Javascript in the code of smart contracts

in blockchain •  6 years ago 

In the previous article, we focused readers' attention on such feature of the Giant blockchain as the system code update. We mentioned that our blockchain replicates Ethereum technology solutions and also offers new features such as:

  • Smart contracts development with the Javascript ES6 standard (in the nearest future with the ES7).
  • Smart contracts code update.
  • Smart contracts destruction (we will cover this feature in more detail in our next article).

For smart contracts implementation, we have chosen the JavaScript. Why the Javascript? Let's try to figure out.

Obviously, none of the existing programming languages do meet all the needs of the programmer. Each language has its pros and cons. However, the JavaScript turned out to be the best solution in our situation. Let's try to explain why.

What is «the fault» of Solidity?

In an article «A survey of attacks on Ethereum smart contracts»1 Atzei et al. touching on security issues of Ethereum smart contracts write the following: «There are several reasons which make the implementation of smart contracts particularly prone to errors in Ethereum. A significant part of them is related to Solidity, the high-level programming language supported by Ethereum. Many vulnerabilities seem to be caused by a misalignment between the semantics of Solidity and the intuition of programmers. The problem is that Solidity, whilst looking like a typed Javascript-like language (with exceptions and functions), implements some of these features in a peculiar way. At the same time, the language does not introduce constructs to deal with domain-specific aspects, like e.g. the fact that computation steps are recorded on a public blockchain, wherein they can be unpredictably reordered or delayed». From the article's excerpt, it becomes clear that the main security issues of smart contracts come from the Solidity. But what kind of «features» put the security of platforms and users who write smart contracts on the Ethereum blockchain at risk? Let's try to find out.

In the list below, we want to list some of the problems and features of the Solidity language that can threaten the security of the platform:

  • Multiple inheritance, using for, call/delegate call — These commands start the code not from the current source code thus reducing the readability and, as a consequence, the security of the code.
  • Overflows & Underflows2. Due to this vulnerability a hacker could easily cause a catastrophic loss for the crypto holder's account. Overflow & Underflow types of problem can only be fixed with a hard fork.
  • Visibility & delegatecall. This bug was the reason for the lost of 30 million dollars for the users of the Parity, a second most popular Ethereum's client3.
  • Reentrancy (sometimes referred as TheDAO hack)4 — A very common and dangerous mistake. This error is difficult to notice because it is associated with a feature of the Solidity that is not present in other languages.
  • Call to the Unknown (DoS with unexpected revert)5 — This issue appeared in the King of the Ether smart contract.
  • Short Address Attack. The GNT transfer transaction bug was indeed the exchange's fault, but it was also related to the way Ethereum contracts see the transaction input data and Solidity ABI (e.g. the way the methods of Solidity contracts encode and decode arguments)6.
  • Checks-Effects-Interactions pattern — These constructions violate the CEI.
  • By calling another contract, you can suddenly get into its fallback-function which may lead to unexpected consequences.

And this is not a complete list of the Solidity vulnerabilities that have led, and quite possibly will lead to the loss of funds of users of Ethereum smart contracts.

The largest incident in terms of money has happened with the DAO platform, a Decentralized Autonomous Organization, which has experienced a vulnerability called Reentrancy. In June 2016, a hacker took advantage of the vulnerability of DAO smart contracts and brought to his account more than 3.6 mln of ether which at the rate of that time is equivalent to about $50 mln7. Developers of the platform had tried to fix the problem as quickly as possible, but they failed to do so because of the clumsiness of the Solidity. This case hardly affected the DAO and at the end of 2016, the Kraken and Poloniex cryptocurrency exchanges excluded the DAO from trade.8

In the most recent case, which occurred in July 2018, a vulnerability in code written in the Solidity has led to the theft of about $ 23.5 million from the Bancor, a decentralized exchange.9

In conclusion, we would like to quote Martin Holst Swende, a security lead at the Ethereum Foundation, who once commented on the security of Ethereum space: &lauqo;This is Disneyland for hackers&rauqo;.

C# and C++ programming languages

The C# and C++ are complex languages for writing smart contracts and are therefore difficult to be accessed for many developers. Each of them has its pros and cons. For example, the C# is preferable for a quick production of any prototype. It is more convenient in the early stages of projects because of the high speed of development. However, if you have created an infrastructure, chosen libraries, and set a build, it doesn't matter which language you use: the speed of development will be about the same. Let's review the C# and the C++ on some other parameters:

  • The performance of the code. The C++ is better on this parameter. It has more capabilities for optimization. And if you need to process large amounts of data, the C++ is the better option. But there is a nuance. With a non-professional approach, a code written in the C++ will work much slower than the code written in the C# when they perform a similar task.
  • The simplicity of development. The C# programming language is simpler than the C++ in development but they both are more complicated than the JavaScript.
  • A number of libraries. The C++ has a lot of libraries, they are well optimized but have an archaic structure. In addition, most of them have containers and their own row types. This increases performance, while the usability and the appearance of the code «suffer». The C# language has fewer issues and many free libraries, but it is likely that nothing will fit a specific task. Perhaps, the necessary library will appear in the future, but it will work slowly.
  • Statistical typification of the C# and C++. This is another disadvantage of these languages because, in the case of tests — JavaScript language is smaller and easier for writing a code.

Obviously, JavaScript is preferable to the C# and C++ for writing smart contracts, as these languages are much more complicated. Although this complexity provides additional flexibility, it will be time-consuming for the developer.

What do we offer?

We offer the implementation of «smart contracts» on the JavaScript (ES6 standard). We utilize this programming language since it provides maximum opportunities for solving all kinds of problems. The JS is flexible, which means that you can apply more than one programming template to specific conditions. In addition, the JavaScript opens up a huge number of ready-made libraries and frameworks to simplify code writing.

You can apply Javascript in many areas and develop different applications. Thanks to the NodeJS and web frameworks, it has a large community. Convenient and easy to use JS programming language makes the development of smart contracts accessible to everyone.

The Giant blockchain runs the JavaScript of ECMAScript 6 standard using the V8 JS engine (Chrome) version 6.6.

Each smart contract has an address, in other words, it has its own balance and can accept payments. The core implementation of the contract class provides the core capabilities of smart contract, both for accepting transactions where the current smart contract acts as the recipient and for sending transactions where the sender is the current smart contract.

The simplest Giant smart contract with one field and a setter/getter looks as follows:

'use strict' 
import Contract from 'GiantContract'

export default class SimpleContract extends Contract {

  constructor(text = 'Hello world!') {  
    this.text = text
  } 
  setText(text) { 
    this.text = text
  } 
  
  getText() { 
    return this.text 
  } 
 }

Smart contract testing

Smart contracts often operate with a lot of money, meaning that the security requirements in this area are high. Hence, a mandatory part of the development of a smart contract is testing.

Tests in Giant. JavaScript makes it easy to replace any entity and to simulate its behavior. There is a low connection between the blockchain and virtual machine. Therefore, it is easy to integrate Giant directly with any Integrated Development Environment (IDE) to provide a test compatible with the execution environment of this blockchain. Therefore, it will be easy for the Giant smart contracts to write unit and integration tests using JavaScript code testing schemes.

Tests in Ethereum. Due to the fact that Ethereum smart contracts, after their launch into the network, can not be modified, developers need to be very careful when testing these contracts. Testing is important to ensure that the contract behaves in the network as intended, and also to identify contracts’ bugs, vulnerabilities, and risks. There are many tools available for testing Ethereum contracts, for example, Truffle, DApple, EmbarksJS, etc.

In General, the principle of the Giant and Ethereum tests is similar, except that the Solidity test environment is a cross-compilation of the Solidity and JavaScript languages, while the Giant environment is unified and is represented only by the JavaScript.

References:

  • Atzei, N., Bartoletti, M., & Cimoli, T. (2017). A survey of attacks on ethereum smart contracts (sok). In Principles of Security and Trust(pp. 164-186). Springer, Berlin, Heidelberg.
  • He, Y. (2018). Unit underflows and overflows — Ethereum solidity vulnerability.
  • Zhao, W. (2017). Reported Stolen Due to Parity Wallet Breach.
  • Konstantopoulos, G. (2018). How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and how to avoid them (Part 1).
  • Konstantopoulos, G. (2018). How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and how to avoid them (Part 2).
  • Bylica, P. (2017). How to Find $10M Just by Reading the Blockchain.
  • Siegel, D. (2016). Understanding The DAO Attack.
  • Falkon, S. (2017). The Story of the DAO — Its History and Consequences.
  • Russell, J. (2018). The crypto world’s latest hack sees Bancor lose $23.5M

The original article could be found on: https://giantpay.network/pages/javascript-in-the-code-of-smart-contracts

Follow us:

You can find the most recent news and insights on the Giant project on our Discord server: https://discord.gg/wFBmkJD

If you are interested in our project, tell your friends about the Giant in your social networks and forums, and subscribe to the news on the Giant project on the following channels:

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!