CryptoJesus @robbiebent1, 16 tweets
1) Collaboration is @ethereum's major strength. In four months, the ETHSecurity community has grown to 138 members with auditors, DAPPs, opsec experts, researchers and @ethprize and @ethereumecf
2) The first ETHSecurity meetup is Sept 6th @ETHBerlin to review secure development guidelines, tools and OWASP like models. Huge thanks to @captnseagraves, @fubuloubu, @rhygate, @hackdomETH, @Corpetty for all the hard work and execution!
3) Some personal learnings from the ETHSecurity interviews:

Security audits are not a statement that code is safe. The outcome of an audit is that you learn about the code you wrote and your code does what you want it to

cc @dguido
4) If you don’t put in a mechanism for upgrades - you’re toast. Upgradability is becoming an industry standard and minimizes the risk there will be a flaw in the system

cc @izqui9 , @sohkai
5) We need a Common Vulnerability Database for smart contracts to track and disclose issues cve.mitre.org -- it can be done decentralized, autonomously, and on a blockchain (could be a great hackathon project) --

cc @__Tux
6) Remix is the most helpful tool for auditors. It’s rare that you have something that allows you to look at the entire code base, compile it, test it and debug it

cc @cryptodavidw
7) Tools guide you to the places that need more attention, but will never supersede manual review

cc @maurelian_
8) A package manager would be a big milestone for crypto. We see code reuse done with “copy paste” - a version is copied at some point in time and all the community security updates are missed

cc @maraoz
9) There is a tendency to hire offensive security like pen testing and code audits. Have somebody security focused writing code right from the design phase.
cc @find_evil
10) We're excited about languages that offer a subset of Solidity functionality preventing certain kinds of mistakes. Programming smart contracts is akin to C but should be closer to Rust.
cc @PolySwarm
11) We need to make it easier for developers to code with security in mind -- Threat modelling and concrete examples of vulnerabilities like OWASP are needed to better understand security
cc @mhswende
12) We created a bug prediction market to provide incentives to find bugs post audit. Auditors can stake their reputation for a period of time to provide accountability
cc @SolidifiedHQ
13) We are building a service where you can see all the smart contracts which have been audited by a security specialist. You can check which contracts were audited, and if the bugs found were actually fixed.
cc @jakublipinski
14) The only real metric we have for how secure a certain practice is, is how much money a contract holds and how long it has been on the mainnet. - cc @Corpetty
15) Auditing requires craftsmanship and can’t be automated yet -- start by manually testing overflows, safemath, send problems, verifying loops and follow entire implementation
cc @clesaege
16) Thanks to @captnseagraves and @hackdomETH for leading the ETHSecurity interviews. There will be a report released along with the transcripts from all the interviews if you want to learn more!
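Two of the manual checks listed in tweet 15 (integer overflow without SafeMath, and ignored send return values) side by side with their hardened form, as an added example that is not part of the thread or of any project mentioned in it. The contract names, the inlined minimal SafeMath library and the pre-0.8 compiler pragma are assumptions made for this illustration; real projects use the OpenZeppelin SafeMath library rather than an inlined copy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6; // pre-0.8 compiler: arithmetic wraps silently, which is why SafeMath exists

// Minimal SafeMath inlined for this example (assumed; projects use OpenZeppelin's).
// Every operation reverts instead of wrapping.
library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction underflow");
        return a - b;
    }
}

// "Before": the defects an auditor would flag on a first manual pass.
contract UncheckedVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function transfer(address to, uint256 amount) external {
        // No balance check: if amount > balance the subtraction wraps to roughly 2**256,
        // crediting the sender with an enormous balance.
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        // send() forwards 2300 gas and returns false on failure instead of reverting.
        // The result is ignored, so a recipient whose fallback cannot run in 2300 gas
        // is debited without ever receiving the ether.
        msg.sender.send(amount);
    }
}

// "After": the same contract with the checks in place.
contract CheckedVault {
    using SafeMath for uint256;

    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] = balances[msg.sender].add(msg.value);
    }

    function transfer(address to, uint256 amount) external {
        // sub() reverts when amount exceeds the balance; wrap-around is impossible.
        balances[msg.sender] = balances[msg.sender].sub(amount);
        balances[to] = balances[to].add(amount);
    }

    function withdraw(uint256 amount) external {
        // Checks-effects-interactions: update state before the external call, then
        // require the call to have succeeded so a failed transfer reverts the debit.
        balances[msg.sender] = balances[msg.sender].sub(amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ether transfer failed");
    }
}
```

When reviewing by hand, the pattern to look for is the one the unchecked contract shows: any `+=` / `-=` on a user-controlled amount without a preceding `require`, and any `send()` or low-level `call` whose boolean result is not checked.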