How Strong is Your Smart Contract’s Security? Says Who?
By Chaals Nevile, EEA Director of Technical Programs, and Editor of the EEA EthTrust Security Levels Specification v1
The EEA’s EthTrust Security Levels Working Group recently published version 1 of the EEA EthTrust Security Levels Specification. This is an important new EEA technical specification, outlining requirements for security audits of smart contracts. With the increasing value of Ethereum Mainnet, and the increasing role of Solidity/EVM smart contracts in many blockchains, this topic is only becoming more important.
The specification sets out three levels of requirements, from those that can be tested automatically with a piece of software (Security Level [S]), to a thorough analysis covering coding quality and accuracy of documentation.
The Security Level [S] check for obvious issues might be sufficient for a low-value piece of simple code, while a full static analysis by an expert to ensure your code meets the requirements of Security Level [M] provides stranger guarantees for important contracts. Security Level [Q], with a deep and careful assessment of business logic and coding quality is more appropriate for a critical contract that will handle substantial value, or for code that is going to be re-used in multiple projects.
Security auditors who refer to this specification can show they cover the gamut of known vulnerabilities in their testing procedures. This provides a neutral benchmark, to help customers pick an appropriate level of security review and understand its implications.
Developers familiar with the specification will be able to anticipate many issues that a quality security audit would uncover, reducing the cost of remediation and enhancing their own skills and efficiency.
Until now, the best approach to ensuring that smart contracts were secure has been to choose a reputable company to do audits, or perhaps two to be on the safe side. While these companies exist, some have a long backlog of work. Meanwhile it has been hard for even high-quality newcomers to establish themselves in the market, because there was no external standard to validate their work.
This EEA specification is intended to address that gap in the ecosystem. Ensuring that the security audit you are getting complies to the corresponding EthTrust Security Level now offers a neutral, industry-validated quality check for this critical service.
Because this specification has been developed with the participation of many of the major players in smart contract security it serves as an independent quality mark, rather than one company’s opinions. As noted in the acknowledgements of contributors, it has been crosschecked by numerous security experts from multiple competing organizations to ensure that it underpins good quality standards for the industry.
This specification has been developed over the last couple of years, addressing security vulnerabilities from multiple sources. Equally, in-depth reviews from experts working in multiple EEA member organizations have helped to make it as clear as possible.
As a certain level of transparency is important in security, the specification drafts were available to the public even while they were an unfinished work in progress. The first version focuses on contracts written in Solidity but is relevant to any blockchain that runs an EVM.
With the first version published as an EEA specification, the Working Group plans to collect feedback and study how it is used, as well as keep an eye on the ever-evolving field of security, to produce an updated version when that becomes appropriate.
In other future activities the group and the EEA may also consider work such as certification schemes and further tooling to support adoption and increase the overall security of the Ethereum ecosystem.
For now, we are happy to have provided a strong foundation for the entire ecosystem to build on more securely than ever, justifying increased trust in the capability of quality Ethereum developers to safeguard real value and important processes underpinned by smart contracts. The working group is now drafting its next charter and recruiting further members, to maintain the specification and take this work to the next level.