OpenZeppelin: A powerful tool to ensure the security of Ethereum smart contracts
Core points
Ethereum's computing needs to be replicated on all nodes in the network, so its computing is expensive and inefficient (in fact, Ethereum's GitHub developer documentation states that we should not expect Ethereum's computing power to exceed 1999 in 1999. mobile phone).
Therefore, the security of Ethereum Virtual Machine (EVM), i.e. the security of smart contracts deployed on the Ethereum blockchain, is crucial. All errors can cause actual economic losses—whether it is caused by bad contract codes or losses caused by hackers exploiting contract vulnerabilities such as the infamous DAO hack that led to the community split and gave birth to the classic Ethereum blockchain. .
Turing completeness and a range of other design decisions make Ethereum more powerful and complex, but also pay the price. The richness of Ethereum makes it more vulnerable to errors and hacking.
What's worse is that smart contracts deployed on Ethereum cannot be modified. Blockchain is an immutable data structure.
This article explores the security of smart contracts and the ecosystem of tools and libraries that help us write secure smart contracts.
Let's take a look at some amazing tool upgrades that we can use right away to take advantage of the best practices provided by the Solidity environment.
One of the coolest tools for Ethereum developers is the OpenZeppelin library. It is a framework that contains many secure and reliable Solidity code patterns and smart contract modules. The authors themselves are Solidity auditors and consultants, where you can read third-party audit reports on these modules. Manuel Araoz of Zeppelin Solutions, an Argentina-based company, outlines the main Solidity safety patterns and considerations.
OpenZeppelin has become the industry standard for reusable and secure open source (MIT) Solidity code, easily deployed with Truffle. It consists of smart contracts that can be easily imported and used in our contracts once installed via npm.
Truffle framework publishes a tutorial on how to use OpenZeppelin with Truffle and Ganache.
These contracts are intended to be imported, and their methods are also intended to be covered as needed. The file itself should not be modified.
The OpenZeppelin library contains a set of contracts for publishing tokens on the Ethereum platform - for ERC20 tokens, including BasicToken contracts, BurnableTokens, CappedTokens (mintable tokens with fixed caps), MintableTokens, PausableTokens ( Token transfers can be suspended). There is also TokenVesting (a contract that can gradually release its token balance like a typical vesting plan, with cliff periods and vesting periods) and so on.
There are also some contracts for ERC721 tokens (or irreplaceable unique tokens of the type CryptoKitties).
also includes the ERC827 token contract, which is used to send data when trading tokens.
There are also some crowdfunding contracts - contracts for initial token offerings. These contracts can record purchases, deliver/issuance of tokens to buyers, and forward ETH funds. There are also some features for verifying and processing token purchases.
FinalizableCrowdsale contract allows certain logic to be executed after sale. PostDeliveryCrowdsale allows withdrawals to be frozen until the crowdfunding is over. RefundableCrowdsale is an extension of the Crowdsale contract that adds financing targets and the possibility that users can get a refund if the target is not met.
The destructible contract can be destroyed by the owner and all funds are sent to the owner. There are also some contracts used to achieve pauseability of subcontracts.
OpenZeppelin provides many aids and utilities for ICO--for example, a contract that can recover ERC20 tokens sent to an ICO address instead of ETH. An inheritable contract allows the transfer of ownership to another owner in certain circumstances. The Ownable contract has an owner address and provides basic authorization/authorization and transfer of ownership.
RBAC contracts provide role-based access control utility. We can assign different roles to different addresses, and there is no limit on the number of roles.
Zeppelin also provides an example of crowdfunding startup Truffle project that has not been audited, so it is best to use it as a primer for using OpenZeppelin. It makes it easy to quickly start crowdfunding and tokens.
ZeppelinOs is an open source, decentralized tool and service platform built on EVM to securely develop and manage smart contract applications.
In fact, this is the middleware layer above EVM, which goes a step further than the current OpenZeppelin framework. Zeppelin Solutions here promises to enable developers to select the variability of their deployed code through upgrade mode. Those who write smart contracts for EVMs know that one issue/restriction is the immutability of deployed contracts: once you enter the blockchain, the contract cannot be changed. That's one of the reasons why ZeppelinOs' promise is so attractive.
So far, in order to "update" the contract, two contracts need to be deployed - one as a proxy with an interface and the other as an implementation. The proxy's function will be called and the request will be forwarded to the implementation. Then, if changes are required, switch the implementation in the proxy (repositioning another implementation and having the option to turn off the original implementation with the suicide function), and the new implementation will be activated seamlessly.
We are looking forward to the future adoption of ZeppelinOs by the community. Zeppelin Solutions has mentioned some non-trivial participants such as OpenBazaar, district0x, storj.io, and they are using ZeppelinOs.
Truffle framework is the development environment, testing framework and asset pipeline of Ethereum. It is the most complete tool set and the most widely used tool set among Ethereum developers. Truffle's ecosystem includes many Truffle boxes—boilers that include front-end JavaScript code, Solidity contracts, and workflow utilities such as boilerplate webpack projects with their toolsets, such as migration, testing, building pipelines, and more. Truffle Boxes can include a complete starter dapp.
Some officially supported boxes include:
Community-created boxes also bring boilerplate to the mobile application/Status IM integration contract, or provide Angular and Vue.js boilerplate, etc.
These boxes are integrated with Truffle, so we can start them by running commands like truffle unbox react - this will download the React box and install its dependencies locally.
TokenMarket is another company that has released Solidity contracts and tools for managing token sales/ICOs. It is a limited company registered in Gibraltar and engaged in ICO consulting business. It won the "Best ICO Consultant" award at the 2018 Crypto World of Berlin.
Tokenmarket's ICO repository on GitHub says one of its design goals/principles is to use or build existing OpenZeppelin contracts, calling it the gold standard for Solidity contracts. Therefore, most of TokenMarket's ICO code base is based on OpenZeppelin's code base and then further builds on it (by inheriting in an object-oriented manner).
TokenMarket periodically (trying) to keep in sync with its upstream code base OpenZeppelin. However, it also adds more content, such as:
EVM is Turing-complete, so all these different contracts can't even drain its full functionality remotely, despite the lot of code in the repository we're discussing here. If the system (Ethereum) can survive and continue to be competitive, and there are enough people on the network, we can expect greater versatility of the problems these blockchain contracts are trying to solve.
Consensys Ventures is a Swiss venture capital firm that positions itself as a venture capital firm in the decentralized space—especially in the Ethereum space. In addition to the other resources they provide for protected companies, they have compiled a brief compilation of Ethereum smart contract best practices. While this is not strictly code, it still contains a lot of examples of the pros and cons of Solidity code.
It focuses on the best security practices of Solidity smart contracts.
The complete list of topics is beyond the scope of this article, as the resource is very comprehensive and even a read-away reminder for smart contract developers to keep in mind when writing software for EVMs. This is especially true if someone writes a program from scratch (not relying on ready-made and proven code like OpenZeppelin).
Some articles involve external calls, avoiding state changes after external calls, handling errors in external calls, prioritizing pulling rather than pushing for external calls, understanding the trade-offs between abstract contracts and interfaces, and not assuming that contracts are used Zero balance creation, distinguishing between functions and events, multiple inheritance considerations, warnings about timestamp dependencies and playability of such structures (for example, using blocks) – and many other such tricks, with lots of code Example.
Then are token-specific warnings, warnings related to token standards, software engineering techniques, security tools - for static analysis, testing, code checkers, etc.
They also listed known attacks, including those calling external code and contracts, functions that can be called repeatedly in this case, reentry issues, cross-function race conditions, where they analyzed a series of problems, Some of these problems are manifested in the DAO hacking incident.
They further mentioned transaction sort dependencies, timestamp dependencies, integer overflow and underflow, different types of DoS attack possibilities/points, such as using block gas-limited DoS, and then forcibly sending Ether to the contract ; They also analyzed historical and deprecated attacks. Be sure to read their documentation.
In this introduction to the ecosystem, we introduce some of the available resources for smart contracts that are well written on Ethereum virtual machines that can be used for production. This includes reuse of audited and verified code (OpenZeppelin claims more than $4 billion in cryptocurrency runs on its contract) and learning to write your own secure, production-ready software.
We are very sure this list is not complete. Have we missed anything worth mentioning? Please tell us!
OpenZeppelin is a library for secure smart contract development. It provides implementations of standards like ERC20 and ERC721, which you can deploy as is, or scale to your needs, as well as Solidity components for building custom contracts and more complex decentralized systems. OpenZeppelin helps protect blockchain projects from common threats by providing tested and community-audited code.
OpenZeppelin ensures the security of smart contracts by providing a tested, reusable and secure code base. The OpenZeppelin Contracts library is the most widely used solution in the development of Ethereum smart contracts. It is designed to be a safe and reliable code resource that developers can reuse, thereby reducing the scope of potential vulnerabilities in a single smart contract.
OpenZeppelin provides upgrade plugins that you can use to upgrade smart contracts. These plugins provide an easy and secure way to upgrade smart contracts over time to add new features or fix bugs. These plugins are designed to work with Truffle and Hardhat development environments.
Truffle is the development environment, testing framework and asset pipeline of Ethereum. It plays a crucial role in OpenZeppelin by providing a test environment for smart contracts. Truffle's suite of tools helps developers create, compile, deploy and test smart contracts in a unified environment.
To use OpenZeppelin with Truffle, you need to install both in your project. Once the installation is complete, you can import the OpenZeppelin contract into your own contract and expand it according to your needs. Truffle will be used to compile and deploy your contract.
OpenZeppelin provides a cornerstone of stability and security for your Solidity project. It provides a tested, reusable and secure code base that can help protect your projects from common threats. It also provides tools to upgrade smart contracts, allowing you to add new features or fix bugs over time.
The OpenZeppelin community welcomes the contribution of developers. You can contribute by reporting bugs, suggesting new features, or writing code. All contributions will be audited by the community and will help improve the security and functionality of OpenZeppelin.
While OpenZeppelin is primarily designed for use in Ethereum, many of its principles and libraries can be applied to other blockchain projects. However, specific implementation details may vary depending on the blockchain platform you are using.
OpenZeppelin provides implementations of the ERC20 and ERC721 standards that you can deploy as is or scale to your needs. These implementations are safe and reliable, and are tested and community-audited.
While OpenZeppelin is a popular choice for Solidity development, there are other libraries and frameworks available. These include Truffle, Hardhat, and Ether.js. Each has its own strengths and weaknesses, and the best choice depends on your specific needs and preferences.
The above is the detailed content of Quality Solidity Code with OpenZeppelin and Friends. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
