In the world of crypto, a battlefield often plagued by malicious hackers and careless developers, safety and security are often taken for granted. In this interview at the International Blockchain Conference in Hyderabad 2018, BTCManager spoke to Hartej Sawhney, co-founder of security firm Hosho, about the current state of smart contracts and blockchain security.
Sawhney is one of the rare participants exhibiting at the conference who was not there to pitch his ICO. He currently serves as the President of Hosho, a company which specializes in blockchain security analysis and smart contract auditing. His is the only business card of more than 100 at the conference to have a PGP key, making a bold statement about cybersecurity.
The security team at Hosho has observed over the course of one year that the quality of smart contracts has improved, and much of it is due to the accessibility of prewritten smart contracts and the education provided in the industry. However, most of the vulnerabilities and flaws they have found were not in the technical implementation but in the business logic.
Sawhney told BTCManager:
“It is perhaps potentially because of the gap between the people writing the white paper and the team implementing the smart contract. It’s important for the words in the white paper to be married to the code in the smart contract.”
Some interesting errors or vulnerabilities observed while auditing smart contracts were:
- Allocation: Though the white paper announced generation of 800 million tokens, the smart contract in question was only written to generate 320 million tokens.
- Infinite Token Generation: Smart contracts with a backdoor to generate infinite tokens.
- Centralized functionality: Use of centralized functionality in smart contracts, where founders with the genesis token had the power to delete tokens from any wallet. This is a concern to everybody, including exchanges, investors, governments, and lawyers. One such vulnerability was also discovered in a popular token with millions of dollars in market cap, and it was later fixed.
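The sketch below is an added example, not code from Hosho or from any audited contract. It shows a minimal token in which each of the three findings above is closed off by construction. The contract name, token name and `treasury` parameter are hypothetical; the 800 million figure is the white paper number from the allocation item.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: all identifiers here are hypothetical.
contract AuditedToken {
    string public constant name = "ExampleToken";
    uint8 public constant decimals = 18;

    // Allocation: the supply is a compile-time constant that an auditor can
    // compare directly with the figure stated in the white paper.
    uint256 public constant MAX_SUPPLY = 800_000_000 * 10 ** 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    // Infinite token generation: the whole supply is minted once, here.
    // There is no mint() function and no owner role, so supply cannot grow
    // after deployment.
    constructor(address treasury) {
        require(treasury != address(0), "zero treasury");
        totalSupply = MAX_SUPPLY;
        balanceOf[treasury] = MAX_SUPPLY;
        emit Transfer(address(0), treasury, MAX_SUPPLY);
    }

    function transfer(address to, uint256 value) external returns (bool) {
        require(to != address(0), "zero recipient");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // Centralized functionality: burning is limited to the caller's own
    // balance. The flawed pattern is a burn(address holder, ...) callable by
    // a privileged account, which lets it delete tokens from any wallet.
    function burn(uint256 value) external {
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        totalSupply -= value;
        emit Transfer(msg.sender, address(0), value);
    }
}
```

When reviewing a real token, the same three questions apply: does the supply constant match the white paper, which code paths can increase `totalSupply`, and can any account other than the holder reduce a balance.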
Exchanges can avoid being hacked by conducting regular penetration testing. Every time code changes, they are potentially opening doors to the outside world.
Sawhney recounted the CoinDash hack, in which an exchange was hacked for millions within 24 hours of its launch. The website was built with WordPress, which is highly insecure for a product like a cryptocurrency exchange. Hosho also estimates almost ten percent of the funds raised through ICOs are hacked or lost.
Finally, he explained that investments should go to products which value security and audits. Having more sophisticated engineers with a background in security and a quality assurance mindset is also a huge plus.