One of Ethereum's earliest smart contract languages is about to retire

According to an audit report released last week by blockchain security company Zeppelin Solutions, Serpent, one of the earliest smart contract programming languages for Ethereum, is no longer secure and is unsuitable for continued use. The report identifies dozens of issues in the language, including eight critical vulnerabilities. Given that several software vulnerabilities have already caused significant losses, the company's CEO argues that smart contract code also needs to be audited.

Translation: Clover

Serpent, one of the earliest smart contract programming languages, is no longer secure and is not suitable for continued use.

That may be the most important finding in the audit report on the Ethereum programming language Serpent that blockchain security company Zeppelin Solutions released last week. The audit identified dozens of issues in the language, including eight critical vulnerabilities.
Two months ago, Augur, an Ethereum-based prediction market, hired Zeppelin to audit the language. Augur holds nearly $2 million worth of tokens in smart contracts written in Serpent, so the company had good reason to worry about the security of this long-standing language.

Augur is one of the earliest Ethereum projects, and Serpent was the main smart contract language available when its tokens were written. Shortly afterwards, however, Solidity was introduced and replaced Serpent as the mainstream smart contract programming language, and Serpent was set aside.

Even so, Augur CEO Joey Krug said that almost no public warnings had been issued about any issues that could prevent Serpent from executing code as expected.

He told CoinDesk:

“Nobody has come forward to show that Serpent is insecure or that it has been compromised, but the language is not so popular.”

Although Augur had planned to migrate to another smart contract language at some point in the future, the audit findings essentially forced the project to migrate as soon as possible. After Zeppelin informed Augur of the security issues involved, Augur quickly moved its REP to a secure ERC-20 token written in Solidity.
“Poor quality” and “flawed”

For those who want to know what was found, Zeppelin Solutions describes the audit results in detail in its 36-page report.

In a blog post, Zeppelin called the Serpent project “poor quality” and “flawed”, and warned developers not to use the language until many of its critical issues have been resolved.

The news immediately prompted Ethereum founder Vitalik Buterin to tweet that the language is “technologically out of date” and to warn that it lacks adequate “security measures”.

For Augur, one of the most critical Serpent vulnerabilities would have allowed an attacker to change the creation date of the REP tokens, in effect freezing the token supply.

Krug said:

“You can make the contract think that it has not actually been created yet, so basically no transfer can be made.”

Krug said that if Serpent had had only one problem, he would have been happy to fix the code and keep using the language. The audit, however, found too many problems.

Instead, following the migration path outlined by Zeppelin, Augur rewrote its REP token in Solidity and deployed it as a new ERC-20 contract on Ethereum. It then effectively exploited the vulnerability in its own Serpent smart contract to freeze the REP tokens, and moved the frozen REP to the new contract.

In another blog post, Zeppelin strongly urged Ethereum projects still using Serpent to follow a similar migration path and move their tokens to more secure Solidity contracts.
More attention needed

The Serpent language and compiler were written by Buterin. In fact, code written entirely by one person is a likely reason these problems exist in Serpent.

Zeppelin wrote in the report:

“Less attention to the code means that fewer vulnerabilities will be noticed.”

Zeppelin also pointed out that in the two years since October 2015 the Serpent code base has seen few commits. Moreover, almost no one uses Serpent now, so problems in the code are rarely found or fixed.

Solidity, on the other hand, was written by a team led by Ethereum co-founder Gavin Wood. Because Solidity is more widely used and more actively developed than Serpent (Zeppelin's figures show 30 times as many pull requests, 20 times as many commits and 8 times as many code contributors), the newer language is less likely to suffer the same problem.

As for which language developers should use to replace Serpent, Zeppelin's report says Solidity is the best alternative available today. The report also suggests that developers consider Serpent's successor language, Viper, noting that Viper looks “better than” Serpent. On Twitter, however, Buterin advised developers not to use Viper for now, until it has passed an external audit.
What about auditing Solidity?

Perhaps the more worrying point raised by Zeppelin's review of the Serpent compiler, however, is that Solidity itself has never been audited. Given that millions of dollars in tokens are managed by smart contracts written in Solidity, some people, including Krug, are troubled by the news.

Adding to the concern about Solidity, shortly before Zeppelin released its compiler audit, the Parity wallet was hacked through a vulnerability in its own code and $30 million in cryptocurrency was stolen. The flaw allowed the attacker to turn three multi-signature wallets into wallets requiring zero signatures and withdraw the funds.

After the attack, Parity wrote in a blog post that Solidity bears part of the blame, saying that “part of the responsibility for this vulnerability lies with the Solidity language, whose current version makes it difficult to understand how a function's authority is implemented.”

A year earlier, an even larger Ethereum theft had occurred, when a hacker exploited a flaw in Solidity code belonging to a project called The DAO and stole $50 million worth of the currency. The loss was so large that the developers behind Ethereum hard-forked the protocol to roll back the transaction history.

Software code audits are mandatory in many critical industries, and Zeppelin CEO Demian Brener argues that smart contract code requires the same process.

He wrote in a message to CoinDesk:

“Given the number of vulnerabilities found in Serpent, we believe that compiler review and code review should be best practice.”

He added that Zeppelin is currently in discussions with the Ethereum Foundation to make this happen.

Krug, meanwhile, summed up his view of the incident:

“In general, there are more things that need to be audited.”
