Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks

Technology Insights HOME

Perspectives from Our Experts on Technology Trends and Risks.

Search

ARTICLE

3 mins to read

Simple is Secure: Streamlining Smart Contract Design and Why Contract Standards Matter

Max Houser

Senior Manager - Security and Privacy

Views
Larger Font
3 minutes to read

For security teams looking to implement and design smart contracts, there are many intricacies and nuances that can be overwhelming. Using established standards for the secure development of smart contracts/decentralized applications (dApps) is instrumental to effectively launch smart contracts. In an earlier blog, I introduced the basics of smart contracts; today, I’m diving into existing standards and how to leverage them for success.

The deceptive simplicity of smart contracts

Smart contracts appear straightforward at first glance: business logic can be captured in a few small and concise lines, with business requirements easily translated into code. The allure of smart contracts is to permanently codify building blocks of larger systems into distinct, simple systems. While all of this is largely good and true, there is another truth: as digital ledgers continue to store high-value assets, attackers have shifted their focus to smart contracts, which act as routers or storage containers for these assets.

In an ideal world, a perfect smart contract ensures that only those who should be able to access the digital assets are able to do so. Much like an online shopper must authenticate before their purchase to ensure that only an authorized individual can access their own account, a smart contract checks an account against contract-defined roles to ensure they are allowed to execute the function they are accessing. In practice, implementations that seem secure may have pitfalls unbeknown to the smart contract’s developers. While there is inevitably some custom code in each smart contract, the entire contract does not need to be new; there are smart contract standards.

How ERCs and standards work

There are many different blockchain platforms, each with their own ecosystems and standards. One frequently used platform is Ethereum, which has well-documented standards implemented by third parties.

Ethereum sets new standards (referred to as ERCs) with feedback from the community to help provide a unified understanding and framework for smart contract and decentralized application developers to build around. This allows different parties to build unique applications and implementations that will work across applications on the network, permitting all parties followed the same ERC recommendations.

Other parties can build smart contract libraries that use these standards. Developers can carry out standards into their own applications.

Libraries and permissioning schemes

Several groups have set out to create contract libraries for the most used standards (ERC-20, ERC-721, ERC-1155, etc.). The contracts comprising these libraries are extensively tested and reviewed, with security at the forefront of their open-source implementation. In addition to common smart contract implementations, these groups have also built out role-based permissioning schemes, as well as other reusable Solidity components.

As all smart contracts inherently have unique designs and implementations that businesses require to develop their decentralized applications, there will be more code reviews and security tests for new functionality and applications. But the secure starting point provided by an open source, reviewed smart contract library cannot be overstated: it provides a cleanroom of sorts to begin design and implementation of the unique parts of our application.

Don’t build access controls from scratch

What’s the danger of diverging from security reviewed contract implementations? Why not just build our own from scratch? Many well-intentioned development teams have set out to build their own implementation of various access controls and other permissioning standards when those implementations already existed in smart contract libraries.

For simpler mechanisms with adequate testing and security review, this may be fine. However, many exploits and bugs have been found in contracts where development teams created custom implementations of access controls and other permissioning standards instead of relying on established, reviewed and open-source standards.

This should serve as a cautionary tale: when smart contract components have already been designed, are available in an open-source standard, and have received extensive security reviews and scrutiny, there is little reason to feel the need to rebuild them from scratch. For most organizations, the ultimate goal is to build new functionality that delights customers. It is possible to lean into new and exciting challenges while relying on tried-and-true mechanisms designed with security input from the larger security and blockchain communities.

Still intimidated by custom smart contract functionality and security? The final blog in this three-part series covers security and shifting to the left when developing smart contracts and dApps.

To learn more about our security and privacy solutions, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Find a similar article by topics

Authors

Max Houser

By Max Houser

Verified Expert at Protiviti

Visit Max Houser's profile

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

In today’s fast-paced digital landscape, DevOps practices have revolutionized software development and deployment, allowing organizations to achieve greater efficiency and...

Article

What is it about

This blog was originally posted on Forbes.com. Kim Bozzella is a member of the Forbes Technology Council. Here’s a problem...

Article

What is it about

Companies that work with the Department of Defense (DoD) know that it is critical to store data properly and are...