Starting out as a group of blockchain developers, around before the Ethereum genesis block, we’ve amassed hundreds of the foremost experts in every blockchain sub-discipline. As a result, these engineers have gone on to work at ConsenSys and gather extensive knowledge of what it takes to be successful in the blockchain ecosystem. These developers have created some of the fundamental infrastructure and tools for the Ethereum ecosystem, including Truffle, Infura, MetaMask, Alethio, PegaSys, Mythx, and more.
Between May 30 and June 12, 2019, a handful of devs joined forces to answer unanswered questions on Ethereum Stack Exchange. The goal of this initiative was to help improve the on-boarding and developer experience for the Ethereum community.
Q1. — How to verify the security of a contract?
With self-executing, open-source contracts, where anyone in the world can see inside, know how much money is there, and watch how it works security is a huge risk. One mistake and hundreds of millions of dollars can get stolen or frozen (e.g. the DAO, Parity multi-sig wallet hack). So, of course, a common question is how do I verify the security of my contract?
StackOverflow user Cognus asks:
“Any recommendation for a reliable smart contract auditing/testing service? I need to have my smart contract (written in Ethereum solidity) thoroughly audited for potential security, efficiency problems.”
Oisin, a blockchain architect at ConsenSys Dublin, gave a great answer with the many options available.
“As a good place to start, I would integrate your build/test pipeline with Mythx. If you use truffle for building your smart contracts, you can easily incorporate mythx with this project. If you want to get a professional audit done, you can talk to Consensys Diligence”
You can use MythX API to run analysis on your codebase to check for common security flaws and exploits. They are also working on IDE integration to help you right better Solidity code in real time.
There are also more advanced options out there for smart contract auditing. The most popular in the Ethereum space is formal verification with K. Formal verification is an exhaustive process to define the semantics of your entire program. A great example of what using K looks like is Gnosis who uses it to verify Gnosis Safe, their multi-sig wallet.
A similar question was asked about automated testing of smart contracts to make sure they compile when making PRs and merges before you deploy them. (hint, the answer is Truffle )
Q2. — Why do smart contract languages have to be deterministic?
Satoshi Nakanishi asks, “Why do smart contract languages have to be deterministic?”
This is a pertinent question for any blockchain developer. In essence, smart contract languages have to be deterministic because it is a distributed state machine so all nodes have to arrive at the same answers to ensure consistency across the network.
Nicolas Massart, Ethereum Stack Exchange mod and software engineer at ConsenSys R&D division PegaSys gives an in depth answer:
“As reminded in the first comment from Richard, smart contracts have to be deterministic because each nodes of the network have to be able to find the same result given the same input for a contract method. Otherwise each node that executes the contract method to validate the transaction would end with different results and no consensus would be possible.
But why the smart contract language itself such as Solidity have to be deterministic? It doesn’t have to be.
Solidity is deterministic because it’s a convenient language well designed for its purpose, but the Lisk network for instance uses standard JavaScript which is not deterministic. That means that nothing can avoid the use of a method to generate a random value in Lisk smart contracts. Developers thus have to be very careful to avoid using non deterministic functions. Sometimes this can be tricky. Math.random() function is obvious, but some other math methods can use roundings that won’t always give the same result or some date functions as the new Date() which gives the current date and is thus non deterministic. As you can read in the Lisk documentation developers are warned not to use this functions. But if you are not careful you can completely wreck your contract.
The power of Solidity and other deterministic languages is that developers don’t even have to care about determinism because there is no non deterministic functions in the language.”
Julien Marchand, Tech Lead at ConsenSys Paris added:
“The determinism prevent any fork in the network. The same goes for Solidity which uses the EVM.
To complete @NicolasMassart ‘s answer and @user1870400 comment that proposes to generate random values based on a possible Solidity implementation of the Go code used for random number generation, based on https://golang.org/src/math/rand/rng.go you can notice that this code doesn’t rely on any random at all but uses hard coded entropy.
If you try it twice without specifying entropy, you’ll get the same predictable result. To use this in a concrete use-case, you’re supposed to bring your own source of entropy, i.e.: rand.NewSource(time.Now().UnixNano()) for example.
Hopefully inside the EVM, each source of entropy generate the same value for a single transaction across each node of the network, whether you use the timestamp (aka block.timestamp or now — because it’s the timestamp of the time the block was issue by the single miner of this block) or any other pseudo random value.
So even implementing this algorithm in a smart contract using Solidity will lead to a deterministic result.“
ConsenSys Paris developers answering questions on Ethereum Stack Exchange
Q3. Solidity — How to integrate Drizzle with React?
Blockchain is a globally distributed database that revolutionizes how data and applications are built. But how do you bring that backend to life in your application? React is one of the main web application frameworks with lots of different state management approaches, let’s see what one example of Ethereum -> React data flow.
User51347 asks:
“I have currently set up a truffle project with react, redux and react-router. I just finished writing my first implementation of the smart contract, and now want redux to connect with the smart contract. I have tried reading up on several pages, including this: https://truffleframework.com/docs/drizzle/getting-started/using-an-existing-redux-storeHowever, I can’t seem to figure this out. I have now set up my store as follows:”
import { createStore, applyMiddleware } from ‘redux’;
import thunk from ‘redux-thunk’;
import rootReducer from ‘./reducers/rootReducer’;
import ItemList from “./utils/getItems”; //drizzle
import { generateContractsInitialState } from “drizzle”;
import ItemOwnershipContract from “./contracts/ItemOwnership.json”;
export default function configureStore() {
const options = {
contracts: [
ItemOwnershipContract
]
}
const initialState = {
contracts: generateContractsInitialState(options),
account: “1”,
items: new ItemList().itemList,
equipSelector: “0”,
raritySelector: “0”,
chosenItems: [-1, -1, -1]
}
const enhancers = applyMiddleware(thunk) &&
(window.__REDUX_DEVTOOLS_EXTENSION__ &&
window.__REDUX_DEVTOOLS_EXTENSION__());
return createStore(
rootReducer,
initialState,
enhancers
);
}
(apologies for the indentation).
How do I now do the following:
1. Get account address from current user?
2. Do I still need to use web3 to see if I have [a] connection with the given blockchain?
3. Will this automatically update the store whenever the content of the smart contract gets updated? Or do I need to force update it?
4. In that article, they simply call generateContractsInitialState() on “./drizzleOptions”, but never shows us the file. What will it contain? A way struct with the contracts array field, and passed in a json file?
5. do drizzle store my current account address, or do I need to use web3 to fetch that?
I am aware there is a lot of questions here, but I am not very familiar with any of these tools, so I don’t quite understand it. Thank you in advance!”
Amal Sudama, a software developer from Truffle answered:
“I also recommend reviewing Truffle’s drizzle box, as an up to date example of integrating with drizzle.
Drizzle is a state manager implemented in Redux that will handle loading web3 and will sync the currently selected address of the web3 provider. It will also sync contract state for registered contracts by automatically scanning transactions for contract updates in newly mined blocks.generateContractsInitialState is called internally when a contract is registered with Drizzle and should not be invoked directly.
Two resources for your consideration:
- Contract event Tutorial that makes use of the drizzle box“
Drizzle brings in a powerful mechanism for interacting with contract data inside your dapps front-end. It abstracts away a lot of the work of managing the user’s address you want to interact, keeping your UI synced with contracts data as it’s updated on-chain, and managing async transactions sent by the user or events received from the contracts you specify.
Using React’s data driven rendering plays nicely with the async yet deterministic nature of smart contracts making it an ideal library to use when building dapp front-ends. Truffle has maximized this by offering a simple and easy way to marry the two together, in an easily adaptable library. Like any redux store, Drizzle lets you insert custom middleware to go beyond mere data synchronization and activate external services when contract events are emitted. You can also setup your own sagas, reducers, higher-order components, etc. allowing you to adapt your dapps state management as your contracts develop over time.
List of the tags + sections where Ethereum Stack Exchange questions were answered:
- Contract-design
- Protocol
- Remix
- Web3js
- Solidity
- Geth
- Precompiled contracts
- Private blockchains
- Tokens
- ERC-20
- Web3j
- Infura
- Ecdsa
- Javascript
- Transactions
- Cryptocurrencies
- Drizzle
- Truffle
- Arrays
- Metamask
- Ganache-cli
- Dapp development
- Contract development
- Contract debugging
- Contract invocation
- Local variables
If you really want to step up your game, check out these resources:
- Common attack vectors and hacks on Ethereum contracts
- Best smart contract best practices
- Blockchain Developer On Demand Program
- Blockchain Developer Job Kit
There is no better way to get relevant advice than from the first-hand experience of senior developers. Ethereum is known for our talented, inclusive, supportive developer community willing to take time out of their busy schedules to support developers in need. Ethereum has become the best platform to build on because developers, like these from ConsenSys, continually contribute to open source code and knowledge every day.
Every question and answer counts! Head to the Ethereum Stack Exchange to lend your Web3 expertise. Help developers all over the world, sharpen your skills, and buidl the future.