Hosho Find 25% Smart Contracts Contain Critical Bugs
For every problem that smart contracts solve, they appear to introduce another. Security firm Hosho, which has forged a new partnership with community managers Amazix, has discovered that 25% projects contains critical vulnerabilities. In a week where EOS has made news for all the wrong reasons over a RAM vulnerability, a code auditor has revealed the prevalence of smart contract bugs.
$1 Billion Is No Guarantee Against Bugs
$1 billion. That’s the amount raised by the projects whose smart contracts Hosho has audited. The security firm claims to have audited more smart contracts than any other industry player. Despite the significant human and financial resources at their disposal, many of these projects could have been crippled had they neglected to have their code thoroughly scrutinized. 25% of the projects Hosho has audited were found to have critical bugs, and some 60% of all projects they saw had at least one security issue.
Ethereum, the ICO economy’s go-to launchpad, has been the worst affected, with stories abounding of exploitable code that’s led to millions of dollars of ether being stolen or locked up. While smart contract platforms such as Stratis are pushing the availability of debugging deployment suites and professional decompilers that come with using C#, Ethereum’s Turing-complete system leaves higher margin for error. Enlisting the support of a third party specializing in smart contract audits, while not foolproof, is the best bet against shipping bug-filled code. Identifying and eliminating all potential security holes is a Sisyphean task, and one which even experienced Solidity developers struggle with.
Smart Contract Testing as a Service
While it is industry practice to have smart contracts audited before a tokensale, projects which have yet to raise funds could be tempted to cut corners and skimp on this task. Doing so can prove fatal, however, with the worst bugs leading to wallets being drained, or buffer overflow exploits being manipulated to alter account balances. Several Ethereum-based projects have been forced to conduct token swaps after screwing up their 1st attempt at a smart contract.
In EOS land this week, all energies have been focused on patching a RAM exploit that’s recently been detected. It allows a malicious user to “install code on their account which will allow them to insert rows in the name of another account sending them tokens. This lets them lock up RAM by inserting large amounts of garbage into rows when dapps/users send them tokens.”
Amazix, the preeminent community management and consultancy firm within the token economy, has now partnered with Hosho to provide its clients smart contract auditing. “In the lack of industry standards, we see smart contract auditing and penetration testing to be essential elements of good security in blockchain systems,” stated Amazix CMO Kenneth Berthelsen. “In our view, there are no better qualified people to do this than Hosho engineers.” Proponents of cryptocurrencies find smart contracts eventually infiltrating everything from insurance to dispute resolution. Before that may happen, developing trust in the code that governs them will be crucial.