A large team of OpenZeppelin developers and security researchers presented numerous advancements in securing the Ethereum ecosystem at ETHCC and DeFi Security Summit in Paris. Here is a recap of the talks, along with key takeaways from each.
100% Test Coverage But 0% Security
Security researcher Felix Wegener centered his presentation on the topic of testing in relation to the security of smart contracts. The key takeaway: how can developers make testing as attractive as hacking?
The purpose of testing is to verify whether a codebase functions as intended. Tests also serve a descriptive function, demonstrating the "happy path" through the codebase and other possible interactions an end-user might have with it. Functional and descriptive metrics, such as line or branch coverage might point to a perfect score, though simply achieving high functional and descriptive scores does not mean the system is secure.
To address this gap, it is important to conduct 'negative' test cases, aiming to confirm that certain actions, which shouldn't be possible (like an unauthorized user burning tokens), indeed cannot happen. In other words: make hacking a part of testing. Find the things you wouldn’t want to happen, and see if you can make them happen by writing tests. Security testing involves testing for the absence of undesired functionality. Developers should adopt this approach internally and then reach out to their security partners to further refine and enhance their testing methodologies.
Security Doesn’t Stop At Code Complete
In this presentation, OpenZeppelin Defender lead engineer Dan McKeon explains that while writing secure code and conducting audits are essential, deployment and post-deployment activities are equally important. He emphasizes the need for robust processes similar to those found in non-blockchain development environments, such as continuous integration and delivery, monitoring, logging, infrastructure as code, performance monitoring, and automation.
To help prevent security risks based on human error, there is a crucial need for reproducible deployments, especially across multiple networks. This can be achieved by using Defender’s automated processes, monitoring, and CI runners. Another operational security need can be addressed via bytecode verification, type safety for upgrades, and the use of testing in lower environments such as forked networks and testnets.
Account Abstraction in Starknet
Martin Triay, OpenZeppelin Contracts for Cairo developer, compared Starknet’s native account abstraction capabilities with Ethereum’s ERC4337, providing an overview of both the benefits and limitations of each system. The user sends a transaction to a sequencer node, which checks if the transaction is valid and if the account has enough funds. It then runs a validation function to determine whether it can charge gas on this account or not. This system is designed to prevent denial of service by limiting the capabilities of the validation function.
While ERC4337 has an alternative network of bundlers, Starknet has a single native network of sequencers. Also, while ERC4337 transactions are sent to a single entry point contract, in Starknet, each transaction targets a different account contract. Starknet is seen as simpler and more user-friendly because it has fewer layers and the transactions are easier to decipher and inspect. Areas for future development include protocol-level fee abstraction and improved account detection mechanisms.
OpenZeppelin Contracts v5.0
Research Engineer Hadrien Croubois discusses what’s upcoming in OpenZeppelin Contracts v5.0. This will be a breaking change for the OpenZeppelin Contracts libraries – usually breaking changes have been mapped to Solidity upgrades, however, Solidity has not moved on from v0.8 and there are a lot of important upgrades that have been held back. As a result, OpenZeppelin will move forward with the major milestone which includes improvements to governance, access control management, and NFT functionalities, along with setting the groundwork for more major security and efficiency upgrades in future v5.x releases.
Another recent release was the OpenZeppelin MerkleProof library for securely building and verifying Merkle proofs. The library includes double hashing by default and can be integrated with other contracts or libraries.
OpenZeppelin Contracts v5.0 will include custom errors and the new Access Manager to help manage permissions at a contract level in a clean and consistent way. Contracts v5.0 also includes a move to namespace storage for upgradable contracts, which helps streamline the process of upgrading contracts.
The direction of OpenZeppelin Contracts is largely driven by community needs to support the ecosystem through new features and improvements, focusing on areas such as account abstraction, governance, better nonce systems, efficiency improvements, and upgradability without compromising security.
Incident Response for OpenZeppelin Contracts
OpenZeppelin Contracts Lead Developer Francisco Giordano discusses learnings in incident response for OpenZeppelin Contracts, focusing on the process and best practices around responsible disclosures for the most trusted libraries in Ethereum. In this presentation, he highlights four foundational principles that the project abides by:
- Engineering and open-source best practices
- Secure design principles
- Multi-layered reviews
- Incident preparedness
The latter involves preparing for the eventuality that a bug might bypass all other layers of protection and outlines procedures to follow, team members to loop in, and which tools to use.
Over the years, OpenZeppelin has experienced some minor incidents and learned important lessons from each, which are shared with the community. Among the main challenges discussed is how to assess the real-world impact of an issue. Currently under development is the Dependency Checker, which can scan a project or a contract and identify the features and version of the library it's using, along with any known security advisories.
While this presentation covers incident response for the widely relied upon contracts libraries, OpenZeppelin offers comprehensive Incident response training, war rooming, and live support during incidents for clients. This training and development of clear processes helps clients react, mitigate, and respond to security incidents, model threats, identify weaknesses, develop a plan, and perform incident response simulations.
Bonus: Auditing ink! with OpenZeppelin by Polkadot
ink! Core Developer Lea Narzis delivered a presentation on Polkadot’s Rust-based smart contract language, highlighting the advantages of using Rust for ink! smart contracts. Rust is memory-safe, compiles to WebAssembly, and allows high-level function building.
A security review was conducted in collaboration with OpenZeppelin at the beginning of 2023 to make ink! and the command line tool Cargo Contracts safer. The audit identified 11 issues and suggested improvements for developer experience and education around ink!, two of which were high severity. The ink! team resolved four of the issues, and the rest are still in progress. The collaboration between OpenZeppelin and Parity was extended, and the team is currently working on Parachain Runtime Templates.
Get In Touch
Founded in 2015, OpenZeppelin is the leading blockchain security company providing products & audits to the most trusted organizations in Web3. Developer of the most-trusted smart contract libraries and standards relied upon by 100% of the Top-50 DeFi and NFT projects, and provider of over 200 audits for the leading blockchain systems.
If you're seeking to boost the security and reliability of your blockchain project, please reach out to OpenZeppelin about receiving an audit or customized security services.