[sunshine-o]

Smart contracts are fundamentally a business technology where money is hosted & manipulated natively on the platform. This is pretty awesome & could be very dirsuptive.

The problem is at least in ecosystems such as Ethereum you have a single line of defense, your smart contract code. And that code is written in a poor language with very little security features.

Worst if something go wrong you can maybe pause, suicide your contract before your money is gone (what goes again the very principle of the platform) or if you are lucky & worked very hard on this you might have the chance to upgrade your contract.

The result is any contract being used seriously need to go through a long & very expensive by one of the few serious company is this field.

For now the Ethereum project have been very focused on solving the scalability & decentralization problem but my guess is without big progresses on the smart contract security & developer experience front no serious actor will ever consider adopting the platform.

[jjordan]

There is a thriving community of security researchers and engineers in the smart contract auditing space.

Services like code4rena (https://code4rena.com/) and sherlock (https://www.sherlock.xyz/) make audits a public and competitive process with leaderboards that track the best of the best. Naturally those that rise to the top of these leaderboards tend to end up offering boutique auditing services due to projects wanting audits from the best of the best in the business.

Trust (a pseudo-anonymous auditor's handle) launching Trust Security (https://www.trust-security.xyz/) is a perfect example of someone who turned public contest success into a highly sought after auditing firm. There are other examples, but overall smart contract security is undeniably improving over time.

[sunshine-o]

Yes but as you see on code4rena the cost of an audit is about $100k.

What is ballpark what a company would pay to have a security audit of their website or network for example. So I would guess Ethereum has become an "Enterprise" technology because of the prohibitive cost of security of its applications?

From what understood originally, blockchain & Ethereum aimed removing those actors like banks who can afford high cost of licenses, compliance & security of complex systems.

Meaning you could write and execute your will without a lawyer and a court system, or write a smart contract to manage a condominium and its treasury with the other landlords (a $100k audit is out of the question for those use cases).

We are hearing less and less about those use cases and talk more and more about "Enterprise Ethereum" (https://ethereum.org/en/enterprise/) as we find out that developing for the platform will be as complex & expensive as for a big corporation.

[kaycey2022]

But none of the players involved are "landlords". The 100k etc is just the figure they are charging for their services. It isn't mandatory that you get a security audit. You can just go ahead without it.

Whereas if you want to get those conventional licenses you have to go through mandatory licensing. This means there is unlikely to be a regulatory capture that would introduce licensing terms that would prohibit new players from coming in.

That is objectively a good thing.

[Veserv]

But does it work?

Do any of the audits ever come back clean i.e. no detected defects?

Are those audits actually serious and representative of the resources available to a profitable attack? Many smart contracts manage millions, tens of millions, hundreds of millions and up in value. Do they actually do multi-year audits with a team of 5 that come back clean?

Do they seriously believe and publicly state their design processes are better than the best IT systems by Google, Apple, Amazon, NSA, FBI, etc.? Because those organizations can not get clean audits against red teams with multiple people and a few years to work.

That would be a extraordinary claim, do they have the extraordinary evidence to back up that claim? Do they even have any verifiable evidence at all to back up that claim other than more marketing drivel?

If the answer to all of that is not yes, then it all sounds like a house of cards and just more “security” bullshit to me.

[jjordan]

Audits are performed as a due diligence before actually launching the product or service that will utilize it. The audit is a collaborative process between the auditing team (or contest participants, in this case), and the developer of the smart contract. Contestants are rewarded financially for finding exploitable issues, with unique criticals (i.e. exploits that lose customer funds or otherwise fundamentally breaks the intended behavior of the contract) paying the most. AFAIK no public Codearena or Sherlock audit has had a critical vulnerability exploited after a contest was completed.

It would be hard to compare the smart contract auditing ecosystem with audits of internal processes at those entities you mentioned, because the problem being solved is fundamentally different. Google, Amazon, et. al. are protecting access to information stored in data centers, whereas smart contracts are at most a few thousand lines of code that needs to work as intended, without clever hackers finding a way to exploit them.

[Veserv]

So, no. Lots of “process”, words, and gamification, but no results and no evidence of actual robust security at the necessary multi-million dollar level.

Looking at the leaderboard [1] it looks like the pay out is a few thousand dollars for a “steal all the money” defect. These companys literally want to manage millions of dollars, yet it regularly costs only a few thousand dollars in developer time to steal all the money. And these are the good companys doing audits.

What a joke. It is worse than XP, but at least Microsoft knew they were a laughing stock.

[1] https://code4rena.com/leaderboard

[WinstonSmith84]

Yes you're right, there are very talented companies, but that's actually what the OP has been saying... These companies exist because of the language. No language is perfect but Solidity is very imperfect to say the least

These challenges are very interesting https://ethernaut.openzeppelin.com/. The thing is, almost none of these hacks could be possible, if Solidity would be better

[latchkey]

You're literally commenting on a post that is a reference to a website that is trying to encourage a higher level of security in smart contracts. People are working on solving this issue.

[trompetenaccoun]

It's a misunderstanding that smart contracts are just about money. What you have in essence is decentralized verifiable computation, which can and often is used for finance stuff, but isn't limited to that at all.

[zx8080]

> decentralized verifiable computation

Wasn't Ethereum centralized after switching to Proof-of-Stake?