The number of smart contracts is expected to reach 10 million in 2018. The smart contracts are accessible globally and store large amounts of value, which makes them an attractive target for hackers as was seen with The DAO and Parity wallet vulnerabilities. Once smart contracts are deployed, the code cannot be changed or patched easily, which has led to an immense need of audit. Diar speaks to Eduard Kotysh, CEO of Solidified, which is a comprehensive smart contract audit platform that has worked with Gnosis, Polymath, Bankera, Melonport amongst others.

The number of smart contracts is rapidly growing. Between June 2017 and October 2017, the number grew from 500,000 to over 2,000,000 with expectations to hit 10 million in 2018. The majority of smart contracts in Ethereum are written in Solidity, a programming language that was initially proposed in 2014 by Gavin Wood and later developed by Solidity team led by Christian Reitwiessner. Solidity is also prevalent in other projects utilizing smart contracts including permissioned Hyperledger, permissionless Hedera Hashgraph and others.

While there are some alternative languages, Solidity has become the most widely used smart contract language because it was implemented fast and solved immediate problems, which allowed it to gain inertia and network effects. The language doesn’t come without its fair share of criticism mainly because of its permissiveness and the lack of intuitiveness. In June of 2016, an attacker drained more than 3.6Mn ether ($50Mn at the time) because of a vulnerability found in The DAO smart contract code, which consequently led to a hard fork of Ethereum to recover the lost funds.

Philip Daian, a PhD researcher at Cornell University, said that The DAO hack “was actually not only a flaw or exploit in the DAO contract itself, Solidity was introducing security flaws into contracts that were not only missed by the community, but missed by the designers of the language themselves.” He added: “I refuse to lay the blame exclusively on a poorly coded contract when the contract, even if coded using best practices and following the language documentation exactly, would have remained vulnerable to attack.”

Piers Ridyard, CEO of Radix, agrees that the there is a fundamental problem with Solidity. He tells Diar that “making something easy to build on and secure at the same time doesn’t exist at the moment. It’s possible to write a smart contract fast but the likelihood of it actually being secure is very low.” Radix is addressing this problem by using Scrypto, a JavaScript-based language, which allows to call base smart contract functions directly via the APIs.

Eduard Kotysh, CEO of Solidified, which is an audit platform for smart contracts that has worked with Gnosis, Polymath, Bankera, Melonport and others, doesn’t agree with the criticism of Solidity. He tells Diar: “Solidity has a solid base. The issue is not with the language itself, but with the maturity of it. Developers need time to build design patterns and best practices around a language, not to mention put proper frameworks and tooling around it. Javascript didn't become popular because it was the greatest language ever built, and many banks still run their mission-critical software on far less superior languages than Solidity.”

Another issue with writing smart contracts, regardless of what programming language is used, is that once they are deployed, the code cannot be changed and it becomes really hard to patch the issues since the contracts are immutable. Ilya Sergey, a computer scientist at University College London, analyzed a sample of nearly one million of smart contracts and found that 34,000 are vulnerable. Moreover, since they are accessible globally and usually store value, they become an attractive target for hackers. According to Group-IB, each ICO is attacked about 100 times within a month on average and according to EY, more than 10% of ICO proceeds are lost as a result of attacks. Apart from ICOs multi signature wallets have also been targeted by hackers.

In July of 2017, 150,000 ether ($30Mn at the time) was stolen as a result of a bug in Parity multi-signature contract. Another security vulnerability in Parity multi-signature contract was found just four months later and ended up rendering approximately 500,000 ether ($150Mn at the time) inaccessible. After the second vulnerability was found, Parity asserted that they have high standards of development including peer reviews and a bug bounty program. Mr Kotysh tells Diar that a possible reason for not finding the Parity vulnerabilities in time is that many audit firms do not expose smart contracts to a large enough audience of experts in order to find vulnerabilities. The audit is typically led by one or two people, not followed by a bug bounty and thus many issues are missed. Additional reason is the lack of incentives causing the experts to not want to ethically disclose the bugs.