I was one of those people that used to think and say that blockchain, and the different technologies around it, are solutions for problems that don’t exist. That many people talk about it without knowing any technical details or implications, or focusing on the wrong topics (e.g. politics, finance, etc.) didn’t help either.
However, lately, I have been changing my mind. I’m just starting to explore the technology, but I already think that it is very interesting, new, and that it has much more meat than I thought. I guess I was suffering from the Dunning-Kruger effect: when I didn’t know too much about it, I was more sure about my thoughts. Now I have many questions.
I started changing my mind after reading this excellent blog post about a vulnerability found in a smart contract. The article describes how, by exploiting a vulnerability in a smart contract, it was possible to alter its business logic and steal 350 million dollars. The article talks about “interesting functions”, “commit functions”, “initAccessControls function”… I didn’t understand anything. I thought blockchain was a thing for storing and allowing payments… why is this article talking about code? Some days later I found this CTF challenge on ALLES! CTF. It was about finding the flag on the Solana blockchain. What? And when reading a bit about Solana, it seems that Solana smart contracts are written in Rust (!). What is happening here?
It seems that smart contracts are not some legal digital paperwork, but plain programs. And like almost any program with some degree of complexity, they can have security vulnerabilities. I also discovered that there are bug bounties related to smart contracts like this and this.
I don’t know if smart contracts or anything related to blockchain technology is going to reach traditional businesses, but the fact is that we cannot talk about “future” technology either. It is something in use today, very relevant to many people, and with much money at play.
It is interesting for security, at least from the research point of view, because if smart contracts are programs, they are supposed to face the same problems that traditional programs face: confusing data with code, alteration of business logic, injections, etc. And many areas currently focused on traditional programs could be applied to smart contracts. I’m talking about SAST, DAST (?), fuzzing, etc. I want to focus on the possibilities of static analysis of smart contracts.
I’ll document what I learn in this blog through different articles under the tags Ethereum, Solana, or Smart Contracts.