The current security situation in web3
The basic design paradigm of web3 is that we should build systems that are open and self-supporting, where everyone "pays their way", rather than having corporate-sponsored infrastructure and walled gardens. This tradeoff means that security doesn't get to be "someone else's problem": if these resources are shared and not proprietary, that means it's everyone's problem.
To be clear, security threats exist on a number of levels in web3; if you missed it, take a look at our article on LavaMoat and Snow, two projects from MetaMask's security researchers which address supply chain attacks and security issues inherent in how browsers handle windows, respectively.
There are huge issues to be solved surrounding user education, and how private keys and Secret Recovery Phrases are managed. Most people struggle to grasp self-custody and the power of private keys, and are easily swindled out of their funds by someone posing as a helpful stranger--or a helpful Customer Support agent.
But the most attention-grabbing security issues in web3 are, broadly speaking, smart contract exploits. These consist of someone figuring out how to manipulate one or more smart contracts in order to extract what are often eye-watering amounts of money.
If you're building a smart contract, you need to be sure that it's safe. Solidity is still a young language, and the unfortunate truth is that we are collectively learning, the hard way, which design paradigms are secure and which ones have fatal flaws.
How did we get here?
If this topic seems important to you, but it's feeling a bit over your head, don't worry. There's a lot here to catch up on, and with the exception of maybe two dozen people in the world, we're all new to crypto at some point.
There are two articles that dive straight into this world, and give a great sense of what this is like in practice:
- Ethereum is a Dark Forest, by Dan Robinson and Georgios Konstantopoulos
- Flashbots: Frontrunning the MEV Crisis, by Alex Obadia
While the two pieces are written by different authors, the second one picks up where the first one left off, and paints a mural-sized picture of the Ethereum security research space.
What you can do about it
The good news is that a number of projects are trying to build tooling for developers to help them avoid these scenarios. Consensys' Diligence, a top-notch team of Solidity engineers who specialize in smart contract audits, have also produced a series of resources to help you along your way.
A question of leaderboards
Regardless of whether you use one, all, or none of these resources, you should get your contracts audited, and once you do, make sure you follow the auditor's recommendations; you'd rather be on Diligence's Public Audits board than on the Rekt Leaderboard.
Scribble out some smart contracts, and make sure they get fuzzy
At the risk of downplaying how freaking cool the tech behind it is, Scribble is a framework that enables you to test the properties of your Solidity code. Fuzzing is a process that tests those properties, and sees what conditions might cause security issues involving your code.
Getting into the details a little bit, you feed your Solidity code into Scribble.
Scribble converts this into instrumented code, which allows for various fuzzing tools to check the properties of the code, and see what kind of scenarios, if any, will produce a result you didn't intend.
And what you get on the other end is a helpful report indicating the kinds of issues you may be looking at with your code.
The tool that MythX uses under the hood is called Mythril, and you can take a look at the GitHub repo for it here. If you have questions about Mythril, or want to know how it works, you're always welcome in the Discord server.
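To make "properties" concrete, here is an added example (not from the original article or from Diligence's own code) of Solidity annotated for Scribble. The `SimpleToken` contract and all of its names are constructed for illustration; the `#if_succeeds` comments are the properties that the instrumented code checks while a fuzzer drives the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: a minimal token used only to show Scribble annotations.
contract SimpleToken {
    mapping(address => uint256) private _balances;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        _balances[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    function balanceOf(address owner) external view returns (uint256) {
        return _balances[owner];
    }

    /// #if_succeeds {:msg "sender had enough balance"} old(_balances[msg.sender]) >= value;
    /// #if_succeeds {:msg "transfer preserves the combined balance"} old(_balances[msg.sender]) + old(_balances[to]) == _balances[msg.sender] + _balances[to];
    /// #if_succeeds {:msg "a self-transfer changes nothing"} to == msg.sender ==> _balances[to] == old(_balances[to]);
    function transfer(address to, uint256 value) external returns (bool) {
        require(_balances[msg.sender] >= value, "insufficient balance");
        // Update storage directly. Writing back balances that were cached
        // before the first update would break the second and third
        // properties when to == msg.sender, which is exactly the kind of
        // input a fuzzer tends to find.
        _balances[msg.sender] -= value;
        _balances[to] += value;
        return true;
    }
}
```

Each property is written against the function's pre-state (`old(...)`) and post-state, so a violation reported by the fuzzer points at a specific rule the code failed to uphold rather than at a generic crash.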
Full Mythril Jacket
Diligence's Fuzzing and Scribble tools are two battle-hardened tools that are available to you in the adversarial, yet open, yet collaborative, world of smart contract development. As you move forward in your journey in Ethereum's dark forest, it might be dangerous; you should take these tools with you:
- The Diligence Graphviz Interactive Preview plugin for VSCode
- The Diligence Vyper plugin for VSCode, for those writing smart contracts in Vyper
- Sūrya, The Sun God: A Solidity Inspector, by Diligence's Gonçalo Sá
- This whole bandolier of security tools
- A way to contact friends with a particular set of skills