The use of Smart Contracts is on a meteoric rise. How safe and secure are they though?
This article was originally posted on CSO Online
By Andrew Douthwaite, Vice President of Managed Services
If you haven’t yet heard of a Smart Contract, just wait. You will.
Using blockchain technology – a secure, decentralized digital ledger, introduced in 2008 as the technology underpinning Bitcoin – Smart Contracts enable the exchange of money, property, shares or anything of value, in a transparent, conflict-free way while avoiding the services of a middleman. The most popular of the cryptocurrencies associated with Smart Contracts is Ethereum. It allows developers to write their own contracts which detail the responsibilities of each party and the self-executing payments that should be made based on fulfillment of these.
In any real-world situation where two parties form an agreement that becomes a contract, there is always the potential for one party to enter that contract at a disadvantage. A Smart Contract solves this. It is coded and built on the Ethereum blockchain, completely decentralized as a third-party entity and self-executes as it is programmed to do. Its self-executing and self-enforcing nature creates a fair environment for both parties involved, and therefore there is little room for conflict and costly litigation down the road.
Sounds almost perfect
With the technology expected to see an increasing number of use cases, it’s not unlikely that you might soon find yourself in a situation where a service, client or partner requests to use one. It’s therefore worth asking the question now: where’s the rub?
Just how secure are they? The short answer is, currently, not very
While the blockchain is inherently secure, Smart Contracts suffer through the code used to create them being prone to bugs. In June 2016, a hacker made off with over 50 million dollars of cryptocurrency by exploiting a bug in Smart Contract code and, even more recently, in July 2017 another bug was exploited in the code of a well-known Ethereum wallet to the tune of over 30 million dollars of cryptocurrency.
The level of bounty available offers an extremely lucrative incentive for hackers to invest the time and resources needed to find bugs and loopholes in Smart Contract codes.
Holy growth, Batman!
Although the technology remains in its infancy, the rate of adoption has been increasing at a rapid rate. Between June 2017 and October 2017, the number of Smart Contracts grew from 500,000 to over 2,000,000 with expectations that this could grow to around 10 million within another year. It is clear, therefore, that although this is currently a niche issue in the world of network security, Smart Contracts have the potential to become a far bigger consideration in the not too distant future.
Big pile, small shovel
Current efforts to validate Smart Contracts are inadequate. To adequately audit one, an organization would need to engage a network security consulting company and enlist experts in blockchain and Smart Contract coding. If this sounds impractical, that’s because it is. The process involves a host of specialist resources, is expensive and would still be prone to the “human element,” i.e. simple human error mistakes, bad actors or a simple lack of trust in the motivations of those auditing.
The growth in Smart Contract use and limited specialists able to properly vet such large amounts of code means that currently, organizations can struggle to properly protect themselves. Case in point, the Guardian recently reported that more than $300 million of cryptocurrency (in the form of Ether, the tradable currency that fuels Ethereum) has been lost accidentally due to changes in code from a developer.
A solution for every problem
For every growing tech problem, there are those who will look to create solutions and for Smart Contracts, one such solution seems to have taken a lead – the Quantstamp protocol. Self-described as “the first scalable security-audit protocol designed to find vulnerabilities in Ethereum smart contracts,” it uses a balance of automated and crowdsourcing methods and has the potential to provide security experts a cheap, inexpensive method of finding exploits and bugs in Smart Contract codes. The protocol is itself built on the Ethereum blockchain and provides token incentives for the contribution of verification software (submitted by security experts), for validating requests (processed by nodes on the blockchain) and for finding bugs that break Smart Contract codes.
The result is a system able to audit any Smart Contract submitted to it in a much more time and cost-effective way.
The good news?
At the time of writing, an estimated $3.2 billion is locked in Smart Contracts and this figure will obviously rise exponentially in line with increasing adoption. As these locked-in values continue to grow, the potential cost of vulnerabilities and attractiveness to hackers grows with it. The good news? For every motivated hacker, there is an equally motivated developer working to create solutions able to secure the latest innovation in the world of blockchain.
Check out the original article on CSO Online HERE.