Smart Contract Security Newsletter 19 — MythX, IBM X-Force Red, Security Considerations for EIPs
Sign up to get this newsletter every week: https://tinyletter.com/smart-contract-security/
MythX is Real!
Our MythX security analysis API (docs.mythx.io) launched in public beta this past week! It’s free for anyone to use, for a limited time.
MythX is a security analysis platform for Ethereum smart contracts. It allows any developer or development team to perform a comprehensive range of industry-leading analyses on smart contracts, including an input fuzzer, a static code analyzer, linter, and a symbolic analyzer. All accessible through an easy-to-use API.
IBM “X-Force Red” Launches Blockchain Cybersecurity Service
From the press release:
With worldwide spending on blockchain solutions forecasted to reach $9.7 billion by 2021, the number of blockchain implementations will likely grow exponentially across all industries.1 Meanwhile, the benefit of the network effect inherent to blockchain networks means they include broad, decentralized ecosystems of organizations, which in turn offers different attack vectors than traditional applications and creates opportunities for cybercriminals seeking to manipulate or monetize the data being shared on the blockchain.
The offering (https://www.ibm.com/security/services/blockchain-testing) appears to be quite broad, not specifying any particular blockchain technology, and includes the full stack:
IBM X-Force Red is seeing that 70 percent of solutions that incorporate blockchain rely on traditional technologies for backend processes like authentication, data processing and Application Programming Interfaces (API). The X-Force Red Blockchain Testing service will evaluate the whole implementation including chain code, public key infrastructure and hyperledgers. X-Force Red will also test backend processes, applications and physical hardware used to control access and manage blockchain networks.
EIP: mandatory “Security Considerations” for EIPs
This week in the “wow, that makes a lot of sense” category, my colleague
tintinweb drafted a meta-EIP that would require all EIPs to include a ‘Security Considerations’ section.
As an interesting historical note, the EIP (Ethereum Improvement Proposal) process was inspired by BIPs (Bitcoin Improvement Proposal)… which was inspired by Python’s PEP (Python Enhancement Proposals)… which was inspired by the IETF’s RFC process (Internet Engineering Task Force / Request For Comments). RFCs do have a Security Considerations section, unfortunately somewhere on the path from RFC to EIP, it seems to have been forgotten.
Another recent proposal (eth-magicians.org) which is nicely complimentary suggests instituting a “defined review period time where the specific purpose is security”.
Also this week
On efficient Ethereum Storage (using a CREATE2 hack) — (medium.com/coinmonks)
What is Ghidra? The Reverse Engineering tool the NSA just open sourced — (Robert Graham on Twitter)
SOLTIX: Scalable automated framework for testing Solidity compilers — (github.com/eth-sri)
A python based solidity parser — (github.com/consensys)
That’s all for this week, thanks for reading!
Thinking about smart contract security? We can provide training, ongoing advice, and smart contract auditing. Contact us.