The team at digital assets firm Coinbase (COIN:Nasdaq) notes that securing smart contracts against known risks remains a significant challenge.
As mentioned in an update shared with Crowdfund Insider, Coinbase noted that unaddressed security vulnerabilities are “readily turning into existential threats to your token’s viability.”
So how can asset issuers “prevent smart contract vulnerabilities from leading to real financial losses on token networks?” According to Coinbase, this can be achieved by keeping users’ tokens and token networks “safe from attackers by teaching developers to write smart contracts and design robust testing based on this list of ERC-20 implementation risks.”
Coinbase also introduces Solidify (a tool to automatically detect and classify smart contract security risks), while revealing how the Coinbase blockchain security team carries out smart contract vulnerability reviews “at scale.” A meta-analysis across a few hundred token Solidify security reports “resulted in a list of most frequent and severe risks based on potential impact to token network security,” the announcement noted.
The top ten Smart Contract Risks (SCR) fall into the following main categories:
- Operational Risks — Authorization features that are “exploited when token network governance is insufficient or flawed”
- Implementation Risks — Intrinsic errors that “result in unintended smart contract behavior”
- Design Risks — Accepted system features that are “exploited to alter intended smart contract behavior”
While providing details on operational risks, Coinbase noted that the smart contract “implements functions that allow a privileged role to unilaterally and arbitrarily alter the functionality of the asset.” The smart contract could also “implement functions that allow a privileged role to prohibit a specific address from exercising an essential functionality,” the Coinbase technical team noted.
They also mentioned that the smart contract may “implement functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.” They further noted that the smart contract could “implement a function that allows a privileged role to remove the token contract from the blockchain and destroy all tokens created by the contract.”
Additionally, the smart contract may end up implementing a function that “allows a privileged role to increase a token’s circulating supply and/or the balance of an arbitrary account.” While going over implementation risks, Coinbase added that the smart contract might implement functions that “allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset” or “circumvent standard authorization patterns for sending tokens from an account.”
Furthermore, the smart contract contains operations that can “result in unexpected contract states or account balances.” While addressing design risks, Coinbase noted that the smart contract “invokes functions on different smart contracts in order to trigger functionality not defined within the contract itself.” They added that the smart contract “allows asynchronous transaction processing that can be exploited for profit or protocol correctness through mempool transaction reordering.”
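To make the operational risks above concrete, here is an added illustration (not Coinbase's or Solidify's code, and not a full ERC-20 implementation): a stripped-down token whose single owner key can mint arbitrary balances, block a chosen address, and destroy the contract, followed by a variant that removes the blocklist and selfdestruct, hard-caps supply, and puts minting behind a two-step schedule-then-execute delay. The `governance` address, the `MINT_DELAY` value and all contract and function names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Coinbase's code): a minimal token showing the
// privileged-role ("operational") risks from the list, beside a mitigated form.
// Only the functions needed to show each risk are included; not a full ERC-20.

/// Risky pattern: one externally owned key can mint to anyone, block anyone,
/// and remove the contract. Each of these is one of the listed operational risks.
contract RiskyToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blocked;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Risk: privileged role increases circulating supply and any balance at will.
    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Risk: privileged role prohibits a specific address from transferring.
    function setBlocked(address who, bool isBlocked) external onlyOwner {
        blocked[who] = isBlocked;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blocked[msg.sender], "sender blocked");
        balanceOf[msg.sender] -= amount; // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }

    // Risk: privileged role removes the contract and, with it, every balance.
    function kill() external onlyOwner {
        selfdestruct(payable(owner));
    }
}

/// Mitigated variant: no selfdestruct, no blocklist, supply hard-capped, and
/// minting split into a schedule step (governance only) and a delayed execute
/// step, so a pending mint is visible on-chain before it takes effect.
contract HardenedToken {
    uint256 public constant MINT_DELAY = 2 days; // assumed value for the example
    uint256 public immutable cap;
    address public immutable governance;         // assumed multisig or governor contract
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    struct PendingMint { address to; uint256 amount; uint64 eta; }
    mapping(bytes32 => PendingMint) public pendingMints;

    event MintScheduled(bytes32 indexed id, address indexed to, uint256 amount, uint64 eta);
    event MintExecuted(bytes32 indexed id);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(uint256 cap_, address governance_) {
        require(governance_ != address(0), "zero governance");
        cap = cap_;
        governance = governance_;
    }

    // Step 1: governance announces the mint; no balance changes yet.
    function scheduleMint(address to, uint256 amount) external onlyGovernance returns (bytes32 id) {
        require(totalSupply + amount <= cap, "cap exceeded");
        uint64 eta = uint64(block.timestamp + MINT_DELAY);
        id = keccak256(abi.encode(to, amount, eta));
        require(pendingMints[id].eta == 0, "duplicate proposal");
        pendingMints[id] = PendingMint(to, amount, eta);
        emit MintScheduled(id, to, amount, eta);
    }

    // Step 2: anyone may execute once the delay has elapsed; the cap is re-checked.
    function executeMint(bytes32 id) external {
        PendingMint memory p = pendingMints[id];
        require(p.eta != 0, "unknown proposal");
        require(block.timestamp >= p.eta, "too early");
        require(totalSupply + p.amount <= cap, "cap exceeded");
        delete pendingMints[id];
        totalSupply += p.amount;
        balanceOf[p.to] += p.amount;
        emit MintExecuted(id);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

The point of the second contract is not that a privileged role disappears, but that its power is bounded (the cap), announced (the event and the pending entry) and delayed (the `eta` check), which is exactly the kind of mitigation a reviewer looks for when a token still needs a minting authority. A test suite for such a token should include cases that try to execute before `eta`, exceed `cap`, and call `scheduleMint` from a non-governance address, and should confirm that no function in the contract can reach `selfdestruct` or freeze a specific holder.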
As stated in a blog post from the crypto firm:
“For Coinbase customer funds’ safety, the Coinbase blockchain security team assesses all tokens being considered for listing for proper risk mitigations according to the above vulnerabilities. If you’re looking to get a token listed on Coinbase, we encourage you to check your token’s security by reviewing and testing for the aforementioned risks.”