OpenZeppelin: millions of dollars are at risk from poorly coded smart contracts | Breaking News

Smart contracts are vulnerable to attacks. That is the conclusion reached by the team at OpenZeppelin, a company that creates tools for developers and performs security audits for distributed systems built on smart contracts, the building blocks of the Ethereum network that are responsible for the transfer of millions of dollars.

The company, headquartered in the United Kingdom and founded in 2015, boasts a network value of over 4,500 million dollars built using its systems. In addition to security audits for decentralized applications (Dapps), the company also built an open source infrastructure to make it easier for new developers to create complex applications on the blockchain.

If decentralized applications were arteries, smart contracts would be the blood that circulates through them. Any defect within this code could pose a problem for a company, which in this system would be like the human body. However, there are doctors: in our analogy, they would be the OpenZeppelin team.

Earlier this year, MakerDAO, the Decentralized Autonomous Organization (DAO) behind the stablecoin DAI, announced a critical security update after a vulnerability was discovered in its governance smart contract.

The problem in MakerDAO's governance voting system originated in a vulnerability in the functioning of the smart contracts implemented for the voting process. It was discovered during the second round of security audits, which at that time formed part of the work undertaken by the cryptocurrency exchange Coinbase and OpenZeppelin.
A major achievement for the security company's team of developers.

On these aspects, Ivan Gomez of Breaking News spoke with Martin Abbatemarco and John Carpanelli, representatives of OpenZeppelin in Argentina.

What are the most frequent vulnerabilities or the most common mistakes found in the review of contracts?

The last one that we found, we think, is the most interesting, which was found on Maker, one of the larger processes that we did, with millions of dollars supported by their contracts. Zeppelin ended up finding a very important vulnerability in Maker's voting system, which led to them having to look at Maker's smart contracts to be able to avoid this vulnerability, so that was one of the most important.

What happened was that there were problems in the business or in the smart contracts. There are vulnerabilities associated with Ethereum in particular or the basic protocol of Ethereum, but we simply find errors in the programmers and therefore they were at some function wrong or otherwise incorrect, and we, as a system of vitality attackers, had to just find them and attack them, and, well, it came out well.

Are those errors precisely about the suitability of the contract, the business idea?

Yes, fundamentally, this is it. Sometimes it is not very clear what the specifications of their projects are, and we need these specifications to try to understand between what the code does and what the code wants to do.
Many times even the draft is clear about what the code wants to do and we were able to find ways to attack the project where they do not expect us to strike because they think of the project in a certain way, but we, as auditors, have the ability to think about the project in any other way.

And do you think these errors occur because the number of developers in the ecosystem has not yet matured enough, or because they still lack talent or experience, or due to some difficulty in the languages?

I think that is a normal topic, because making mistakes is only human, and that is inherent to the development of software, and there are always going to be errors. The issue is that here there is an emphasis on doing the right thing because there is a lot of money involved. A smart contract is not like just any software, and if someone finds a vulnerability before we find it or before the owner of the contract finds it, they can exploit it, and there are investments at stake, and that is why there is more emphasis on that part. But it is inherent to the software development cycle. There will always be vulnerabilities, and the point is to take it to a process in which you can mitigate all of that in the best way.

And regarding programming languages on the blockchain, especially in Ethereum, where it has been discussed that Solidity is a more or less complicated language, the same as the language of Bitcoin, are these languages difficult to develop in? How do you see this area: is there more maturity in development, are there searches for a simpler language to build more securely?

There are other languages; there is also Vyper, which is a language very similar to Python, and even so, Solidity is the most stable language today, which we recommend using. Even our Zeppelin smart contracts are made in Solidity, the new Zeppelin (contracts) also.
There is a community behind Solidity of very intelligent human beings who have made of a language that is pretty green something that has matured quite a bit. And if I had to recommend a language, it is certainly Solidity.

What is Zeppelin up to now, what are the next projects? What do they have on the table? How is the company advancing?

The company basically today is composed of two teams: the research team, which is dedicated basically to auditing projects. There is, on the other hand, the platform team, which is composed of two edges: the contracts, which are all known as OpenZeppelin contracts, and the edge of the platform, which is responsible for having everything needed to create smart contracts and upload them to a blockchain, to be able to make a Dapp and communicate with those contracts in an easy, fast, simple way, without having deep knowledge of not just software development in general, but blockchain development.

In addition, OpenZeppelin is working on a set of products for Ethereum developers, which includes contracts, SDKs, and starter kits. They also work on the Gas Station Network to finish the transaction. It is a decentralized network of relays that is used to send ETH transactions without the end user having to pay the gas that is normally charged as the cost of the transaction.

The Gas Station Network (GSN) emerged as an alternative solution to the obstacles hindering the mass adoption of cryptocurrencies, which in the case of the Ethereum network force the user to interact with various applications, install extensions, and pay for gas, among other requirements.
