Here are the lessons we learned from contributing to OpenZeppelin

Doug Crescenzi
Jun 27, 2018 · 5 min read

Building secure smart contracts is really, really hard. The industry has been riddled with security breaches over the years and it is becoming increasingly evident that in order for blockchain technology to realize its full potential the security issues must be addressed.

OpenZeppelin is an incredible open source project that is taking these issues head on.

OpenZeppelin is a “battle-tested” open source framework comprised of reusable Ethereum smart contracts. The framework helps smart contract developers reduce the risk of vulnerabilities in their distributed applications (dapps) by using standard, tested, community-reviewed code. Today, its smart contracts power over $4.5 billion worth of digital assets.

Over the last few months our team has been contributing to OpenZeppelin. The most significant contribution we’ve made so far has been the development of a secure smart contract that can be used to execute the auction of non-fungible tokens (NFTs). Here’s a brief case study.

From our experiences, here are the most important lessons we’ve learned from contributing to OpenZeppelin:

Familiarize yourself with token standards

First and foremost, it’s particularly important to familiarize yourself with core token standards — particularly ERC20, ERC721, and ERC827. Doing so will help you see how different smart contracts that use these different standards interact.

For instance, we wasted a lot of time trying to use ERC721’s approve function in a situation where it didn’t make sense to do so. I.e., for our auction contract, we thought it would be necessary for our contract to approve the transfer of a user’s NFT. Instead, our contract required that a user who wanted to auction their NFT must first approve our auction contract’s address in order to facilitate the transfer of their NFT.

Here’s what that looks like on the front end:

await auction.startAuction(token.address, tokenId, _from);      await token.approve(auction.address, tokenId, _from });     

await auction.processBid({ from: bidder, value: bid });

Having a thorough understanding of the core token standards implemented in OpenZeppelin will make it easier for you to understand how your smart contracts should interact.

Make small contributions at first

We began to make modest contributions to the project after we acclimated ourselves with the core token standards. The OpenZeppelin team does a nice job labeling “Good first issues” for new contributors to address.

We found contributing to the documentation was particularly useful at the beginning. Doing so forced us to read through all of OpenZeppelin’s documentation and familiarize ourselves with their Contribution Guidelines as well as the Ethereum Natural Specification Format — a special form of comments that Solidity contracts can have. By submitting a few light weight pull requests, we were able to familiarize ourselves with the project’s workflow and create a rapport with the maintainers.

Join the OpenZeppelin community on Slack

As we began to make more meaningful contributions to the project, we encountered questions along the way. We found turning to the OpenZeppelin community on Slack was very helpful whenever we got stuck. The community is very active and more than willing to help. Everyone there wants to improve smart contract security in an effort to advance a decentralized, open economy.

Unit tests are your friend

If you plan to introduce new features to OpenZeppelin, you’ll come to rely heavily upon your unit tests. You could go through the process of actually manually testing your OpenZeppelin contract (here’s how), but it’s tedious and inefficient. Unit testing will save you a lot of time and ultimately improve your code’s quality.

To implement your unit tests, you’ll want to acquaint yourself with web3.js. Web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using HTTP. Additionally, you will benefit from reading up on Mocha, a JavaScript test framework, and Chai, an assertion library that can be paired with Mocha.

These tools coupled with your ability to reference other unit tests from existing OpenZeppelin smart contracts will help ensure the new contract(s) you want to introduce are thoroughly covered.

Play Ethernaut

As we mentioned earlier, security is a foremost priority to the OpenZeppelin project. All smart contracts that are submitted are rigorously tested through ongoing community-audits.

In order to familiarize ourselves with smart contract security we played Ethernaut, a Web3/Solidity based game that’s played in the Ethereum Virtual Machine. Each level in the game is a smart contract with a vulnerability that needs to be exploited in order to advance.

Playing the game made us aware of the most common mistakes developers make and what to avoid when building our own smart contracts.

Get comfortable with the Truffle framework

Last but certainly not least, before you dive into OpenZeppelin, you’ll want to gain experience using the Truffle framework. Truffle is the most popular development framework for Ethereum at this time. It provides built-in smart contract compilation, linking, deployment, binary management, and many other features. It’s touted as “The Ethereum Swiss Army Knife” and is used to power OpenZeppelin.


  • Building secure smart contracts is really, really hard.
  • OpenZeppelin, a “battle-tested” open source framework comprised of reusable Ethereum smart contracts exists to help advance tomorrow’s decentralized, open economy.
  • If you plan on contributing to OpenZeppelin you will want to have a thorough understanding of today’s core token standards: ERC20, ERC721, and ERC827.
  • It’s important to be aware of core token functionality and understand how users interact with smart contracts as well as how smart contracts interact with each other.
  • If you’re planning to contribute to OpenZeppelin, we encourage you to make small contributions at first. Check out the list of “Good first issues” on Github.
  • Engage with OpenZeppelin’s community on Slack — ask good questions and help out where you can.
  • Unit tests fueled by web3.js will save you a lot of time and help improve your code’s quality as you introduce new features.
  • Ethernaut, a Web3/Solidity based game, is a good way to acquaint yourself with the common smart contract security vulnerabilities that you’ll want to avoid.
  • Before you attempt to contribute to OpenZeppelin, you’ll want to have experience using the Truffle framework and understand how it helps streamline smart contract development.
  • Building secure smart contracts is hard, but the community is constantly working on tools, like OpenZeppelin, that empower developers and give them the tools they need to build secure and reliable smart contracts.

☞ To be up to date with our work on smart contract development, follow us on Medium and Twitter.

Upstate Interactive

We're a women-owned business that helps B2B organizations turn great ideas into software.

Doug Crescenzi

Written by

We build smart contracts and distributed applications @ Upstate Interactive - Founder @ Hack Upstate

Upstate Interactive

We're a women-owned business that helps B2B organizations turn great ideas into software.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade