Web3 Leader Spotlight: Stefan Beyer

Author: Dan Jones
June 18, 2023

First written: June 18th 2023

Hi everyone,

Join us for another edition of Coffee With Calyptus, where we bring you captivating perspectives on the ever-changing terrain of web3 development and top web3 jobs.

This week, we caught up with Stefan Beyer, Managing Partner at Oak Security, a leading cyber security consulting firm that offers security auditing services for a number of blockchains, with a special focus on third-generation blockchains and protocols. He offers valuable insights on the impact of evolving blockchain trends and standards on web3 security and shares top web3 job tips for aspiring auditors.


Blockchain platforms evolve over time. How does this affect the security of smart contracts? What measures should be taken to ensure ongoing security as the underlying technology changes?

Blockchain technology evolves at several levels, due to being a relatively new technology (still). Projects should assume that the underlying protocol may change. In the past, changes to the EVM have led to problems with already deployed contracts on the Ethereum network. The only thing teams can do to mitigate the risk related to this is to keep their contracts simple and follow basic best practice design patterns. Assumptions, such as assuming certain gas consumption for operations, are asking for trouble.

At a higher level, we keep discovering new ways to interact with financial protocols and new paradigms appear. Existing protocols may suddenly become insecure when confronted with unforeseen use cases. For example, flash loans were a new concept that suddenly disrupted some protocols. Again, the solution is sticking to simple patterns and not making any assumptions. Failsafes and the ability to migrate to a new version are good ideas. However, the challenge in this is not to introduce centralization.

Are there any emerging standards or protocols that aim to improve smart contract security? How do they contribute to the overall ecosystem?

There have been a few attempts to standardize certain aspects of smart contract design in the interest of security. The most formal standards I am aware of are the EEA EthTrust Security Levels Specification (https://entethalliance.github.io/eta-registry/security-levels-spec.html) and, at a higher level, the Cryptocurrency Security Standard (https://cryptoconsortium.org/standards-2/).

What I consider most valuable is the large body of knowledge on security and best practices documented by the community. 

Awesome Smart Contract Security is a good collection of resources (https://github.com/saeidshirazi/Awesome-Smart-Contract-Security). 

Vulnerability databases, such as the SWC Registry, are incredibly useful.

What are the implications of upgradability in smart contracts for security? How can developers balance the need for upgradability with the importance of maintaining a secure contract?

Upgradability versus immutability is an eternal debate and it’s hard to give a clear answer since it is a fact that everything changes, and immutable code may be problematic in combination with protocol changes and new paradigms emerging (see question 1). 

In my opinion, complex upgradability patterns, such as the popular proxy/delegatecall pattern, are unnecessary overkill and should be considered an antipattern. The best way to keep a smart contract architecture upgradable, or migratable, is to have a very modular design and just point things to versions when an upgrade is required.

Implementing upgradability in a decentralized manner is challenging but can be done.

Do you have any tips for an aspiring auditor? What kind of skills, experience, and traits do you look out for?

If you check out any of the top web3 job boards out there like Calyptus, you will see the top auditing firms are looking for candidates with a detailed knowledge of the underlying technologies, such as Solidity and the EVM, in the case of Ethereum. However, these things can be learned. It’s much harder to acquire what we call an “auditor mindset”. This means thinking like an adversary and attention to minute details, which may border on obsessiveness. 

Beyond that, it’s important to stay up to date, know all the existing exploits, analyse new attacks when they become public, and be aware of the latest trends.

Capture the flag exercises are also a very good starting point.