
Vulnerability Detection in ink! Programming Language

Submitted by Style Pass, 2023-04-01 02:00:06

CoinFabrik received a grant from the Web3 Foundation to study and build a proof-of-concept tool for detecting security vulnerabilities in ink! smart contracts. It’s been an interesting ride: we identified the possible bugs in ink!, designed methods to detect them, and built a sound proof-of-concept toolset. The toolset clearly shows that an ink! vulnerability-detection tool is buildable, that it can be built iteratively, and how it would help ink! developers.

Parity’s ink! is a language for developing smart contracts on Substrate-based blockchains. In the case of Substrate parachains, like Kusama and Polkadot, smart contracts can be deployed when the parachain contains the Contracts pallet, and in that case the smart contracts are deployed to the execution environment as WebAssembly. Parity’s ink! is an embedded domain-specific language for Rust that compiles to the WebAssembly accepted by Substrate’s execution environment.

Software engineering, and in particular static and dynamic analysis, has made great progress in vulnerability detection. The starting process appears to be simple: collect a good number of programs that contain vulnerabilities and a good number that contain none, all annotated with precise information about the vulnerabilities, then build a tool that has good precision and recall, and you have a start!
