zhou, Andrew Miller, and Yang Wang – found when they interviewed a handful of smart contract programmers.
In a research paper titled, "Exploring Security Practices of Smart Contract Developers," the four boffins observe that $680m worth of digital assets controlled by smart contracts were lost as a result of security vulnerabilities in 2021. So they wondered how smart contract developers approach security, given that "security is a fundamental concern for smart contracts."
They went about interviewing 29 smart contract developers, 10 with less than a year of experience and 19 with 2-5 years of experience, to ask about security perceptions and practices. Twenty-four identified as male; five identified as female. Over a third of study participants were from the US, with the remainder from other countries, like India, China, Australia, Ghana, Egypt, Iran, UK, Canada, Germany, New Zealand, and Greece.
The researchers also evaluated how these individuals handled a code review. And the results – though hardly conclusive given the sample size – suggest why smart contracts fail so spectacularly.
When the survey participants were asked about their priorities in smart contract development, most respondents (83 per cent) did not say security was a top priority and offered three primary reasons: "(1) they need to ship projects fast and security becomes secondary, (2) their projects forked other popular projects (e.g., Uniswap), which are often already vetted by the community, and (3) someone else internally or externally will conduct security audits."
However, the researchers observed that the majority of respondents identified functional correctness (66 per cent) and gas (fee) optimization (48 per cent) as important priorities, both of which are related to security. Maybe that counts for something.
Five of the 29 surveyed devs also noted that "the Solidity language design has some inherent limitations for maintaining security."
That echoes the findings of a 2016 researcher paper [PDF], which argues smart contracts on the Ethereum blockchain are particularly likely to have errors. These bugs are attributed to the counterintuitive semantics of Solidity, a high-level programming language supported by Ethereum, and to the language's lack of constructs for dealing with the unpredictable ordering of blockchain transactions.
- Yet again, Cream Finance skimmed by crooks: $130m in crypto assets stolen
- Web3 'contains the seeds of a dystopian nightmare' says analyst firm
- Cryptocurrency 'rug pulls' cheated investors out of $8bn in 2021 – report
- The dark equation of harm versus good means blockchain's had its day
Asked about how they looked for security issues, eight (28 per cent) respondents said their main method was manual code inspection while nine (31 per cent) said they used smart contract tools for security purposes. Also, about a third said smart contract security tools are hard to use.
Presented with a code review of a smart contract to look for security issues, 16 (55 per cent) of the participants found at least one of the two security issues present. Eight (28 per cent) identified both bugs. And the experienced developers had a higher success rate (55 per cent) than the newbies (15 per cent).
Among the 16 who spotted at least one of the vulnerabilities, six managed to correctly fix the code flaws.
The researchers say that many smart contract developers depend on other people or external audits to take care of security and that when these devs do try to make their code more secure, they tend to do so manually, without resources or tools that would make the job easier.
"Given the recent rise of smart contract projects (e.g., decentralized finance) and their associated security attacks, providing better educational materials and tool support especially for novice developers is paramount for the healthy growth of this domain," they conclude.
Another option: when you see "smart contract," assume it's not. ®