Biggest Blockchain Exploits Show Weakness in Smart Contracts, Says Crypto Insider
Byron Murphy, an editor at Viewnodes, the developer of Metaverse, one of China’s earliest proof-of-work blockchains, says smart contract vulnerabilities remain a “clear and present danger.”
In a post published on Hackernoon, Murphy asks,
“The key question underlying the biggest blockchain exploits boils down to this: why do the best coders in the space make so many mistakes?”
In January of 2019, global public blockchain network Ethereum was forced to delay the Constantinople hard fork, or backwards incompatible upgrade, almost at the last minute due to a smart contract security flaw that could have been exploited to steal user funds. Ether dropped 11% in just a few hours after the bug was found.
[SECURITY ALERT] #Constantinople upgrade is temporarily postponed out of caution following a consensus decision by #Ethereum developers, security professionals and other community members. More information and instructions are below. https://t.co/p2znO8HGxf
— Ethereum (@ethereum) January 15, 2019
The Constantinople update, which eventually went live on February 28, included several points of code optimization, lower fees for storing smart contracts and a reduction in miner rewards from 3 ETH to 2 ETH. But the delay was triggered by the potential for “reentrancy attacks,” which would have allowed hackers to steal user funds in a worst-case scenario. Notes Murphy,
“The security flaw in question was a potential for ‘reentrancy attacks’ exploiting code in EIP 1283, allowing attackers to steal funds in a worst case scenario. This has been theoretically possible for a long time, but the inhibitive price of smart contract storage prevented an attacker from pursuing this route. Constantinople would have reduced this price, and so developers were forced to delay the hard fork to work on a permanent solution.”
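The gas arithmetic behind the explanation quoted above, as an added example that is not from Murphy's post or from any Ethereum client: a constructed Python model in which a payment recipient's callback, limited to a fixed gas stipend, tries to write contract storage in the middle of a payment. The 2,300-gas stipend, the 700-gas call cost and the storage-write prices are figures supplied here rather than stated in the article, and the `Contract` class, its `share` slot and `scenario` are hypothetical names.

```python
# Constructed model; only the callback's CALL and SSTORE are metered (assumption).
STIPEND = 2300    # gas forwarded to the recipient by transfer()/send()
CALL_GAS = 700    # cost of the callback's call back into the contract

class Revert(Exception):
    """Execution aborted: out of gas, or the reentrancy guard tripped."""

def sstore_cost(schedule, original, current, new):
    """Gas for one storage write; `original` is the slot value at transaction start."""
    if schedule == "eip1283":
        if current == new or original != current:    # no-op, or slot already modified
            return 200
        return 20000 if original == 0 else 5000
    return 20000 if current == 0 and new != 0 else 5000    # pre-Constantinople pricing

class Contract:
    def __init__(self, schedule, guarded):
        self.schedule, self.guarded = schedule, guarded
        self.original = self.share = 50    # hypothetical slot, value at transaction start
        self.locked = False

    def update(self, new, gas):
        """State-changing entry point; returns remaining gas or raises Revert."""
        if self.guarded and self.locked:
            raise Revert("reentrant call rejected")
        gas -= sstore_cost(self.schedule, self.original, self.share, new)
        if gas < 0:
            raise Revert("out of gas")
        self.share = new
        return gas

    def pay(self, callback):
        """Hands control to the recipient while later logic still depends on `share`."""
        self.locked = True
        try:
            callback(self, STIPEND - CALL_GAS)    # recipient's fallback runs here
        finally:
            self.locked = False
        return self.share    # the value the rest of pay() would act on

def scenario(schedule, guarded):
    c = Contract(schedule, guarded)
    c.update(60, gas=100_000)    # earlier write in the same transaction modifies the slot
    try:
        return c.pay(lambda target, gas: target.update(0, gas))
    except Revert:
        return "reverted"    # the whole payment reverts, so state is unchanged
```

Under the old pricing the callback's write cannot fit in the stipend, so the payment reverts; under EIP 1283 pricing it fits and `share` changes mid-payment unless the contract carries an explicit reentrancy guard, which holds under either price schedule.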
A previous hard fork of the Ethereum blockchain was performed in 2016 following the hack of The DAO, an Ethereum-based, decentralized autonomous organization that was an open-source initiative to raise capital for blockchain projects. The hard fork reversed the hacker’s transactions, which had led to approximately $70 million in Ether losses.
A new crop of non-custodial exchanges such as Nash, SparkSwap and Arwen is relying on smart contracts to handle trades, reports Forbes, in an effort to avoid the security vulnerabilities that have plagued hacked centralized exchanges such as Coincheck, Cryptopia and Zaif. But they will have to contend with a different set of challenges.
“Smart contracts and decentralized virtual machines are an almost unfathomably incredible innovation, but will be ever overshadowed if exploits continue to occur.”
You can read Murphy’s full post here.