Top ten smart contract security risks

By the Blockchain Security Team at Coinbase

Securing smart contracts from risks remains hard. Unaddressed security vulnerabilities readily turn into existential threats to your token’s viability. So how can asset issuers prevent smart contract vulnerabilities from leading to real financial losses on token networks?

Keep users’ tokens and token networks safe from attackers by teaching developers to write smart contracts and design robust testing based on this list of ERC-20 implementation risks.

In Introducing Solidify, we shared how the Coinbase blockchain security team performs smart contract vulnerability review at scale. A meta-analysis across a few hundred token Solidify security reports produced a list of the most frequent and severe risks, ranked by potential impact on token network security.

The top ten Smart Contract Risks (SCR) fall into three categories:

  1. Operational Risks — Authorization features that are exploited when token network governance is insufficient or flawed
  2. Implementation Risks — Intrinsic errors that result in unintended smart contract behavior
  3. Design Risks — Accepted system features that are exploited to alter intended smart contract behavior

OPERATIONAL RISKS

SCR-1: Super User Account or Privilege Management

The smart contract implements functions that allow a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

SCR-2: Blacklisting and Burning Functions

The smart contract implements functions that allow a privileged role to prohibit a specific address from exercising an essential functionality.

SCR-3: Contract Logic or Asset Configuration can be arbitrarily changed

The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

SCR-4: Self-Destruct Functions

The smart contract implements a function that allows a privileged role to remove the token contract from the blockchain and destroy all tokens created by the contract.

SCR-5: Minting Functions

The smart contract implements a function that allows a privileged role to increase a token’s circulating supply and/or the balance of an arbitrary account.

IMPLEMENTATION RISKS

SCR-6: Rolling Your Own Crypto and Unique Contract Logic

The smart contract implements functions that allow the holder of a privileged role to unilaterally and arbitrarily alter the functionality of the asset.

SCR-7: Unauthorized Transfers

The smart contract contains functions that circumvent standard authorization patterns for sending tokens from an account.

SCR-8: Incorrect Signature Implementation or Arithmetic

The smart contract contains operations that can result in unexpected contract states or account balances.

DESIGN RISKS

SCR-9: Untrusted Control Flow

The smart contract invokes functions on different smart contracts in order to trigger functionality not defined within the contract itself.

SCR-10: Transaction Order Dependence

The smart contract allows asynchronous transaction processing that can be exploited, through mempool transaction reordering, for profit or to undermine protocol correctness.
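As an added example (not part of the original post, and not Coinbase's Solidify tooling), a small Python triage pass that maps the operational-risk definitions above (SCR-1 through SCR-5) to source-level indicators in a constructed ERC-20 token; the token source, rule names and regexes are all assumptions for illustration:

```python
"""Heuristic triage of Solidity source against SCR-1..SCR-5.

Added example, not Solidify.  Matches are review indicators for a human
auditor, not proof that a token is unsafe.
"""
import re
from typing import Dict, List

# Constructed sample token that exhibits several operational risks.
SAMPLE_TOKEN = """
contract SampleToken {
    address public owner;
    mapping(address => bool) public blacklisted;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
    function blacklist(address who) external onlyOwner { blacklisted[who] = true; }
    function kill() external onlyOwner { selfdestruct(payable(owner)); }
    function setTransferFee(uint256 bps) external onlyOwner { transferFee = bps; }
    function transfer(address to, uint256 amount) external returns (bool) { return true; }
}
""".strip()

# (risk id, regex) pairs, one per operational risk in the list above.
RULES = [
    # SCR-1: a privileged role exists (a modifier gating access to a super user).
    ("SCR-1", r"\bmodifier\s+only\w+"),
    # SCR-2: per-address blocking state or functions.
    ("SCR-2", r"(?i)\b(blacklist|blocklist|frozen|freeze)\w*"),
    # SCR-3: a privileged setter that changes asset configuration.
    ("SCR-3", r"\bfunction\s+set\w*\s*\(.*\bonly\w+"),
    # SCR-4: the contract can be removed from the chain.
    ("SCR-4", r"\bselfdestruct\b"),
    # SCR-5: supply can be increased after deployment.
    ("SCR-5", r"\bfunction\s+mint\w*\s*\("),
]


def triage(source: str) -> Dict[str, List[int]]:
    """Return {risk id: [1-based line numbers]} for every rule that fires."""
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for risk, pattern in RULES:
            if re.search(pattern, line):
                findings.setdefault(risk, []).append(lineno)
    return findings


if __name__ == "__main__":
    for risk, lines in sorted(triage(SAMPLE_TOKEN).items()):
        print(f"{risk}: lines {lines}")
```

Each flagged line is a starting point for the reviewer to check whether the privileged capability is governed (multisig, timelock, documented policy) or is an unmitigated operational risk.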

For Coinbase customer funds’ safety, the Coinbase blockchain security team assesses all tokens being considered for listing for proper risk mitigations according to the above vulnerabilities. If you’re looking to get a token listed on Coinbase, we encourage you to check your token’s security by reviewing and testing for the aforementioned risks.

Future posts will help you review your token’s security by examining the top Smart Contract Risks in detail and will also provide countermeasure recommendations.

If you are interested in listing your token with Coinbase, visit the Coinbase Asset Hub. If you are interested in securing the future of finance, Coinbase is hiring.


Top ten smart contract security risks was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


Embracing decentralization at Coinbase

The cryptoeconomy is still in its early stages, but it is clear that every year more and more economic activity will take place on crypto rails. Coinbase is the trusted bridge to the cryptoeconomy today, but we need to become the place people also go to actually participate in the cryptoeconomy.

We’re seeing crypto quickly mature from its initial use case of trading bitcoin to the trading of thousands of new assets, and the adoption of new use cases like Decentralized Finance (DeFi), NFTs, smart contracts, Decentralized Autonomous Organizations (DAOs), and more. Much of this is relatively new and there are challenges to using it, but I see it as the future of where this industry is going. In the same way we helped people access Bitcoin for the first time in a trusted, easy way — we need to do the same for the decentralized cryptoeconomy.

The use cases are here

For years, people at conferences and journalists would ask me, “Where are the use cases?” We’re finally seeing a wide range of emergent applications and products get traction. From NFTs, to a broad array of new dApps (decentralized apps), the cryptoeconomy is growing at an incredible pace, and I think this will continue to accelerate. Like the internet, or the mobile app stores, we’re seeing developers rush into the space to use these new tools to develop innovative use cases that we couldn’t have imagined before.

The opportunity for Coinbase

Our centralized (CeFi) products will continue to play a critical role in the growth of the cryptoeconomy. But the decentralized cryptoeconomy will also be a major area of growth. With all of this new innovation coming to crypto, we have a massive opportunity to give our customers access to these new products and features. Here are some of the ways we’re going to tackle this:

  1. Bring more assets to Coinbase, faster: A few years ago we developed a rigorous process for evaluating new assets to list on our exchange (analyzing legal, security, compliance, and other risks). This process has been essential to responsibly growing our offering to date. But we need to move faster. We need to treat asset issuers as the very important customers they are, rolling out the red carpet, and courting them, and promptly responding to their inquiries. The goal is to list all legal assets and empower users to make their own risk-adjusted decisions.
  2. Crypto is global, and we need to be too: Coinbase was founded in the US in 2012. We’re now a global company, with our products offered in >100 countries. We need to move from shipping products that cater only to the US (or UK/EU) to shipping products that work globally. This will increase the number of people who have access to our products and further our mission of increasing economic freedom in the world.
  3. Build the crypto app store: Apple didn’t attempt to build every app for the iPhone; it empowered developers and gave mobile users an easy way to access new innovative apps. We need to do the same in crypto. There are now tens of billions of dollars of economic activity running on dApps, and a new trend emerging every three months. We’ll work to give our users easy access to all of this from the main Coinbase product.

Here are our next steps

Improve our asset addition process

  1. Reduce the burden on asset issuers: We’re simplifying inputs onto our legal review from 70 questions to 12 questions that get at what most raises concerns under the law. We’re also working through optimizing our Compliance and Security reviews.
  2. Create an “experimental” zone for new assets: We need to be able to support new assets, but there may be additional risks for these networks (e.g. low liquidity, bugs in the code, etc). Because these assets often come with more risk than long standing and tested assets like Bitcoin, we need to make sure we are disclosing these risks to our customers appropriately, and enabling them to make educated decisions.
  3. Move towards approving most assets for store/send/receive: We may not be able to trade every asset on our centralized exchange (for regulatory reasons), but we believe we can enable access to most assets for basic wallet functionality.

Have an International-first mindset

We put a huge amount of effort into working with regulators in the US, UK, EU, etc., which has generated an enormous amount of value for customers in these regions, but it can also lead to products that are hyper-focused on the western world. We’re going to flip this approach on its head by shipping more products in international markets on day one, while still partnering with regulators in more established markets to ensure our products are compliant with their local rules. This is also better aligned from a mission point of view, because sometimes international markets are even more in need of the economic freedom that crypto can provide.

Embrace third-party interfaces and self-custody

Soon any app built on decentralized crypto rails will be accessible to users of the Coinbase app. Our customers’ wallets and identities should seamlessly integrate into any of these apps. Part of this change will be embracing new wallet technologies, including those that allow for safe and easy self-custody. In the future you will have the option to self-custody your crypto, right in the main Coinbase app.

Conclusion

The crypto industry is changing rapidly. The products that the most crypto-forward people are using today will be used by mainstream customers in a year, and by institutions a few years after that. We need to start integrating them today. Coinbase has shown that it can be a great crypto 1.0 company. Our next step is to show that we can be a great crypto 2.0 company.

This effort all ties back to our mission, which is to increase economic freedom in the world. Many of the most innovative use cases in crypto are being created in decentralized apps. By fully embracing this trend we can put crypto in the hands of more people around the world and thereby increase their economic freedom.

If these challenges excite you, please join our amazing team and come help build the cryptoeconomy.


Embracing decentralization at Coinbase was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


MoneyGram Slapped With Class-Action Lawsuit For Issuing Misleading Statements Concerning XRP

More Woes For XRP As MoneyGram Suspends Trading On Ripple's Platform

The fiasco surrounding the legal status of Ripple’s cryptocurrency XRP continues to unfold as a new lawsuit filed against MoneyGram puts pressure on the case. MoneyGram, presently the world’s second-biggest money transfer service provider, is being sued for allegedly making false statements regarding its relationship with Ripple and also for failing to reveal that XRP […]


Nigeria’s Vice President makes a surprising case for Cryptocurrencies

Nigerians bounce back with a defiant response to the government’s Bitcoin ban

A contradictory statement has recently been made by Nigeria’s Vice president Prof. Yemi Osinbajo, concerning the recently imposed Cryptocurrency ban by the country’s Central bank. The Vice President explained at the CBN bankers committee economic summit, that digital currencies are an inevitable part of the country’s economy. Prof. Osibanjo makes a fair case for digital […]


An Iranian Think Tank Recommends the Use of Cryptocurrencies to Circumvent Sanctions

An Iranian Think Tank Recommends the Use of Cryptocurrencies in Circumventing Sanctions

A think tank affiliated with the Iranian Presidency has unveiled a study report that encourages the use of cryptocurrencies in circumventing sanctions against the country. In addition, the report also claims the government could potentially “generate US$2 million a day and $700 million a year in direct revenue from cryptocurrencies.”

Employment Opportunities

Meanwhile, as reported […]