EOS Network Foundation
Providing an overall framework for security analysis tooling and contract audit for EOSIO-based applications.
With security threats on the rise, the Audit+ working group is providing research and development to ensure a safer and more secure user and developer experience for everyone.
Security is critical for any decentralized application, but it’s one area which is comparatively overlooked in EOS. The Audit+ working group (WG) is led by security experts Slowmist and Sentnl, who are both widely used auditing firms for EOSIO and Solidity smart contract developers. This working group was inspired by Consensys Diligence and was formed because there are comparatively few solutions in the EOSIO ecosystem focusing on security compared to other blockchain technologies.
One of the key issues for the Audit+ team to address will be the self-perpetuating knowledge within developer communities which can only be learned and passed on if tomorrow’s developers are provided with the right tools and documentation today.
The EOSIO core system is brilliantly designed for a security-oriented approach. However, the basics still need to be addressed to ensure that it can first match the standards of other blockchains and then harness the unique elements of EOSIO, such as its robust permissions system, to push it not one, but many steps further.
By looking at the network as it stands and conducting research of other communities, the Audit+ working group has identified a number of key areas of focus that they plan to detail in their upcoming Blue Paper, which will serve as a compilation of their research and provide a roadmap for how EOS can move forward. Some of the topics that Audit+ plans to address include:
Build Automated Open Source Security Auditing Tools and APIs
As things stand, there aren’t any services within the community which can verify that the current smart contract code has been audited and deemed to be secure. EOS also lacks a centralized location for auditors to publish their findings and other information. This creates a significant vulnerability within the system and gives developers limited reassurances that the smart contracts they are working on are totally safe.
Creating more automated and freely available tools could make it easier for individual developers to check the security of their contracts. Although some tooling currently exists, it is neither open source nor free of charge. A robust security platform would be something which virtually no other blockchain has fully achieved, putting EOSIO at the forefront of blockchain security, giving users peace of mind when interacting with EOSIO DApps.
This will have a number of benefits for EOS in that it will enable exchanges to verify the security of each smart contract by verifying that the on-chain hash matches the hash of the last audit performed. Wallets will be able to integrate with APIs using clear standards and provide approval against smart contracts used during interactions. Users will be able to verify the security of applications via wallets or by visiting the front end.
Contract Upgrade Authorizations
A world in which EOS contracts can be deployed on ordinary EOS accounts, and in which the owner has permission to change the contract as he or she pleases, creates a trust issue. How can users trust owners won’t suddenly change the contract to an unaudited version or even take all the funds locked into the contract? Audit+ is looking to identify a way to make this trustless while still ensuring developers can upgrade their contracts.
Software Libraries for Secure Smart Contract Development
As the numbers and total value locked (TVL) of DeFi protocols grow, the risk of attack increases. While developing audits and more secure operations can provide a start in securing the network, there remains a gap in the integration of security. The Audit+ working group plans to lay out a road map for how commonly used smart contract templates could be developed, audited, and open sourced to the wider community to amplify cost savings and security assurances across the entire ecosystem similar to what OpenZeppelin offers for Solidity developers.
This can provide a useful guide enabling even inexperienced developers to create secure smart contracts with the support of these templates and standards — thereby securing the wider network as a whole.
Bug bounties can harness the enthusiasm and talents of the community to secure the network. These bounties encourage the hacker community to invest time in analyzing the EOS code base, identifying vulnerabilities and flagging them. These are already in operation in most leading blockchains, but EOS currently lacks any well-defined program on its own. By setting up a well-managed and well rewarded bug bounty program, they believe EOS can attract the best talent in the white hat hacker and security community to identify and flag up the most serious vulnerabilities before they become public.
Knowledge Repository of Common Security Pitfalls When Writing EOSIO Smart Contract
Some of the most common security pitfalls when writing smart contracts are relatively easy to avoid, but only if developers know what they’re looking for. Less experienced developers will be liable to make simple mistakes which can let malicious actors in. Currently there aren’t any actively managed lists of common mistakes and how to avoid them for EOSIO smart contract developers. Having something like this available would give developers a repository of verified information to refer to and may prevent many of the most common and basic vulnerabilities ever appearing in the first place. Some of these initiatives will be easier to get started than others. Some will require time and considerable investment, while others, such as developing a list of common mistakes, can be started immediately.
The Audit+ Blue Paper is expected to be published before the Chinese New Year and will outline all of their recommendations and initiatives that they believe can immediately change the EOS network for the better. Each of these initiatives will put EOS back on the front foot when it comes to securing the ecosystem against current and future attacks.
The findings and recommendations from the Audit+ working group will reassure developers and build the network’s reputation as a place where it is safe to build dApps and do business.
- Join WG+ on the EOS Community Discord Server!
- EVM+: Bringing the Ethereum Virtual Machine to EOS
- API+: Providing Access for the Next Generation of EOSIO-powered dApps
- Core+: Developing Software to Run on EOSIO
- In Support of the EOS Wallet Ecosystem
The EOS Network is a 3rd generation blockchain platform powered by the EOS VM, a low-latency, highly performant, and extensible WebAssembly engine for deterministic execution of near feeless transactions; purpose-built for enabling optimal web3 user and developer experiences. EOS is the flagship blockchain and financial center of the EOSIO protocol, serving as the driving force behind multi-chain collaboration and public goods funding for tools and infrastructure through the EOS Network Foundation (ENF).
EOS Network Foundation
The EOS Network Foundation (ENF) is a not-for-profit organization that coordinates financial and non-financial support to encourage the growth and development of the EOS Network. The ENF is the hub of the EOS Network, harnessing the power of decentralization as a force for positive global change to chart a coordinated future for EOS.