Once again, we’ve seen the limitations of smart contracts in practice this week. And once again, the problem isn’t entirely the contracts themselves, but human error.

Since Ethereum has been launched, there have been a long series of critical bugs uncovered in its smart contracts that have led to hundreds of millions of dollars of funds being lost or stolen. It’s worth stating that these aren’t exactly problems with the code: the smart contracts acted in precisely the way they were programmed. It’s just that the developers unwittingly introduced loopholes that could be exploited.

Some of this is down to developer error. The code for Parity’s multi-sig wallets was professionally audited, but no one spotted the bug that would lead to an attacker ‘suiciding’ the contract to make $150 million inaccessible. But some of it is down to the programming language used, which allows scope for grey areas and blurred lines that can be exploited. After The DAO hack, which resulted in Ethereum forking to become two blockchains, one analyst wrote:

‘This was actually not a flaw or exploit in the DAO contract itself: technically the EVM was operating as intended, but Solidity was introducing security flaws into contracts that were not only missed by the community, but missed by the designers of the language themselves. I would lay at least 50% of the blame for this exploit squarely at the feet of the design of the Solidity language… the contract, even if coded using best practices and following the language documentation exactly, would have remained vulnerable to attack.’ (See https://pdaian.com/blog/chasing-the-dao-attackers-wake/)

The latest issue to be discovered is the so-called batchOverflow bug: a previously unknown vulnerability that enabled an attacker to transfer a huge number of an existing token (with initial supply far lower than the number transferred). Analysis showed that over a dozen ERC20 contracts had the same vulnerability, causing exchanges to halt trading while contracts for the tokens they listed were examined.

Ethereum’s ‘code is law’ principle means that it’s very difficult to address these issues once the tokens are released into the wild. Ethereum is an intriguing project, and a great sandbox for developers to build cool stuff, but the unfortunate reality is that it’s not ready for the real world. For that, we’re going to need a new implementation of smart contracts: one that is more predictable and, possibly, less powerful.

Read more about batchOverflow at https://medium.com/@peckshield/alert-new-batchoverflow-bug-in-multiple-erc20-smart-contracts-cve-2018-10299-511067db6536

Red hot news, scorching wit and searing opinion pieces from Crypto Inferno.

Join us on

Telegram: https://t.me/crypto_inferno

Reddit: https://www.reddit.com/r/CryptoInferno/

Twitter: https://twitter.com/CryptoInferno_

Facebook: https://www.facebook.com/CryptoInfern!