Little-Known Security Tool Keeps Ethereum Applications at an A+ Rating
Ethereum has never overtaken Bitcoin's market capitalization, but its decentralized applications have thrived in large part because of their security efforts. The platform maintains A+ security with the help of a security tool that hasn't been well publicized. The tool checks that the platform's self-executing lines of code, otherwise known as smart contracts, do not carry the kind of errors that would result in high costs.
The tool is entirely free, and it was launched in October by Amberdata, an Ethereum tech startup. The general public can also access it to check how secure the Ethereum blockchain's applications are. Smart contracts are at great risk from bugs, because a single bug can cost hundreds of millions. With the service, the scan goes over the code and assigns a letter grade to show how secure the dApp is.
This is just one of many tools consumers can use to increase transparency between the end-users of apps and the developers who create them. Others in the space perform similar evaluations, DuckDuckGo among them. DuckDuckGo is a browser with significant privacy protocols implemented, and through a Chrome browser extension it can rate websites with a letter grade as well. In a blog post from January 2017, DuckDuckGo stated that its mission is to "raise the standard of trust" for websites and other online endeavors.
The grading tool from Amberdata is fairly similar. CEO Shawn Douglass said in a press release that the tool is crucial in giving more access and visibility into the structure of smart contracts. The company hopes that, by offering these options to consumers, dependencies can be reduced and the community can thrive with faster development.
To create the ratings, Amberdata tests and rates 13 potential vulnerabilities, which CTO Joanes Espanol compares to checking the engine lights on the dashboard of a car. With more security errors, the letter grade goes down, ranging from A+ to F. However, the number of errors is not the only factor; the vulnerabilities have different levels of severity that adjust what the final grade can be. For instance, two of the low-security vulnerabilities that Espanol noted include:
"delegate call to a user-supplied address"
"message call to external contract."
The point of the security audit is to serve as a warning to the dApp's developers, rather than just to point out code errors. One dApp, TrueUSD, created by Trust Token, received a C letter grade, which does not inspire much faith in the program. However, a security engineer named William Morriss said that the concerns the company found were not considered "critical." He added that the findings were treated
When it comes to creating a dApp, it is necessary to write code that cannot be penetrated, for two big reasons that set dApps apart from traditional applications. First, dApps are often open-source programs, which exposes the code to the public, so anyone has a chance to take advantage of any bug found. Secondly, every dApp runs on a smart contract, which means that programmers have far less opportunity to correct errors after the program has launched.
Third-party security audits are crucial before launch, and it is important to test every single part of the code. This testing can make the difference between an effective, safe dApp and one that is hacked by any skilled developer.