Decentralised Software Engineering - Security Deep Dive - Part 1

Value is either created or transferred, but never destroyed.

Blockchains like Ethereum introduced smart contracts, whose true value is in facilitating universal execution of code. As all things have two sides, the attack on the DAO gave way to the other side and a new subject line for the world, "Security in Smart Contracts", and exposed its negative externalities for the first time. The kind of bug that affected the DAO can affect Lisk and IBM blockchain, as it's not the code but the concept that is being challenged here.

So what do we need to take care of while developing Dapps? The following points elaborate on it:

  • Governance structure is the core.

The governance structure of the smart contracts needs to be defined, with a crystal clear understanding of all components, and it should be tightly knit with the objective / purpose.

  • Know thy ground. 

It is very important to know the ground-level details of each and every function, and to know that it is functioning as per its intended definition. This includes extensive documentation and testing within closed releases.

  • Understand that simple normal users.

This is one of the most common assumptions, and a fatal mistake, that developers make. They assume that access control is inherently defined in smart contracts, but in fact access control needs to be defined on a per-function basis. Moreover, variable definition is very crucial (i.e. whether a variable is private / public).

  • Understand cross contract validation.

It's very important to know all places where external contracts and libraries are being called. The DAO attack has its roots in 

  • Keep it simple. 

It's pointless to add useless complication to contracts, as it would keep increasing complexity and cost. Hence try to simplify and minimize operations wherever feasible.
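To make the access-control point above concrete, here is an added Solidity example (not code from the original article) showing a contract that leaves its privileged functions open next to one that declares an access rule on each function. The contract names, the `reserve` variable and the `NotOwner` error are hypothetical, and a Solidity 0.8.x compiler is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts; all names here are hypothetical.

// Weak form: nothing restricts who may call the state-changing functions.
contract TreasuryOpen {
    address public owner;
    // "private" only hides the variable from other contracts;
    // its storage slot can still be read by anyone off-chain.
    uint256 private reserve;

    constructor() payable { owner = msg.sender; reserve = msg.value; }

    // No access rule: any account can call this and become owner.
    function setOwner(address newOwner) public {
        owner = newOwner;
    }

    // No access rule: any account can withdraw the balance.
    function withdraw(uint256 amount) public {
        reserve -= amount;
        payable(msg.sender).transfer(amount);
    }
}

// Hardened form: each privileged function states its own access rule.
contract TreasuryGuarded {
    address public owner;
    uint256 private reserve; // still not a secret, only an encapsulation boundary

    error NotOwner(address caller);

    // Reverts unless the caller is the current owner.
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() payable { owner = msg.sender; reserve = msg.value; }

    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    function withdraw(uint256 amount) external onlyOwner {
        reserve -= amount; // reverts on underflow in 0.8.x; state changes before the transfer
        payable(msg.sender).transfer(amount);
    }
}
```

A review checklist that follows from this: every `public` or `external` function that changes state should carry an explicit modifier or check, and no secret should ever be placed in a `private` variable.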

Happy hacking and use the knowledge wisely ... :) 
