Navigating the minefield of Token Offerings — Part 2

Last time we highlighted how critical trust is in a decentralized environment (ironically) and especially in Token Offerings. One aspect of the damaged trust between the end users and the decentralized ecosystem is cybersecurity. A decentralized system is usually built from many different building blocks (subsystems) and each one of them can have a negative impact on the overall system, when it gets compromised. A special category of building block is Smart Contracts. Smart Contracts are executable code that runs on a decentralized network, in an automated way. You can picture them as a vending machine that, once it’s programmed and filled with items, will keep serving the available items when someone drops a coin in it. Smart Contracts are the beating heart of a decentralized system. Αny kind of bug can be fatal to the overall system, since it will almost always have an impact on the funds of the Contract itself and its stakeholders.

The first major Smart Contract incident was the one of the DAO, which took place less than two months since its launch and affected 18,000 stakeholders who lost more than 3,6 million Ether. Another severe incident was the Parity wallet hack which resulted in more than 150,000 stolen Ether. Just these two incidents on the Smart Contract level, had an impact on funds that are currently valued close to $700,000,000.

The community is well aware of how critical Smart Contracts are, and has taken steps to improve their security. There are two directions to prevent security bugs, training and tools . In the first direction, security researchers have already collected the most common Smart Contract vulnerabilities and created “OWASP Top10 “— like wikis to raise awareness about them and to educate developers on how these common vulnerabilities should be mitigated. On the direction of providing tools to the Smart Contract developers, the Solidity compiler has already integrated security checks which show up as warnings when compiling a Smart Contract and the list of security tools for Smart Contracts keeps growing.

Of course no automation can beat human error, and that’s why we decided in Blocktopus to integrate Dedaub’s Contract Library when a Token Offering Smart Contract is registered, and to not allow any Token Offering that has warnings to be published on Blocktopus. That way Blocktopus makes a step further on building the trust between its end users and the Token Offerings that they get connected to.

A few words about Dedaub and Contract Library:

Contract library is an automated audit/analysis service of the full Ethereum mainnet and testnets. The contract library service decompiles contracts from deployed bytecode and runs specialized vulnerability analyses on them. The analyses capture, in high precision and completeness, possible threats to contract correctness, including reentrancy vulnerabilities, ability to change contract owners, bad patterns of randomness, and more. The emphasis of the service is on exhaustiveness: the analysis operates over all deployed code, unlike other decompilation and analysis tools that recover only code they can symbolically exercise.