Oyente, a tool intended to calculate and report any vulnerabilities within smart contracts, is set to debut at DEVCON2.
Loi Luu, a Ph.D. student, and a researcher at Oyente, are scheduled to present their future open source tool on September 20.
A group of researchers from the National University of Singapore analyzed the security and stability of thousands of smart contracts and determined many of the issues were repeated. Using Oyente, the researchers were able to detect flaws that would allow an attacker to manipulate the contract for their personal gain.
In their white paper, Oyente discovered 8,833 smart contracts out of 19,366 were vulnerable. This included the DAO bug which led to the hack and eventual demise of the smart contract in June.
During their analysis, they found these flaws could be caused by a semantic gap. This problem, according to the white paper, is led “by the assumptions contract writers make about the underlying execution semantics and the actual semantics of the smart contract system. Specifically, we show how different parties can exploit contracts which have differing output states depending on the order of transactions and input block timestamp.”
Four major issues kept recurring in their research. These issues included transaction-ordering dependence (where a miner can control the order of transactions after mining the block), timestamp dependence (where a miner can “precompute” a timestamp for their own benefit), mishandled exceptions (an attack deliberately causes a send transaction to fail), and reentrancy (a call where the attacker can drain a contract that has not been “zeroed”). Reentrancy may sound familiar, as it was the bug that led to the DAO hack (3.6 million Ether was drained by hackers).
In order to test your smart contract for vulnerabilities, users must input it into Oyente. Their analysis will not only allow for better-executed contracts but it will also prevent any questionable ones.
Since the DAO hack, security has been the main focus in repairing future smart contracts. In that, Hrishi Olickel, a researcher for the Oyente analysis, points out that we rely too much on the programming language for smart contracts, and that we assume with the right computations that nothing will go wrong.
“Unfortunately, when ‘Code Is Law,’ autopilots are no longer an option. There needs to be a new language for smart contracts which requires at least a cursory understanding of the underlying system,” Olickel says.
Oyente is not the only company attempting to solve smart contracts’ security problems. Microsoft has joined forces with Harvard University to strengthen, and possibly change, the programming language.
Oyente does not plan to focus solely on Ethereum smart contracts. The tool will be platform agnostic and aims to work with platforms such as Counterparty and Rootstock.