The purpose of this post is to update my personal vision of Zeppelin and Zeppelin’s projects, as their founder and CTO. This is my own personal perspective, and some Zeppelin team members may not be aligned with my views. However, several people told me it would be helpful if they could read my understanding of this topic as a base for further discussions, to inform long-term planning and product design. If nothing else, it has been useful to write it as a personal log.

Zeppelin (the Company)

As an organization and team, we work to build technology that helps bring freedom to the world. I believe in the power of technology to change the world by enabling new ways of doing things and opening new doors. I see a unique opportunity today to empower people who have very few resources: writing code is almost free, and it can have a huge impact on the world. …


Few applications need blockchains. Distributed consensus makes each computational step very expensive. Only apps for which users are willing to pay such a cost will make sense in the new decentralized paradigm. But what makes an app need a blockchain?

A Brief History of Computer Innovation

The first such app was bitcoin, the first free currency. Why are the ~20M bitcoin users willing to pay the price of running a currency on top of a costly, slow platform such as a blockchain? Let’s explore the answer by analogy.

In 1982, why did my dad spend $150 at an obscure computer store in Buenos Aires to buy a Timex Sinclair 1000? He wanted to experiment with programming. …


Zeppelin is proud to be sponsoring Devcon3. To celebrate, we are releasing a CTF hacking game at the start of the conference, on November 1st.

The contest includes multiple stages consisting of security challenges and puzzles designed to test your smart contract hacking skills. Each consecutive stage increases in difficulty. Prizes totaling $10,000 USD will be distributed equally in ETH to the first five participants who successfully complete all challenges.

These are the kind of challenges our teams work on every day. …


Last week, we announced zeppelinOS, the operating system for smart contract applications.

We highlighted that “the rate of innovation in building decentralized applications is limited by the manual and duplicative efforts developers must make to ensure basic usability and security.”

zeppelinOS aims to solve this problem. Based on our experience working to secure dozens of projects in the space, we are now building an open-source, decentralized platform of tools and services on top of the EVM to help developers rapidly deploy, upgrade and manage secure smart contracts.

We have classified the features of the OS into 4 categories of services:

  • the zeppelinOS Kernel Standard…


Last week, we saw one of the biggest hacks in the history of smart contract applications. ~30M USD were lost due to a simple programmer error, leaving critical functions open for anyone to call. It’s high time we get serious about writing secure contracts, if we want decentralized applications to reach their full potential.

In the early days of computing, writing code into machines was a difficult and inefficient endeavor. There were few tools and resources available for programmers, and specialized magazines were the main distribution media for software. Major operating systems were not yet available, so each computer model required machine-specific knowledge to be programmed.


Reviewing our MANA token and crowdsale contracts.

We’re excited to announce that our MANA token and crowdsale contracts are ready for review!

You can find the code in our official GitHub repository:

A professional audit will be performed by the Zeppelin Solutions team, but in the meantime, we invite you to review the code and provide feedback. Our bug bounty program pays you for your findings.

Program Details

The scope of our bug bounty program includes all contracts related to the MANA token and crowdsale. This includes contracts from our official MANA GitHub repo and also the OpenZeppelin contracts they depend on.

Check out the Decentraland Token Sale Terms for more details on the sale. …


The Storj team asked us to review and audit their new Storj Token (STORJ) code. We looked at their contracts and now publish our results.

The audited contracts can be found in their storj-contracts repo. The version used for this report is commit 2bdeb27c0216d2f0889b6e7363d8a84b54cd7f39.

Code quality is very good. Functionality is properly modularized, and most lines of code and nearly all functions have accompanying comments stating their purpose and/or reasoning.

Here’s our assessment and recommendations, in order of importance.

EDIT: Most problems were addressed in the latest version of the code.

Severe

Problems with PaymentForwarder’s pay function

pay function in line 44 of PaymentForwarder.sol


VR will flourish when users can control their reality.

From the very first time I watched The Matrix as a 12-year-old, I dreamed about the infinite possibilities of virtual worlds. I was fascinated by the thought of spending hours creating, and wandering through, new universes with their own sets of rules.

However, the 12-year-old in me is still not excited by the virtual worlds that are available today.

Nowadays, gamers spend nearly 20 hours a week in virtual worlds. Their time is spent building, gathering, teaming up with other gamers, and fighting over digital goods that cost real money within the virtual universe. Right now, all of these worlds are owned by central organizations like Facebook Spaces, World of Warcraft by Blizzard, and EVE Online by CCP Games, to name a few. …


The Brave team asked us to review and audit their new BAT Token contract code. We looked at their contracts and now publish our results.

The audited contracts can be found in their basic-attention-token-crowdsale repo. The version used for this report is commit 17a5f8440a256a6dc5d8dd894b9615182c2901b2.

Here’s our assessment and recommendations, in order of importance.

Update: The Brave team followed most of our recommendations in the latest version of their code.

Severe

Brave can get an unfair refund if tokenCreationMin is not reached

A fixed 300 million BAT tokens are assigned to Brave (specifically to the batFundDeposit address) when the crowdsale contract is deployed. …


The Moeda team asked us to review and audit their new Moeda Token code. We looked at their contracts and now publish our results.

The audited contracts can be found in their moeda repo. The version used for this report is commit b2bf23119d563e251b6f16b29b642bac43e76a64. The main contracts are MoedaToken.sol and Crowdsale.sol.

Overall the code is good and has only minor issues. Here’s our assessment and recommendations, in order of importance.

Update: The Moeda team implemented most of our recommendations in the latest version of their code.

Severe

We haven’t found any severe security problems with the code.

Potential problems

Unnecessary complexity calculating token amount

The formula used to calculate the token amount in line 116 is unnecessarily complicated. It could be replaced by a multiplication by the amount of tokens bought with one wei for each given tier. Consider making this change by replacing the token creation rates by 1 ether divided by the current values. This has a number of…

About

Manuel Araoz

CTO at Zeppelin
