1) Collaboration is @ethereum's major strength. In four months, the ETHSecurity community has grown to 138 members with auditors, DAPPs, opsec experts, researchers and @ethprize and @ethereumecf
2) The first ETHSecurity meetup is Sept 6th @ETHBerlin to review secure development guidelines, tools and OWASP like models. Huge thanks to @captnseagraves, @fubuloubu, @rhygate, @hackdomETH, @Corpetty for all the hard work and execution!
3) Some personal learnings from the ETHSecurity interviews:
Security audits are not a statement that code is safe. The outcome of an audit is that you learn about the code you wrote and your code does what you want it to
cc @dguido
Security audits are not a statement that code is safe. The outcome of an audit is that you learn about the code you wrote and your code does what you want it to
cc @dguido
5) We need a Common Vulnerability Database for smart contracts to track and disclose issues cve.mitre.org -- it can be done decentralized, autonomously, and on a blockchain (could be a great hackathon project) --
cc @__Tux
cc @__Tux
6) Remix is the most helpful tool for auditors. It’s rare that you have something that allows you to look at entire code base, compile it, test it and debug it -
cc @cryptodavidw
cc @cryptodavidw
7) Tools guide you to the places that need more attention, but will never supercede manual review
cc @maurelian_
cc @maurelian_
8) A package manager would be a big milestone for crypto. We see code reuse done with “copy paste” - a version is copied at some point in time and all the community security updates are missed
cc @maraoz
cc @maraoz
9) There is a tendency to hire offensive security like pen testing and code audits. Have somebody security focused writing code right from the design phase.
cc @find_evil
cc @find_evil
10) We're excited about languages that offer a subset of Solidity functionality preventing certain kinds of mistakes. Programming smart contracts is akin to C but should be closer to Rust.
cc @PolySwarm
cc @PolySwarm
11) We need to make it easier for developers to code with security in mind -- Threat modelling and concrete examples of vulnerabilities like OWASP are needed to better understand security
cc @mhswende
cc @mhswende
12) We created a bug prediction market to provide incentives to find bugs post audit. Auditors can stake their reputation for a period of time to provide accountability
cc @SolidifiedHQ
cc @SolidifiedHQ
13) We are building a service where you can see all the smart contracts which have been audited by a security specialist. You can check which contracts were audited, and if the bugs found were actually fixed. -
cc @jakublipinski
cc @jakublipinski
14) The only real metric we have for how secure a certain practice is, is how much money a contract holds and how long it has been on the mainnet. - cc @Corpetty
15) Auditing requires craftsmanship and can’t be automated yet -- start by manually testing overflows, safemath, send problems, verifying loops and follow entire implementation
cc @clesaege
cc @clesaege
16) Thanks to @captnseagraves and @hackdomETH for leading the ETHSecurity interviews. There will be a report released along with the transcripts from all the interviews if you want to learn more!
