The purpose of this post is to update my personal vision of Zeppelin and Zeppelin’s projects, as their founder and CTO. This is my own personal perspective, and some Zeppelin team members may not be aligned with my views. However, several people told me it would be helpful if they could read my understanding of this topic as a base for further discussions, to inform long-term planning and product design. If nothing else, it has been useful to write it as a personal log.
As an organization and team, we work to build technology that helps bring freedom to the world. I believe in the power of technology to change the world by enabling new ways of doing things and opening new doors. I see a unique opportunity today to empower people who have very few resources: writing code is almost free, and it can have a huge impact on the world. …
Few applications need blockchains. Distributed consensus makes each computational step very expensive. Only apps for which users are willing to pay such a cost will make sense in the new decentralized paradigm. But what makes an app need a blockchain?
The first such app was bitcoin, the first free currency. Why are the ~20M bitcoin users willing to pay the price of running a currency on top of a costly, slow platform such as a blockchain? Let’s explore the answer by analogy.
In 1982, why did my dad spend $150 at an obscure computer store in Buenos Aires to buy a Timex Sinclair 1000? He wanted to experiment with programming. …
Zeppelin is proud to be sponsoring Devcon3. To celebrate, we are releasing a CTF hacking game at the start of the conference, on November 1st.
The contest includes multiple stages consisting of security challenges and puzzles designed to test your smart contract hacking skills. Each consecutive stage increases in difficulty. Prizes totaling $10,000 USD will be distributed equally in ETH to the first five participants who successfully complete all challenges.
These are the kind of challenges our teams work on every day. …
Last week, we announced zeppelinOS, the operating system for smart contract applications.
We highlighted that “the rate of innovation in building decentralized applications is limited by the manual and duplicative efforts developers must make to ensure basic usability and security.”
zeppelinOS aims to solve this problem. Based on our experience working to secure dozens of projects in the space, we are now building an open-source, decentralized platform of tools and services on top of the EVM to help developers rapidly deploy, upgrade and manage secure smart contracts.
We have classified the features of the OS into 4 categories of services:
Last week, we saw one of the biggest hacks in the history of smart contract applications. ~30M USD were lost due to a simple programmer error, leaving critical functions open for anyone to call. It’s high time we get serious about writing secure contracts, if we want decentralized applications to reach their full potential.
In the early days of computing, writing code into machines was a difficult and inefficient endeavor. There were few tools and resources available for programmers, and specialized magazines were the main distribution media for software. Major operating systems were not yet available, so each computer model required machine-specific knowledge to be programmed. …
We’re excited to announce that our MANA token and crowdsale contracts are ready for review!
You can find the code in our official GitHub repository:
A professional audit will be performed by the Zeppelin Solutions team, but in the meantime, we invite you to review the code and provide feedback. Our bug bounty program pays you for your findings.
The scope of our bug bounty program includes all contracts related to the MANA token and crowdsale. This includes contracts from our official MANA GitHub repo and also the OpenZeppelin contracts they depend on.
Check out the Decentraland Token Sale Terms for more details on the sale. …
The Storj team asked us to review and audit their new Storj Token (STORJ) code. We looked at their contracts and now publish our results.
The audited contracts can be found in their storj-contracts repo. The version used for this report is commit
Code quality is very good. Functionality is properly modularized, and most lines of code and nearly all functions have accompanying comments stating their purpose and/or reasoning.
Here’s our assessment and recommendations, in order of importance.
EDIT: Most problems were addressed in the latest version of the code.
pay function in line 44 of PaymentForwarder.sol …
From the very first time I watched The Matrix as a 12-year-old, I dreamed about the infinite possibilities of virtual worlds. I was fascinated at the thought of spending hours creating and wandering through new universes with their own sets of rules.
However, the 12-year-old in me is still not excited by the virtual worlds that are available today.
Nowadays, gamers spend nearly 20 hours a week in virtual worlds. Their time is spent building, gathering, teaming up with other gamers, and fighting over digital goods that cost real money within the virtual universe. Right now, all of these worlds are owned by central organizations like Facebook Spaces, World of Warcraft by Blizzard, and EVE Online by CCP Games, to name a few. …
The Brave team asked us to review and audit their new BAT Token contract code. We looked at their contracts and now publish our results.
The audited contracts can be found in their basic-attention-token-crowdsale repo. The version used for this report is commit 17a5f8440a256a6dc5d8dd894b9615182c2901b2.
Here’s our assessment and recommendations, in order of importance.
Update: The Brave team followed most of our recommendations in the latest version of their code.
A fixed 300 million BAT tokens are assigned to Brave (specifically to the batFundDeposit address) when the crowdsale contract is deployed. …
The Moeda team asked us to review and audit their new Moeda Token code. We looked at their contracts and now publish our results.
Overall the code is good and has only minor issues. Here’s our assessment and recommendations, in order of importance.
Update: The Moeda team implemented most of our recommendations in the latest version of their code.
We haven’t found any severe security problems with the code.
The formula used to calculate the token amount in line 116 is unnecessarily complicated. It could be replaced by a multiplication by the amount of tokens bought with one wei for each given tier. Consider making this change by replacing the token creation rates by 1 ether divided by the current values. This has a number of…