Anthony Eufemio (CTO)
The increasing amount of complexity in our storage contracts has caused the contract code to become too large to be deployed without going over the 4265730 gas limit in Ethereum. Splitting the storage contract into smaller parts exposes us to potential security flaws with regards to gas and stack depth exhaustion attacks which we are addressing in several different ways:
- Changing the business logic to reduce the number of operations per function call so we can use the saved gas as well as execution stack space for security related checks.
- Reorganizing the storage contracts data structures in a way that operations on Assets and Tokens can happen atomically (within the same storage contract).
- Doing further optimizations in our Solidity code to cut down our deployed code size.
While researching on solutions on how to solve the above issue we also discovered a potentially major bug in TestRPC where the extcodesize operation on its EVM simulator implementation produces a different output from the full client implementations (geth and parity).
We have opened up an issue on the ethereumjs github 19 days ago (see https://github.com/ethereumjs/testrpc/issues/289) are still awaiting a response from the ethereumjs team. This bug is very concerning as we do rely on TestRPC for the bulk of our development testing. Furthermore if there are other similar issues in this vein then we become less confident of the results of our development testing. Thankfully we are able to do verifications using our Kovan testnet.
We will continue looking for candidates who can do our third party security audit properly. As our codebase is quite complex, we need to look for capable and meticulous code auditors who have the ability to patiently sift through our codebase line by line, and who also have the in-depth knowledge of the types of security vulnerabilities we might encounter (including the ones I have described above). I will be engaging with a few more candidates this week to find the best possible auditor for Digix.
With regards to the ETC refund which we had previously mentioned we are now in the process of performing a code review on our refund contracts. We still need to sort out replay attack prevention strategies as the refund will require us to move the DigixDAO crowdsale funds into a new contract where it will be held until we are able to deliver the DigixDAO governance contracts where it will reside.
Chris Hitchcott (Core Dev)
This week has been mishmash of work on the ETC refund and Spectrum.
With the ETC refund, I’ve been writing unit tests for the redemption contract and fleshing out the balance-collection and redemption token minting scripts. I will be dedicating next week of my development time to the ETC refund process; the contract, scripts and documentation. We target to have thisready for public review by the end of the next sprint.
With regards to Spectrum, I added a selection of UX enhancements to the transactions view:
- The ability to specify gas and gas price
- A ‘Send All’ button
- For Ether (taking gas and gas price into account to end up with a 0 balance)
- And ERC20 tokens
- An inline price ticker info for various currencies (thanks to https://www.cryptocompare.com/api/, which has over 1000 crypto currencies to… compare)
- A warning message to dissuade users from manually typing out an address
The Spectrum demo should also be working on iOS now; a bug was fixed in the build process, caused by over-eager ‘mangling’ of variables (that Apple’s iOS implementation of webkit is kind enough to not support) — although as mentioned before, the offline caching and QR code scanning feature is unlikely to be working any time soon on iOS webview #SafariIsTheNewIE.
I’ve also added a new feature to the Spectrum roadmap: “transaction sniping”. The idea is to be able to sign a transaction and then have it be automatically published when a certain time or block number is reached — for those who are extra anxious about getting in early on ICOs or other time-sensitive transactions.
Compare prices as you make transactions
Option to send entire balance, and (under advanced settings) set gas / gas price
Warning if user tries to manually type out the address
- 7e52a8f — [wip] fix whitespace
- 2644a21 — [wip] update readme
- d98b608 — [wip] more tests, minting script, refactor scripts
- cb44370 — [feature] initial commit; baisc mvp
- b2e119a — [wip] show warning message when manually typing address
- c5dbca6 — [wip] add crypto prices dropdown, update deps
- 5a5c741 — [wip] gas input
- 2621816 — [wip] hide startup overlay
- 4243351 — [wip] sendAll for tokens
- d37e441 — [wip] don’t show sendall if balance is 0
- 2fb1c6d — [wip] ValueInput for baseToken, option to send all & gasPrice input
- 60b6e97 — [wip] use web3Connect in favor of top-level web3redux
- f4aaa20 — [wip] disable digix assets for now
- e3b4e5e — [bugfix] work on ios by setting uglify `mangle: flase`
- 27a2b7d — [wip] fix typo