Coding smart contracts has sometimes been compared to coding for critical infrastructure, such as the national grid, because millions and even billions can be lost if the network doesn’t agree to fork the theft or bug.
The field is a fascinating space where some of the smartest people on earth work on new frontiers, giving us such scenes like in February when a hacker hacked a hacker who was trying to hack his honeypot smart contact.
Then there are other scenes where a noob goes around pressing buttons and boom “I accidentally killed it.” So freezing hundreds of millions.
Absolute security for a smart contract, therefore, is by far the number one priority. But considering just how hard that is, a new study published some surprising results.
Thorough code analysis of 970,898 contracts through new techniques found only 3.4% of them, or 34,200, had publicly known and publicly unknown vulnerability types.
Those types were classified in three categories, smart contracts that “lock funds indefinitely, leak them carelessly to arbitrary users, or can be killed by anyone.”
Either of those bug types can in effect burn the funds, so even 0.1% of smart contracts having them is arguably too much. But within such smart contracts there are all sorts, including honeypot ones that intentionally place what appears to be bugs to in effect steal money from thieves.
“The number of contracts has increased tenfold from Dec, 2016 to Dec, 2017 and 176- fold since Dec, 2015,” the study says. Moreover:
“The distribution of Ether balance across contracts follows a skewed distribution. Less than 1% of the contracts have more than 99% of the Ether in the ecosystem.”
So many of these contracts with vulnerabilities might even be test contracts or abandoned contracts, but of course sometimes it is a decent project.
Yet it is somewhat surprising that 940,000 contracts would be classified as safe by this study considering the whole field is barely two years old.
That might be because a lot of work has gone into formally verifying smart contracts and into assuring their highest level of security since at least 2016. Not least because developers are now aware a mistake can be very costly financially.
That’s especially the case as all of this is public, so the exploitation field is global. Which means one can deduce with time passing that without an exploit the smart contract is safe.
There could also potentially be mechanisms within the smart contract itself to reverse certain actions as the field remains still very new and very much in development.
Which perhaps suggests absolute security for smart contracts might not be far away considering so few appear to be vulnerable at this early stage.