I'm an Independent, Strong, Crypto-Dev who don't need no Security Audit!

in #steemit, 8 years ago (edited)


There appears to be a culture among crypto devs of rejecting the standard practice, employed in the fiat world by technology companies that individually represent more than $1, of hiring third-party security companies to audit their software/sites.


Indeed, the God of Computer Science Vitalik Buterin, in his infinite IQ, needed not the counsel of some dusty researcher with 20+ years of experience on formal languages for smart contracts.


According to apocryphal sources, Young Vitalik was editing some HTML5 for a responsive website, when Jesus Crypto descended upon an air-cushion delivering this message: "You shall invent a language, Solidity. It shall thus, by definition, be solid. It shall be built in JavaScript's likeness."


Who was young Vitalik to ignore techno-divine instruction? And so Ethereum was built. 

And its duplicate in under a year.


I mean, when your organization makes $1,000,000+ from premined coins, you can't afford not to bootstrap. So it stands to reason that you shouldn't hire security researchers for several tens of thousands of dollars.


Indeed, so Stephen Tual thought when, in his infinite wisdom, he and his band of pioneers coded an immutable smart contract in crypto-JavaScript without an update function built in, to respect the divine theology of immutability.


"We'll just hard-fork #theDAO 2.0 once the fund reaches $1 billion" was his response.


To be sure, that code was hacked together, yet they exercised greater diligence than their crypto-counterparts.


They paid a security firm $200 to research integer overflow risks.


"DAO is going to the moon. So we'll have to add realllllyy big numbers," he explained.

  1. Vitalik Buterin didn't invent Solidity, he invented EVM.
  2. Ethereum Foundation actually paid for a security audit. And, amazingly, the problem which hit The DAO was mentioned by the audit company. (But in passing.)
  3. Formal verification can be incredibly expensive. Are you sure you aren't confusing Ethereum Foundation, which got about $20M to play with, with Intel, which has $50B yearly revenue?
  4. Smart contract language research can take many years. Ethereum made a smart choice of standardizing EVM. New, better languages can be developed. They will be developed once more money pours into the industry.

And your second point is wrong. The security audit made no mention of the recursive call function.

Hobbyists mentioned it in blogs.

Wrong. The LeastAuthority report reported "reentrancy hazards":

the refund callback could make a new donation, triggering another refund cycle, potentially double-refunding the earlier contributions, or failing to refund later ones

It is usually possible to protect against these hazards with careful state management

The object-capability community addresses this class of hazards by using the "eventual-send" operation whenever possible

They described exactly the problem which affected The DAO, and how to avoid it, and how to make language/VM resistant to such errors.
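The hazard and the two mitigations quoted in the comment above, as an added Python simulation that is not part of the thread, the audit report or any real contract. The `Crowdfund` and `Donor` classes and the mode names are hypothetical, and the callback here re-enters `refund` directly, which is the general form of the hazard rather than the donation-triggered variant the report describes.

```python
from collections import deque

class Donor:
    def __init__(self, name, reenter=0):
        self.name, self.reenter, self.received = name, reenter, 0

    def on_refund(self, fund, amount):
        self.received += amount
        if self.reenter > 0:              # callback calls straight back into the fund
            self.reenter -= 1
            fund.refund(self)

class Crowdfund:
    def __init__(self, mode):
        self.mode = mode                  # "call_first", "state_first" or "eventual_send"
        self.owed, self.pot, self.queue = {}, 0, deque()

    def donate(self, donor, amount):
        self.owed[donor.name] = self.owed.get(donor.name, 0) + amount
        self.pot += amount

    def refund(self, donor):
        amount = self.owed.get(donor.name, 0)
        if amount == 0 or self.pot < amount:
            return
        self.pot -= amount                # the funds leave together with the callback
        if self.mode == "call_first":
            donor.on_refund(self, amount) # donor code runs while the books still show a debt
            self.owed[donor.name] = 0
        elif self.mode == "state_first":
            self.owed[donor.name] = 0     # careful state management: settle, then call out
            donor.on_refund(self, amount)
        else:
            self.queue.append((donor, amount))  # eventual send: deliver in a later turn
            self.owed[donor.name] = 0     # same sloppy order as call_first, now harmless

    def run_turns(self):
        while self.queue:                 # queued callbacks run only after refund() returned
            donor, amount = self.queue.popleft()
            donor.on_refund(self, amount)

def simulate(mode):
    """Constructed scenario: two donors give 10 each; bob's callback re-enters once."""
    fund = Crowdfund(mode)
    alice, bob = Donor("alice"), Donor("bob", reenter=1)
    for d in (alice, bob):
        fund.donate(d, 10)
    fund.refund(bob); fund.run_turns()
    fund.refund(alice); fund.run_turns()
    return alice.received, bob.received, fund.pot
```

In `call_first` mode the earlier contribution is refunded twice and the later donor gets nothing; the other two modes refund each donor exactly once.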

$20M to play with. I don't know what world you inhabit. I inhabit a world where security researchers in dusty faculty buildings earn under $20,000.

This piece was satirical, so the details aren't 100% but I hope you understand the general message.

I don't care whether John, Mick or George invented Solidity. The Ethereum foundation created it, and my point still stands. There's tons of literature on formal languages; no need to reinvent the wheel with a bullshit language.

Smart contract language research is decades old (read Nick Szabo's '02 blogs, for example, which cite older research).

They have created no new unexplored field, just reinvented the wheel with half-baked pump material.

You don't understand what you're talking about. Formal language is a language which has a grammar. Pretty much any programming language is a formal language.

You probably meant formally-verifiable language. There are many ways to approach formal verification, none of them is general purpose. So it's still a question what kind of formal verification is needed for smart contracts.

Contract languages are still a research subject. Again, they are still not general enough.

Tbh I was sort of trolling, just skim-read a Reddit post on formal verification and jumped on the FUD train.

The real DAO hacker agreed to an interview

they all like to be "hacked"

Hi! This post has a Flesch-Kincaid grade level of 9.7 and reading ease of 59%. This puts the writing level on par with Michael Crichton and Mitt Romney.

Greetings! Very useful advice in this particular post! It's the little changes that produce the largest changes. Thanks a lot for sharing!