UPDATED 14:51 EST / JULY 28 2017

EMERGING TECH

Ethereum smart contracts gets smarter with technology to ‘see’ what they say

The Ethereum blockchain, a cryptographic distributed-ledger protocol, just got smarter for developers and business users with the addition of technology to reduce bugs and exploits.

Using a so-called decompiler dubbed Porosity, Ethereum developers and smart contract users can translate contracts from Ethereum Virtual Machine bytecode – a machine language imprinted on the Ethereum blockchain – into a more human readable code that can be double-checked for errors. Matt Suiche, founder of cybersecurity firm Comae Technologies, unveiled the Porosity decompiler on Thursday’s at the DEF CON 25 hackathon.

One of the promises of smart contracts executed on blockchains is that they allow business users and programmers to write their own self-executing contracts. A contract can hold a particular amount of Ethereum currency until specific conditions are met and then transfer that currency from one account to another. Because Ethereum is a system of distributed nodes, smart contracts execute anywhere at any time, without the worry of a central service suffering an outage, so if Ethereum is down, chances are it’s because the Internet is down.

These contracts are written in code – most often a high-level (human readable) programming language called Solidity that’s similar to JavaScript – and therefore are subject to both human error and computer bugs.

Like any contract, smart contracts written for Ethereum can be reviewed by all parties “signing on” before it is written into the blockchain. Current tools focus on scanning through the source code before it is compiled to the blockchain, looking for weaknesses, errors or potential bugs that might affect the contract before it becomes machine code.

“Blockchain is often referred as secure by design,” Suiche said, “but now that blockchains can embed applications, this raises multiple questions regarding architecture, design, attack vectors and patch deployments.”

The ability to verify code and audit has become especially apparent in the wake of the hack of the Decentralized Autonomous Organization, which led to a thief using Ethereum smart contract bugs to steal over $55 million worth of currency. Much of the damage was eventually reversed, but it opened up a broad discussion in the community about the need for security tools and protocols to better understand the nature and complexity of smart contracts on Ethereum and other blockchain platforms.

“As we reverse engineers know, having access to source code is often a luxury,” Suiche said, referring to the fact that compiled code looks nothing like English and cannot be understood at a glance. He added that Porosity was developed to allow for analysis of already published smart contracts when the source code is not readily available.

With the addition of Porosity, developers can decompile already-published smart contracts on the Ethereum blockchain and examine their code in human-readable formats. This is important because as newly discovered bugs and exploits are revealed, old contracts can be audited for potential problems.

Developers interested in using Porosity to decompile smart contracts can find the source code available as a GitHub project.

Ethereum is a public blockchain and all of its inner workings are visible to the world, including transactions and smart contracts, but private interests such as corporations and governments may desire their own private blockchains.

For the enterprise, Porosity can be used with Ethereum forks such as Quorum, which is a private blockchain network developed by JPMorgan Chase and Co. aimed at financial technology solution users. As of the announcement, Porosity is being packaged and tested together with Quorum as a way to integrate the decompiler into traditional enterprise security workflows.

With Porosity, Quorum users can scan private contracts sent to a node from other network participants, incorporate them into the security and patching process for formalized governance models, and automate risk analysis across the network. Each Quorum node manager can double-check smart contracts after they are submitted to the network potentially catching newly discovered vulnerabilities before they can be exploited.

The new software bundle of Quorum and Porosity is available now via JPMorgan’s GitHub.

Image: Christiaan Colen/CC BY-SA

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU