Ethereum stands out as one of the most widely utilized blockchain networks on a global scale. Recent data from CoinMarketCap reveals that Ethereum boasts the highest number of total developers, constituting 16% of all developers within the cryptocurrency sector.
However, that popularity has a downside: the network is also the most heavily targeted. According to the “Global Web3 Security Report” by blockchain security firm Beosin, investors in the crypto space lost $282.96 million to rug pulls in the third quarter of this year, and a further $66.15 million to phishing schemes in the same period. Of all the chains covered, Beosin found that Ethereum recorded both the largest losses and the highest number of security incidents.
Updated framework for reviewing smart contract code
Chaals Nevile, the technical program director at the Enterprise Ethereum Alliance (EEA), an organization that promotes enterprise Ethereum as an open standard, highlighted existing challenges within the Ethereum ecosystem, particularly regarding security. Nevile pointed to one prominent issue: bugs in the Solidity compiler, which translates contract source code into the EVM bytecode that is actually deployed. A compiler bug can therefore introduce a flaw that is invisible in the source code a developer or auditor reads. He explained that while the compiler evolves and old bugs are fixed, new ones inevitably emerge, affecting the security of the ecosystem as a whole.
To tackle these challenges, the EEA established the “EthTrust Security Levels Working Group” in November 2020. In August 2022, the group released the “EthTrust Security Levels Specification v1,” a foundational framework for developers, organizations, and customers dealing with smart contract code written in Solidity, the most widely used language for Ethereum smart contracts.
Despite these efforts, Nevile emphasized the need for continuous updates to the EthTrust Security Levels Specification to keep pace with Ethereum’s advancements and address new security developments. He noted that while the v1 specification covers bugs up to approximately the year 2022, new bugs have been identified after its release, underlining the dynamic nature of security challenges in the Ethereum network.
Given these persistent challenges, Nevile announced the release of Version 2.0 of the EthTrust Security Levels Specification by the EEA. The update addresses newly discovered bugs in the Solidity compiler, the treatment of rounding errors, and a more robust approach to read-only reentrancy attacks, among other improvements. In a read-only reentrancy attack, the attacker re-enters not to change the victim contract’s state but to have a third contract read one of its view functions while that state is temporarily inconsistent, so the checks-effects-interactions pattern alone does not protect the contracts that depend on it.
Nevile highlighted the significance of these updates, particularly in addressing the classes of vulnerability behind past exploits on Ethereum. The best-known example is “The DAO” hack in 2016, which drained roughly 3.6 million ETH from the contract. Michael Lewellen, the head of solutions architecture at OpenZeppelin, a security firm that maintains an open-source framework for securing smart contracts, pointed out that The DAO hack was a classic case of reentrancy.
Nevile further explained that reentrancy occurs when a smart contract, in the middle of executing a function, makes an external call that hands control to another party, which can then call back into the still-running contract before it has finished updating its state. This interleaving of calls creates an opportunity for an attacker to steal funds or alter the intended outcome. The updates in EthTrust Security Levels Specification v2 aim to mitigate such risks and enhance the overall security of the Ethereum ecosystem.
Will an industry standard be widely adopted?
Given the severity of security incidents in the cryptocurrency space, Michael Lewellen of OpenZeppelin highlighted the role the EthTrust Security Levels v1 framework plays in preventing vulnerabilities from reaching production. OpenZeppelin uses the framework as a pre-audit checklist for many clients, so that the specific requirements it lists are verified before and during the audit.
This industry standard has already proven useful in practice. An anonymous OpenZeppelin client told Cryptonews that EthTrust addressed a previous gap in their security process: they had failed an earlier security audit because they lacked clear guidance on which security requirements were missing. Implementing EthTrust’s requirements in their codebase has given them greater confidence going into their next audit. EthTrust thus gives organizations a concrete list of requirements to meet when developing and auditing smart contracts on Ethereum.
Nevile observed that, despite positive feedback on the EthTrust standard v1, raising awareness about its existence among developers and organizations remains a challenge. He emphasized that the framework is particularly well-suited for emerging Ethereum projects. According to him:
“While established projects like Uniswap and Aave may find these specifications beneficial, they are generally already familiar with such information. It is the projects currently in the development phase and transitioning to production on the Ethereum platform that are likely to perceive these specifications as valuable.”
Nevertheless, there is still uncertainty about whether adopting such an industry standard will effectively mitigate security exploits on Ethereum in the future. John Wingate, the founder and CEO of BankSocial—a financial services company utilizing blockchain technology—expressed concerns about the dynamic nature of industry standards. He remarked, “Standards are continually evolving; programming languages constantly phase out methods, variables, data types, and object types.”
With this concern in mind, Nevile disclosed that work is already underway on version 3 of the EthTrust specification. He stated, “We are approximately 16 months between publications. I believe that a revision every 12 to 18 months is frequent enough to ensure that we stay current and relevant.”
However, Wingate believes that repeatable, automated testing is the only reliable way to ensure that decentralized applications adhere to best practices and so minimize the risk of security exploits. He explained:
“This entails setting up your platform for regular, automated code testing. When there’s a known bug in the source code or compiler, the automation tool can be updated, and then everyone benefits from scanning for potential exploits.”