ABDULSALAM RIDWAN ALADE
8 min read · Mar 12, 2022

Enhanced Feedback On EOS Audit + Blue Paper

An enhanced feedback on the EOS Audit + Blue Paper by a community member of the Challengedac app. Challengedac runs on the same DApp platform as EOSIO, and its base cryptocurrency is $CHL. My user ID on both EOS and Challengedac is @opeyeminaija.
EOS.IO is able to support thousands of commercial-scale DApps without hitting performance bottlenecks through its use of parallel execution and asynchronous communication across the network. Efficiency is further boosted by keeping the separate stages involved in running a DApp in separate modules; for example, the authentication process is performed separately from the execution process.
EOS has key usability features, including a web toolkit for interface development, self-describing interfaces, self-describing database schemas, and a declarative permission scheme. All of these make the developer's job of creating and maintaining apps easier.
To make EOS more usable for developers, certain solutions are available in the community.
Although some solutions are available in the EOSIO community, there is still a shortage of foundational, security-oriented solutions. Below are some of the solutions that are available and in active use.
a. Software development libraries.
EOSIO provides the eosio.contracts repository, which contains the bios, system, msig, wrap and token contracts. Under the MIT License, developers can use the code almost without restriction, and by studying these contracts they can also learn how the EOS mainnet works, including its governance parameters and economic models. There are also some general-purpose SDKs available in the community: the SX organization has open-sourced DeFi-type smart contracts on GitHub that follow good coding standards, and some of them have passed security audits, but it should be noted that these libraries do not state which license applies to them.
At present, the community has a large list of open-source coding examples, but the amount of code that has undergone a security audit is relatively small, several orders of magnitude smaller than on Ethereum. Most strikingly, maintenance of most of these code bases has been suspended.
Since developers are one of the key roles in the development of a blockchain, how to attract more developers into the EOSIO ecosystem is an important issue for the EOS community to think about. By developing and sharing high-quality open-source code bases, the difficulty of development can be reduced, and inexperienced developers can quickly develop secure smart contracts, thereby increasing the adoption of EOS.
b. Klevoya Inspect
This is a tool that allows developers to upload their compiled WASM code and have it inspected for vulnerabilities based on unique patterns created by the Klevoya team. Inspect employs a technique called static analysis, which reasons about a program's source code, or some intermediate representation of it, without actually executing it. Under the hood, the uploaded WASM code and ABIs are translated into a proprietary intermediate representation that is loaded into a database. The pattern matcher is then run against the entities in the database, looking for known vulnerabilities.

Although this is a paid service and does not guarantee the same depth as a manual security audit, static analysis is a very powerful tool and gives developers a unique opportunity to self-diagnose and self-resolve security issues, which over time will make them better at writing smart contracts that are more secure.
Asset Managers & Investment Funds
Cryptocurrency exchange liquidity can be much more volatile than traditional financial markets, while the volatility of assets and liquidity can exist along a very wide spectrum. Entering or exiting positions may entail significant sizes relative to average daily volumes. Frequent rebalancing of portfolios may also result in slippage and unforeseen execution costs. And most importantly, availability of liquidity during the most volatile markets is crucial.
Binance’s core offering is reliable and consistent liquidity throughout volatile markets, being the largest crypto liquidity pool in the world. Manage slippage and execution costs through direct OTC liquidity and our execution algos. Automate trading and integrate our liquidity directly into your OMS (order management system), EMS (execution management system) or other risk management systems.
Furthermore, there are certain solutions that the community still needs.
Based on research within the EOSIO community, the key items that we feel the community demands, and that would help improve the overall security of the EOSIO ecosystem, are listed below. They include the following:
a. Software libraries for secure smart contract development
Security-hardened software development libraries (SDKs) allow software developers to harness battle-tested contract templates and libraries to minimize risk when developing smart contracts. They are just like standard SDKs, but they include pre-built implementations of common actions, written according to security best practices, so instead of having to write your own function for a given action you can use an existing one that you know has been tested for security issues.
Using such libraries not only helps minimize risk when creating smart contracts, since developers reuse methods that have already been scrutinized from a security point of view, but also lets you include security testing in your unit tests. If all developers on EOSIO use the same set of SDKs, constantly updated to account for the latest security issues on EOSIO, the overall security of smart contracts improves, because it prevents developers from making easily avoidable mistakes.
b. Bug Bounties

Bug bounties are monetary rewards given to ethical hackers who successfully discover a vulnerability in an application or piece of software. They are widely adopted across all chains and play a very important part in ensuring that blockchain code is constantly scrutinised, especially if the code base changes frequently or has multiple flavours.
The EOS authorities recognize the importance of security researchers in helping keep the community safe. Responsible disclosure of security vulnerabilities via the bug bounty program is highly valued. The program is for the disclosure of software security vulnerabilities only.
Bug bounty rules include:
Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services, including denial-of-service attacks.
Do not exploit the vulnerability in any way.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Do not use scanners or automated tools to find vulnerabilities. They are noisy, and we may ban your IP address.
Submit only one vulnerability per submission, unless you need to chain vulnerabilities to demonstrate the impact of any of them.

Having a well-run bug bounty programme will attract the best of the hacker community and improve the overall security of EOSIO. The lack of such a programme discourages the hacker community from investing time and effort in looking into the EOSIO code base.
c. Contract upgrade authorization DAO
Blockchain technology is already radically transforming the financial system. However, properties such as trustlessness and immutability aren’t only useful in monetary applications. Another potential application is governance. Blockchains could enable entirely new types of organizations that can run autonomously without the need for coordination by a central entity.
DAO stands for “decentralized autonomous organization” and can be described as an open-source blockchain protocol governed by a set of rules, created by its elected members, that automatically execute certain actions without the need for intermediaries. In simple terms, a DAO is an organization that is governed by computer code and programs. As such, it has the ability to function autonomously, without the need for a central authority.
In EOSIO, smart contracts are deployed to an active account, and usually the developers retain full authority to upgrade those smart contracts in the future. This creates a trust issue, because the users of that smart contract inherently need to trust that the account owner will do no evil, regardless of the smart contract's security audit status.
Hence there is a need for a better way of managing contract authority, to facilitate more trust between users and smart contract owners while still allowing contract owners to update their software.
The community and smart contract owners both require this type of functionality. dApp owners want their user base to trust them, but they also need the flexibility to update their dApps as and when required. Although it is never possible to fully guarantee that a dApp the community uses is not at risk of being hacked, or that its owners have good intentions, this additional layer of control builds trust between the community and dApp owners.
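One way to put the upgrade authority in the hands of a DAO is to replace the developer's single key on the contract account's active permission with a weighted multisig of elected member accounts, so that eosio::setcode can only run once a quorum approves. The Python model below of how EOSIO sums authority weights against a threshold is an added example, not code from the original post; the account names, the placeholder key and the 3-of-5 quorum are constructed, and delayed authorities (`waits`) and the owner-over-active permission hierarchy are left out.

```python
"""EOSIO permission-authority check for a DAO-controlled contract upgrade key.
Added example, not code from the original post. Account names and the
placeholder key are constructed; `waits` (delayed authorities) are ignored.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Authority:
    """One EOSIO permission: weighted keys and account permissions whose
    combined weight must reach `threshold`."""
    threshold: int
    keys: dict = field(default_factory=dict)      # public key -> weight
    accounts: dict = field(default_factory=dict)  # (actor, permission) -> weight

    def satisfied_by(self, signing_keys, approvers):
        """Sum the weights of supplied keys and account approvals, as the
        chain does, and compare with the threshold."""
        weight = sum(w for k, w in self.keys.items() if k in signing_keys)
        weight += sum(w for a, w in self.accounts.items() if a in approvers)
        return weight >= self.threshold

    def to_cleos_json(self):
        """Shape accepted by `cleos set account permission <acct> active <json>
        owner`; keys and accounts must be sorted."""
        return json.dumps({
            "threshold": self.threshold,
            "keys": [{"key": k, "weight": w} for k, w in sorted(self.keys.items())],
            "accounts": [{"permission": {"actor": a, "permission": p}, "weight": w}
                         for (a, p), w in sorted(self.accounts.items())],
            "waits": [],
        })


# Default: the contract account's active permission is the developer's one key.
DEV_KEY = "EOS_DEVKEY_PLACEHOLDER"  # constructed placeholder, not a real key
developer_only = Authority(threshold=1, keys={DEV_KEY: 1})

# DAO-controlled: active permission delegated to 3-of-5 elected member accounts.
DAO_MEMBERS = ["dao.member1", "dao.member2", "dao.member3", "dao.member4", "dao.member5"]
dao_controlled = Authority(threshold=3, accounts={(m, "active"): 1 for m in DAO_MEMBERS})


def can_upgrade(authority, signing_keys=(), approvers=()):
    """eosio::setcode on the contract account requires its active authority;
    report whether these signers satisfy it. Under `dao_controlled` the
    developer's key alone is refused, while any 3 DAO approvals succeed."""
    return authority.satisfied_by(set(signing_keys), set(approvers))
```

In practice the upgrade transaction is proposed and approved through the eosio.msig contract, and the `to_cleos_json` output is the authority that `cleos set account permission` takes when handing the active permission over to the DAO members.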

Furthermore, the following are additional insights.

a. High-net worth individuals and proprietary traders

For high-net-worth individuals and proprietary traders with significant crypto investments and assets, getting access to favourable prices and execution tools has a significant impact on the value of an EOSIO portfolio.
To receive white-glove service for their trading needs, they can access the large liquidity pool and get advice on the best algorithmic execution strategies for their trades from community members with years of institutional experience.

b. Crypto Miners
Crypto miners' revenues and profits materialize through selling the cryptocurrency reaped from mining operations. They need to hedge crypto asset values and build a strategy for liquidating mining rewards in the most cost-efficient and effective way. Algorithmic strategies simplify liquidation in order to attain the lowest execution costs and maximize revenue and profit streams. This would give EOS not just recognition but a specific worth among the recognized blockchains.

c. EOS As Crypto Projects
Project treasury management and selling project tokens for funding needs while minimizing market impact are constant key objectives for EOS crypto projects.
To meet them, the EOS community and traders need access to deep liquidity, so they can get pricing for immediate trading needs or sell project tokens regularly over long durations with proven effectiveness and minimal market impact, backed by marketing updates and logs.
In conclusion: security analysis of EOSIO smart contracts
The EOSIO blockchain, one of the representative Delegated Proof-of-Stake (DPoS) blockchain platforms, has grown rapidly recently. Meanwhile, a number of vulnerabilities and high-profile attacks against top EOSIO DApps and their smart contracts have been discovered and observed in the wild, which may result in serious financial damage. Most EOSIO smart contracts are not open-sourced and are typically compiled to WebAssembly (Wasm) bytecode, which makes it challenging to analyze them and detect the presence of possible vulnerabilities. As long as research continues, the level of insecurity can be lowered to a point, for example through cryptography.
Blockchains use two types of cryptographic algorithms to maintain data authenticity and protect it from foul play: asymmetric-key algorithms and hash functions. In asymmetric-key encryption there are two keys involved, an encryption key and a decryption key, whereas hash functions involve no keys at all and work only one way. That is to say, data processed with a hash algorithm cannot be reversed to its original plaintext in a blockchain. This protects the blockchain from tampering and preserves data integrity.

@ABDULSALAM RIDWAN ALADE