Ethereum smart contract vulnerability: affected contracts cannot be withdrawn or changed
Software bugs are a normal thing, but when they happen on Ethereum they are very dangerous.
A vulnerability was found this week in Solidity, the Ethereum programming language, and it affects certain smart contracts. Because of how Ethereum operates (each Ethereum application promises to execute exactly as programmed), most of the affected contracts cannot be withdrawn or changed.
In short, the owners of decentralized smart contracts (contracts that cannot be controlled by an owner) can do nothing about this vulnerability.
Two days after the vulnerability report was released, the developers shipped a fix in Solidity version 0.4.4. But because the vulnerability affects data types such as addresses within these contracts, the contracts themselves cannot be upgraded.
Thankfully, this vulnerability may not affect many smart contracts.
Christian Reitwiessner, the creator of Solidity, said that he ran a "semi-automatic" analysis over every contract listed in the Etherscan block explorer and found that, of 12000 contracts, only 4 are affected.
Reitwiessner said these contracts hold no ether, so they were probably used for testing. But it is worth noting that not every contract is listed in the Etherscan blockchain explorer. (Ethereum currently has about 200000 contracts in total, so it is hard to say whether the funds in the remaining contracts are safe.)
In short, compared with the smart contract errors of the TheDAO incident, this vulnerability is not a big problem. However, it has caused a lot of discussion in the cryptocurrency community: given that not every smart contract has a central owner who can upgrade it to prevent errors, what happens when the next major vulnerability appears?
Some observers on social media believe this vulnerability may be just the tip of the iceberg of potential smart contract vulnerabilities.
One radical proposed solution is to upgrade Ethereum contracts in the near future, so that contract owners can remove or change the faulty code. The only concern is that this might mean stripping Ethereum (or other decentralized platforms) of the one thing that makes them unique.
Loi Luu of the National University of Singapore said that users can learn how best to deploy smart contracts safely on a decentralized Ethereum.
Luu said: "I personally do not think this is a good idea; it basically violates the whole original design of smart contracts. If Ethereum is a test network, let the smart contracts fail and let people learn a lesson from it."
But Luu's comments suggest that while upgrading all contracts may not be a good idea, there are other ways to prevent possible future vulnerabilities, especially since Ethereum is such a new technology.
To fix the problem
Ethereum programs are written in a human-readable high-level language such as Solidity or Serpent and are compiled into bytecode before being added to the blockchain. The problem here lies mainly in the compiler.
To address the problem, Reitwiessner recommends that developers do two things. First, when compiling a new contract, developers should use the new version of Solidity in order to avoid this flaw.
The second way to avoid the problem is stranger, because it requires upgrading or redeploying the smart contract, something Ethereum does not always allow.
Reitwiessner elaborated on the proposal, explaining that there are two types of contracts: centrally controlled ones and decentralized ones; for the latter, "nobody has the privilege".
The first type may provide some upgrade mechanism or a way to move funds out of the contract.
The second type is harder. Because an Ethereum smart contract, once launched, cannot be removed or changed, if the developer deployed the smart contract in a decentralized way from the start, there is very little that can be done.
However, Reitwiessner said that developers can take certain measures to prevent similar problems (such as the one in Solidity) from occurring.
He said: "For this type of contract, my advice is either to shorten their running time, in order to reduce the potential impact of an incident, or to properly analyze the contract bytecode. We are currently developing tools to help with that."
Upgrade the contract
But there are other ways to address the problem.
Hudson Jameson, an information technology consultant at the Ethereum Foundation, described how a decentralized smart contract can be upgraded: a dynamic code upgrade mechanism must be added.
He said: "The whole idea is that at an early stage, the most important thing for developers is to build failsafe mechanisms into their own code, so that the contract can be removed or upgraded as a safety valve."
Jameson also described some potential smart contract "fail safes": even after the owner has deployed their contract on Ethereum, the mechanism can still be used to upgrade the contract, or the smart contract can automatically detect suspicious activity.
He said these need not be centralized or controlled by a single person. For example, a smart contract can set a time limit on withdrawals.
He said: "If an attacker tries to steal the contract's funds or assets, a decentralized response is triggered automatically that locks them and lets other people use the contract, so that people can withdraw their money in time."
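The kind of decentralized fail safe Jameson describes (a withdrawal rate limit that locks the contract by itself and still lets depositors get their own money out), as an added Solidity example that is not code from the article or from anyone quoted in it; the pragma version, the contract name, the window length and the per-window limit are all assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed example of a decentralized "fail safe": a vault that rate-limits
// outflow per time window and trips a circuit breaker by itself when the limit
// is exceeded. Once tripped, only depositors' own balances can be withdrawn,
// so funds can leave in time without any owner or central party.
contract RateLimitedVault {
    uint256 public constant WINDOW = 1 days; // assumed window length
    uint256 public immutable windowLimit;    // max total outflow per window
    uint256 public windowStart;
    uint256 public windowOutflow;
    bool public tripped;                     // circuit breaker state
    mapping(address => uint256) public balances;
    constructor(uint256 _windowLimit) {
        windowLimit = _windowLimit;
        windowStart = block.timestamp;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Normal withdrawal path, subject to the per-window outflow limit.
    function withdraw(uint256 amount) external {
        require(!tripped, "vault locked: use emergencyWithdraw");
        require(balances[msg.sender] >= amount, "insufficient balance");
        if (block.timestamp >= windowStart + WINDOW) { // window expired: reset
            windowStart = block.timestamp;
            windowOutflow = 0;
        }
        if (windowOutflow + amount > windowLimit) {   // suspicious outflow
            tripped = true;                           // lock instead of paying;
            return;                                   // return, not revert, so the lock persists
        }
        windowOutflow += amount;
        balances[msg.sender] -= amount;               // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // After the breaker trips, each depositor can still recover their own balance.
    function emergencyWithdraw() external {
        require(tripped, "breaker not tripped");
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;                     // zero before sending (no reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

No address can reset `tripped`, so the lock is a one-way response that nobody controls; the cost is that a single legitimate withdrawal above `windowLimit` also trips it, which is the trade-off such a device makes.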
The road is long
Because smart contracts on the original Ethereum chain (ETC) use the same set of rules as those on the ETH chain, they are also affected by this vulnerability.
But according to Arvicco, a lead organizer, developers are exploring a new programming language that can avoid more of these flaws.
He said: "One possible approach is to move smart contract development from object-oriented programming languages to the functional paradigm."
Whatever fix turns out to be possible, these discussions indicate that developers should not expect Ethereum smart contracts to be free of danger, something that may be very obvious to those who have already deployed code on the network.
Especially with the Solidity language, if another unavoidable flaw appears, it may affect other smart contracts in the future.
Reitwiessner pointed out that errors in a compiler are always possible, and that Solidity, Serpent, or other Ethereum smart contract languages may have other undiscovered vulnerabilities.
However, he noted that in more than two years of development, this is the first serious vulnerability found in a smart contract language.