How Ethereum Applications Earn A+ Security Ratings

By coinnewsdaily
March 17, 2019
in Tech

More than 1.2 million ethereum applications have used a little-known security tool to help them avoid the costly errors arising from self-executing lines of code known as smart contracts.

Launched by ethereum technology startup Amberdata back in October, the free tool lets anyone in the general public assess the security of active applications on the ethereum blockchain. Exploited bugs in smart contracts have led to huge losses, in some cases to the tune of hundreds of millions.

The automated service scans for common vulnerabilities found in smart contract code and generates a letter grade rating (e.g. A, B, or C) for the security of a decentralized application (dapp).

The feature is one of the many tools encouraging best practice and increased transparency between dapp developers and end-users in the ethereum ecosystem.

What’s more, it’s a feature that has been around in the broader web space for quite some time. Privacy-minded browser DuckDuckGo recently launched a Chrome browser extension used to rate websites (not dapps) with a letter grade, giving users an easy insight into how well or poorly service administrators protect user privacy.

“Our vision is to raise the standard of trust online,” writes DuckDuckGo in a blog post from January 2017.

Similarly, the vision behind Amberdata’s security grading tool, as highlighted by Amberdata CEO Shawn Douglass in a press release, is to provide “greater access and enhanced visibility into smart contracts.”

He added:

“We hope that by providing these tools to the community, we can reduce outside dependencies and enable the community to develop faster and more safely.”

The ratings

But how exactly are these applications on ethereum rated on Amberdata?

Pointing to 13 types of vulnerabilities scanned for automatically by the program, Amberdata CTO Joanes Espanol likened each of these to “engine lights on [a car] dashboard.”

“It just means that I need to check what’s going on with the car. Any of these can result in security error,” explained Espanol to CoinDesk.

And the more security errors Amberdata's scan detects, the lower the letter grade a dapp will receive. These ratings range from an A+ all the way down to an F.

But the grade doesn't depend strictly on the number of security errors. Each of the 13 vulnerabilities has a different degree of severity, Espanol explains, which affects a dapp's final grade. Two common low-severity vulnerabilities Espanol pointed to are "delegate call to a user-supplied address" and "message call to external contract."

The latter may pose a security risk if a dapp, rather than being self-contained in one smart contract, calls additional contracts that contain buggy code.

Similarly, a delegate call is an operation normally used to split smart contract code into multiple sub-contracts, so that any necessary upgrades to the software can be made piecemeal without terminating the whole application.

“That’s the good part of those delegate calls. But the bad part is that now as an owner of the contract, I could start doing bad things. So, I could start replacing contracts that change the behavior of the original [application,]” explained Espanol.

On both counts, then, Espanol described the security audit as issuing "warnings" rather than pointing out immediate code errors.
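To make the two warnings concrete, here is an added illustration in Solidity (not Amberdata's or TrustToken's code; contract and function names are assumed): the pattern the scanner flags as a delegate call to a user-supplied address, beside an owner-gated proxy that keeps the upgrade benefit Espanol describes while leaving the owner's power to change behaviour visible on-chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;

// Added example (not Amberdata's or TrustToken's code; contract and function
// names are assumed) contrasting the delegate-call patterns discussed above.

// Flagged as "delegate call to a user-supplied address": delegatecall runs
// the target's code with THIS contract's storage, balance and msg.sender,
// so whoever chooses `target` can rewrite any state held here.
contract OpenDelegator {
    function run(address target, bytes calldata data) external {
        (bool ok, ) = target.delegatecall(data);
        require(ok, "delegatecall failed");
    }
}

// The "good part": an upgradeable proxy whose logic lives in a separate
// implementation contract that can be replaced piecemeal.
contract OwnedProxy {
    // Note: slots 0 and 1 are shared with the implementation's storage; real
    // proxies (EIP-1967) use reserved slots to avoid that collision.
    address public owner;
    address public implementation;

    // Every upgrade is logged, so an owner swapping the logic is observable.
    event Upgraded(address indexed oldImpl, address indexed newImpl);

    constructor(address impl) {
        require(impl != address(0), "zero implementation");
        owner = msg.sender;
        implementation = impl;
    }

    // The "bad part" Espanol describes: the owner can still change the
    // application's behaviour, which is why the scan reports a warning.
    function upgrade(address impl) external {
        require(msg.sender == owner, "not owner");
        require(impl != address(0), "zero implementation");
        emit Upgraded(implementation, impl);
        implementation = impl;
    }

    // User calls are forwarded to the fixed implementation only, never to a
    // caller-chosen address.
    fallback() external payable {
        (bool ok, bytes memory ret) = implementation.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```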

Indeed, one dapp that currently uses message calls, and that deployed a smart contract upgrade using delegate call back in January, is TrueUSD. Created by blockchain startup TrustToken, the USD-backed stablecoin on ethereum is currently ranked with a C letter grade.

While that doesn't sound good, TrustToken security engineer William Morriss, looking at the vulnerabilities flagged for TrueUSD, told CoinDesk in an earlier interview that none of the identified concerns were actually "critical."

“The vulnerabilities that are being reported are not ways in which we can be attacked … We are aware of them and when people bring vulnerabilities to us we treat them very seriously,” said Morriss.

Elaborating on message calls specifically, Morriss added that for TrueUSD, all external contracts are owned and operated by the companies themselves rather than by third parties with potentially lower security standards.

How to get an A+

Errors of "high" severity hit an application's security rating harder because they indicate a greater potential for code errors and exploits.

One of the most common of these, "integer overflow," indicates that arithmetic carried out within a smart contract could produce values exceeding the limits of the integer type, leading to erratic, unpredictable behavior that, in the worst case, could result in a loss of funds.

The flip side is "integer underflow," another vulnerability of "high" severity, in which the exact reverse happens: a value drops below the defined range and similarly causes erroneous output.

There are also some features in Solidity that dapp developers should simply avoid, according to Amberdata's grading system, including "suicide()" and "tx.origin." The latter is described by Espanol as "deprecated code" that may be removed from the Solidity language altogether at a future date, while the former poses a risk of being hijacked by outside parties to freeze user funds that can never be recovered.
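As an added example (not Amberdata's or CryptoKitties' code; contract and function names are assumed), the Solidity below shows the unchecked arithmetic the high-severity findings refer to beside its checked form, and replaces tx.origin and suicide() with the patterns that pass a scan.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6; // pre-0.8 compiler: arithmetic wraps silently

// Added example, not Amberdata's or CryptoKitties' code; contract and
// function names are assumed.

contract WrappingToken {
    mapping(address => uint256) public balances;

    // "integer underflow": no balance check, so sending more than you hold
    // wraps balances[msg.sender] around to a value just below 2**256.
    function transferUnchecked(address to, uint256 value) external {
        balances[msg.sender] -= value;
        balances[to] += value; // "integer overflow" is the mirror image
    }
}

contract CheckedToken {
    address public owner;
    mapping(address => uint256) public balances;

    constructor(uint256 supply) {
        owner = msg.sender;
        balances[msg.sender] = supply;
    }

    // tx.origin is the account that started the transaction, not the
    // immediate caller; checking it would let any contract the owner
    // happens to call act as the owner. msg.sender is the right check.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Explicit bounds checks: what a SafeMath library adds, and what
    // Solidity >= 0.8 performs on every operation by default.
    function transfer(address to, uint256 value) external {
        require(balances[msg.sender] >= value, "insufficient balance");
        require(balances[to] + value >= balances[to], "overflow");
        balances[msg.sender] -= value;
        balances[to] += value;
    }

    // suicide() is the old name of selfdestruct (removed in Solidity 0.5).
    // Destroying a token contract strands every balance, so the call is
    // owner-gated here and, better still, left out of a token entirely.
    function shutdown(address payable refundTo) external onlyOwner {
        selfdestruct(refundTo);
    }
}
```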

Since it doesn’t have any of these four vulnerabilities, the infamously popular ethereum dapp CryptoKitties currently has an A+ security rating on Amberdata. CryptoKitties software engineer Fabiano Soriani attributes this to “implementing as many tests as we can.”

Adding that “passive resources” such as written documentation and video tutorials on dapp development are not enough to build secure applications on ethereum, Soriani told CoinDesk:

“When someone runs an audit, they point out things for you. It’s a very good complementary resource [to passive resources] because developers coming from a more traditional background aren’t familiar with blockchain.”

‘It’s a new set of problems’

Indeed, when it comes to building dapps, the importance of airtight, impenetrable code cannot be overstated. The reasoning is twofold.

First, unlike traditional applications, dapps are generally open-source programs, and as Morriss explains, "a heightened level of caution" is required when running code that is "public."

“If there’s any bug in a traditional application you might be able to get away with it for several years … but if you have a bug in your smart contract people are going to find it rather quickly and take advantage of it either to your destruction or to their benefit,” said Morriss.

Secondly, dapps on ethereum run exclusively on smart contracts. Written in the Solidity programming language and executed by the blockchain's nerve center, the Ethereum Virtual Machine (EVM), smart contracts have a key strength: once deployed, they can't be changed.

The downside to this is obvious. Programmers are not easily able to correct errors or bugs in the software once deployed on the blockchain.

Calling it a “grievous error” to skip a third-party security audit or scan for these reasons, Morriss told CoinDesk it was important for developers not to become victims of their own “hubris” and ensure that “tests are covering every branch of your code.”

“With ethereum, it’s a new set of problems that people aren’t aware of when coding in Solidity,” stressed Espanol to CoinDesk.

Programming image via Shutterstock

© 2018-2021 CoinNewsDaily.com by CoinNewsDaily Inc. Crafted with Love by iFtiDev