Share this page!

Evan Cheng (See https://jobs.lever.co/mystenlabs) Profile picture
Twitter logo
Feb 4 12 tweets 4 min read
Many people have posted great explanations of the Wormhole exploit. This is not another breakdown of the attack. Instead, let's talk about smart contract auditing vs. verification.
#Crypto #web3 #Wormhole #SmartContracts
1/x
By and large, smart contract developers are being responsible - following best security practices, using the best dev tools, and making sure their contracts are audited before deployment. But is trusting auditing as the last line of defense the right approach?
2/x
We all know how important it is to keep commits small since it's hard to reason about a large body of code. Auditors have to understand and probe the entire system. Given it's very much a human-in-the-loop process, it's not surprising auditing is a long and expensive process.
3/x
It must be frustrating for developers to deal with smart contract auditing. It adds an additional step to the development process. Developers are not in control of the deployment schedule. It's expensive and not a guarantee.
4/x
And auditing is fundamentally limiting the growth of the ecosystem. @Mysten_Labs' mission is to bring 10 million developers into web3. If they are all dependent on auditing, how many auditors are needed?! This is not scalable.
5/x
Can the process be automated? Not currently. It's not easy to build a fully statically analyzable programming language. Solidity has dynamic features that have been exploited repeatedly. Rust is a complex language. Verification tools exist. But they are not perfect.
6/x
We believe using math to prove contract correctness is the right path. It shifts the burden from a system-wide, human-in-the-loop, imprecise practice to a process that is 1) automated, 2) can be integrated into CI flow. So, what is the state of art today?
7/x
Imagine a flow where a smart contract developer carefully turn code comments into specifications in their program - local (function) / global (module) pre and post conditions, invariants, etc.
8/x
The formal verification tool would inform the developer whether the code is provably correct. And if it's not, it will spit out anti-examples to help the developer correct their code. This flow would significantly reduce the auditing overhead. Fewer exploits. More developers!
9/x
What if the specifications are wrong or absent? Ultimately developers must employ secure programming practices. There is a need for experts to help new developers write comprehensive specifications. The good thing is it fits perfectly in the incremental development process.
10/x
While at Novi Research, we spent a lot of energy designing the Move language and the Move prover. The co-design approach ensures the all the Move programs are formally verifiable. This will be a critical piece for everything @Mysten_Labs builds.
11/x
Take a look at the keynote by our esteemed colleague Prof. David Dill. Here is the paper www-cs.stanford.edu/~yoniz/cav20.p… if you want to learn more about the science.
/fin

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Evan Cheng (See https://jobs.lever.co/mystenlabs)

Evan Cheng (See https://jobs.lever.co/mystenlabs) Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @EvanWeb3

Evan Cheng (See https://jobs.lever.co/mystenlabs) Profile picture
Dec 6, 2021
Gm. Very proud to share Mysten Labs official launch with everyone. 1/
First, let us introduce ourselves. The founding team came from Novi Research, where we led R&D efforts for the Diem network, e.g., Move smart contract platform, consensus, and many cryptography efforts.
2/
What you may not know, we have done extensive work beyond what you see in DiemCore. New protocols and new system designs will change the blockchain paradigm. We are launching Mysten Labs to bring these technologies to the broader web3 ecosystem.
3/
Read 10 tweets
Evan Cheng (See https://jobs.lever.co/mystenlabs) Profile picture
May 23, 2021
Crypto market is dumping. But it won't stop those of the forward looking builders to keep going!

Novi Research (Facebook) is hiring! We are staffing up to build blockchain / crypto products.

1/3
We are currently in SF Bay Area, Seattle, and London. But we are opening up positions in many US and European locations. Remote positions are available too!

2/4
Ok. I'm really bad at this tweet thread thing. This thread is going to be longer than 3 or 4. Please excuse the bad numbering 😂.

3/x
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Like this author's thread?

Get emails when @EvanWeb3 has new unrolls!

Check out other threads from @EvanWeb3!

Read all threads by @EvanWeb3

:(