How to develop secure and optimized blockchain smart contracts? – 5 rules | Nextrope Academy

Paulina Lewandowska

10 Oct 2022
How to develop secure and optimized blockchain smart contracts? – 5 rules | Nextrope Academy

Why is the security of smart contracts important?

Smart contracts are a major part of applications based on blockchain technology. In the development process of smart contracts, we should maintain the highest security standards because of factors such as:

  • in many systems, they are responsible for the most critical functionality, the incorrect operation of which can be associated with a number of very unpleasant consequences, including irreversible loss of funds, a logical error ruining the operation of the entire application/protocol,
  • a smart contract that has already been published on the web cannot be modified. This feature means that bugs and vulnerabilities that are diagnosed after the contract is launched productionally cannot be fixed. (There is an advanced technique to create "upgradeable contracts," which allows the contract logic to be modified later, but it also has a number of other drawbacks and limitations that do not relieve the developer from writing secure code. For the purposes of this article, we will skip a detailed analysis of this solution).
  • The source code of most contracts is publicly available. It is good practice to publish the source code in services such as Etherscan which significantly increases the credibility of the application data or defi protocols. However, making the code publicly available entails that anyone can verify such code for security, and use any irregularities to their advantage.

Learning to write secure smart contracts is a process that requires learning many advanced aspects of the Solidity language. In this article, we will present 5 tips to simplify this process and secure our software from the most common mistakes.

1. Accurate testing of smart contracts

The first, and at the same time the most important factor that allows us to verify that our contract works properly is writing automated tests. The testing process usually allows us to reveal various security gaps or irregularities at an early stage of development. Another advantage of automated tests is protection against code regression, i.e. a situation when during implementation of new functionalities bugs are created in previously written code. In such tests we should check all possible scenarios, 100% code coverage with tests should not be a goal in itself, but only a measure to help us make sure that tests scrupulously check every method on our contract.

2. Configuration of additional tools

It is worthwhile to make use of tools that are able to measure and check the quality of the software we provide. Tools you should use in your daily work are:

  • A plugin for measuring code coverage e.g. solidity-coverage. Expanding on the thought from the first point that code coverage should not be an end in itself, it is nevertheless worth having such analytics in the testing process. By analyzing code coverage with tests, we are able to easily see which code fragments require us to write additional tests.
  • Framework for static code analysis e.g. slither, mythril. These are tools that, with the help of static analysis, are able not only to point out places in our code where a vulnerability exists, but also to offer a number of tips. Following these tips can improve not only the security, but also the quality of our software.

3. Openzeppelin smart contract library

There are many libraries and ready-made contracts that have been prepared for later use by developers of blockchain applications. However, each of these libraries needs to be verified before use to see if it has any vulnerabilities. The most popular library at the moment is openzeppelin. It is a collection of secure, tested smart contracts used in many of DeFi's most popular protocols such as uniswap. It allows us to use the most commonly used implementations of ERC (Ethereum Request For Comments) standards and reusable contracts.

The library has a large range of components that can be used to implement the most popular functionalities on the smart contract side. I will give two applications of the library as examples. However, we believe it is worth exploring all the capabilities and contracts that are provided there.

  • Ownable and AccessControl extensions

These extensions allow us to very easily add access control to functions that, according to business requirements, should only be available for execution to authorized addresses. An example from the documentation showing the use of the Ownable extension in practice:

pragma solidity ^0.8.0;
 
import "@openzeppelin/contracts/access/Ownable.sol";
 
contract MyContract is Ownable {
    function normalThing() public {
        // anyone can call this normalThing()
    }
 
    function specialThing() public onlyOwner {
        // only the owner can call specialThing()!
    }
}

As you can see, using the openzeppelin library is not only very easy, but also allows you to write more concise code that other developers can understand.

  • Implementations of the popular token standards ERC-20, ERC-721 and ERC-1155

Many decentralized applications and protocols are based on ERC-20 or NFT tokens. Each token must have an implemented interface that works according to the specification. Implementing a token entirely on your own is associated with a high risk of error, so our token may have security holes or problems with operation on various exchanges and wallets. With the help of openzeppelin library we are able to prepare a standard, functional token and enrich it with the most popular extensions with little effort. A good place to start is the interactive token configurator in the openzeppelin documentation, it allows us to generate token source code that will meet functional requirements and security standards.

4. Using new versions of the Solidity language

An important safety tip is that projects should use new versions of the Solidity language. The compiler requires us to include Solidity version information at the beginning of each source file with a .sol extension:

pragma solidity 0.8.17;

Along with new versions of the language, new features are introduced, but in addition to this, it is also important that fixes are added to various kinds of known bugs. A list of the bugs found in each version can be found in this file. As you can see, with newer versions of the language the number of bugs decreases and is successively fixed.

The language's developers in the official documentation also recommend using the latest version in newly implemented smart contracts:

When deploying contracts, you should use the latest released version of Solidity. Apart from exceptional cases, only the latest version receives security fixes”.

5. Learning from other people's mistakes

An essential factor for delivering secure software is the sheer knowledge of the advanced aspects of the Solidity language, as well as awareness of potential threats. In the past, we have witnessed many vulnerabilities where multi-million dollar assets fell prey to the attacker. Many examples of such incidents can be found on the Internet, along with detailed information on what mistake was made by the developers and how it could have been prevented. An example of the above is an article explaining the "reentrancy" attack, with the help of which the attacker stole $150 million worth of ETH. The list of possibilities for attacking smart contracts is definitely longer, so it is worth reading the list of the most popular vulnerabilities in Solidity. A good way to learn security is also to take on the role of an attacker, for this purpose the Ethernaut service is worth a look. There you will find a collection of tasks involving hacking various smart contracts, these tasks will help consolidate previously acquired security knowledge and learn new advanced aspects of the Solidity language.

Summary

In conclusion, software security of decentralized applications is a very important, but also difficult issue requiring knowledge of not only the programming language itself. Also required are testing skills, a willingness to constantly explore the topic of smart contract vulnerabilities, knowledge of new libraries and tools. This topic is vast and complicated and the above 5 points are just guidelines that can help improve the security of our code and with the associated learning. Also take a look at other articles in the Nextrope Academy series, where we take a closer look at other technical issues.

Tagi

Most viewed


Never miss a story

Stay updated about Nextrope news as it happens.

You are subscribed

Aethir Tokenomics – Case Study

Kajetan Olas

22 Nov 2024
Aethir Tokenomics – Case Study

Authors of the contents are not affiliated to the reviewed project in any way and none of the information presented should be taken as financial advice.

In this article we analyze tokenomics of Aethir - a project providing on-demand cloud compute resources for the AI, Gaming, and virtualized compute sectors.
Aethir aims to aggregate enterprise-grade GPUs from multiple providers into a DePIN (Decentralized Physical Infrastructure Network). Its competitive edge comes from utlizing the GPUs for very specific use-cases, such as low-latency rendering for online games.
Due to decentralized nature of its infrastructure Aethir can meet the demands of online-gaming in any region. This is especially important for some gamer-abundant regions in Asia with underdeveloped cloud infrastructure that causes high latency ("lags").
We will analyze Aethir's tokenomics, give our opinion on what was done well, and provide specific recommendations on how to improve it.

Evaluation Summary

Aethir Tokenomics Structure

The total supply of ATH tokens is capped at 42 billion ATH. This fixed cap provides a predictable supply environment, and the complete emissions schedule is listed here. As of November 2024 there are approximately 5.2 Billion ATH in circulation. In a year from now (November 2025), the circulating supply will almost triple, and will amount to approximately 15 Billion ATH. By November 2028, today's circulating supply will be diluted by around 86%.

From an investor standpoint the rational decision would be to stake their tokens and hope for rewards that will balance the inflation. Currently the estimated APR for 3-year staking is 195% and for 4-year staking APR is 261%. The rewards are paid out weekly. Furthermore, stakers can expect to get additional rewards from partnered AI projects.

Staking Incentives

Rewards are calculated based on the staking duration and staked amount. These factors are equally important and they linearly influence weekly rewards. This means that someone who stakes 100 ATH for 2 weeks will have the same weekly rewards as someone who stakes 200 ATH for 1 week. This mechanism greatly emphasizes long-term holding. That's because holding a token makes sense only if you go for long-term staking. E.g. a whale staking $200k with 1 week lockup. will have the same weekly rewards as person staking $1k with 4 year lockup. Furthermore the ATH staking rewards are fixed and divided among stakers. Therefore Increase of user base is likely to come with decrease in rewards.
We believe the main weak-point of Aethirs staking is the lack of equivalency between rewards paid out to the users and value generated for the protocol as a result of staking.

Token Distribution

The token distribution of $ATH is well designed and comes with long vesting time-frames. 18-month cliff and 36-moths subsequent linear vesting is applied to team's allocation. This is higher than industry standard and is a sign of long-term commitment.

  • Checkers and Compute Providers: 50%
  • Ecosystem: 15%
  • Team: 12.5%
  • Investors: 11.5%
  • Airdrop: 6%
  • Advisors: 5%

Aethir's airdrop is divided into 3 phases to ensure that only loyal users get rewarded. This mechanism is very-well thought and we rate it highly. It fosters high community engagement within the first months of the project and sets the ground for potentially giving more-control to the DAO.

Governance and Community-Led Development

Aethir’s governance model promotes community-led decision-making in a very practical way. Instead of rushing with creation of a DAO for PR and marketing purposes Aethir is trying to make it the right way. They support projects building on their infrastructure and regularly share updates with their community in the most professional manner.

We believe Aethir would benefit from implementing reputation boosted voting. An example of such system is described here. The core assumption is to abandon the simplistic: 1 token = 1 vote and go towards: Votes = tokens * reputation_based_multiplication_factor.

In the attached example, reputation_based_multiplication_factor rises exponentially with the number of standard deviations above norm, with regard to user's rating. For compute compute providers at Aethir, user's rating could be replaced by provider's uptime.

Perspectives for the future

While it's important to analyze aspects such as supply-side tokenomics, or governance, we must keep in mind that 95% of project's success depends on demand-side. In this regard the outlook for Aethir may be very bright. The project declares $36M annual reccuring revenue. Revenue like this is very rare in the web3 space. Many projects are not able to generate any revenue after succesfull ICO event, due to lack fo product-market-fit.

If you're looking to create a robust tokenomics model and go through institutional-grade testing please reach out to contact@nextrope.com. Our team is ready to help you with the token engineering process and ensure your project’s resilience in the long term.

Nextrope Partners with Hacken to Enhance Blockchain Security

Miłosz

21 Nov 2024
Nextrope Partners with Hacken to Enhance Blockchain Security

Nextrope announces a strategic partnership with Hacken, a renowned blockchain security auditor. It marks a significant step in delivering reliable decentralized solutions. After several successful collaborations resulting in flawless smart contract audits, the alliance solidifies the synergy between Nextrope's innovative blockchain development and Hacken's top-tier security auditing services. Together, we aim to set new benchmarks, ensuring that security is an integral part of blockchain technology.

Strengthening Blockchain Security

The partnership aims to fortify the security protocols within blockchain ecosystems. By integrating Hacken's comprehensive security audits with Nextrope's cutting-edge blockchain solutions, we are poised to offer unparalleled security features in our projects.

"Blockchain security should never be an afterthought"

"Our partnership with Hacken underscores our dedication to embedding security at the core of our blockchain solutions. Together, we're building a safer future for the industry."

said Mateusz Mach, CEO of Nextrope

About Nextrope

Nextrope is a forward-thinking blockchain development house specializing in creating innovative solutions for businesses worldwide. With a team of experienced developers and blockchain experts, Nextrope delivers high-quality, scalable, and secure blockchain applications tailored to meet the unique needs of each client.

About Hacken

Hacken is a leading blockchain security auditor known for its rigorous smart contract audits and security assessments. With a mission to make the industry safer, Hacken provides complex security services that help companies identify and mitigate vulnerabilities in their applications.

Looking Ahead

As a joint mission, both Nextrope and Hacken are committed to continuous innovation. We look forward to the exciting opportunities this partnership will bring and are eager to implement a more secure blockchain environment for all.

For more information, please contact:

Nextrope

Hacken

Join us on our journey to deliver top-notch blockchain tech and a safer future for the industry!