[currymj]

it's pretty hard to write even a simple smart contract that doesn't have horrible vulnerabilities. far harder, I would say, than writing C code that can't be buffer-overflowed on an old system with no protections in place. and solidity the language does NOT make this any easier. read all the resources you can. there are really counterintuitive best practices.

the reason for all these hacks is not stupidity or laziness of the developers. the EVM execution model just makes it very easy to write vulnerable code.

[heliumcraft]

Quite the exaggeration, this silly meme has to stop. You make it sound like writing even a hello world would have horrible vulnerabilities or something. There are thousands of perfectly safe contracts deployed, one can't take some isolated incidents and make such conclusions from such a small sample.

[nosuchthing]

  If the creator of Solidity, Gavin Wood, cannot write a 
  secure multisig wallet in Solidity, pretty much confirms 
  Ethereum is hacker paradise. 

[1] https://t.co/WAR3eltfWl

[2] https://www.cryptocoinsnews.com/hackers-seize-32-million-in-...

[heliumcraft]

That's tweet is factually incorrect.

Gavin Wood DID NOT write the change that caused that bug, he was not the assigned reviewer either. https://github.com/paritytech/parity/pull/3773

[nosuchthing]

Gavin Wood is the designer of solidarity and the founder of Parity.

https://en.wikipedia.org/wiki/Solidity

http://gavwood.com/

[yarrel]

Yes but that doesn't mean that they wrote this particular code. Authorship isn't transitive.

[heliumcraft]

I know who Gavin Wood is. The fact is he didn't write the change the tweet claimed.

[sillysaurus3]

There are thousands of contracts where no vulnerabilities have been discovered yet. Mostly because there are larger targets to go after.

It's not true to say that something is secure just because it hasn't been broken yet.

I agree with your call for balance, but it's unnecessary to jump to the opposite extreme.

[currymj]

maybe not a hello world, but even very rudimentary 20 LoC contracts for, say, keeping account balances can have reentrancy vulnerabilities when written in the obvious way. so your customer could just give themselves an infinite balance.

i don't think it's impossible to write secure smart contracts but it takes quite a bit of care even for simple stuff.

there are many issues that arise because your functions might be called by an adversary who has set up the stack in an evil way.

[edjere]

Agree with this, especially with the "it takes quite a bit of care even for simple stuff", but this should not discourage developers to do so. One of the reasons to build this kind of infrastructure is to set proper standards for smart contracts development which are currently missing. As long as we are aware that we need to be careful, and we raise the quality of the code and keep on developing tools to improve development as a whole things should keep on moving forward.