[HN Gopher] Smart Contract Security Field Guide
___________________________________________________________________
Smart Contract Security Field Guide
Author : dmuhs
Score : 93 points
Date : 2023-07-26 16:03 UTC (6 hours ago)
(HTM) web link (scsfg.io)
(TXT) w3m dump (scsfg.io)
| monero-xmr wrote:
| [flagged]
| zeryx wrote:
| From every lawyer I spoke to about this, this was not a win for
| Ripple but the SEC.
|
| They were found guilty of unregistered offerings to
| institutional. There's no way that the jury/judge won't take
| that prior decision into account with the non-institutional
| tranche. Somehow this was spun as a good thing?
| pcthrowaway wrote:
| I know a lawyer who happens to have a CS background who
| specializes in technology and cryptocurrency law. IIRC he was
| saying this was more of a win for Ripple/crypto, as it paved
| a path for crypto projects to not be classified as securities
| wonderwonder wrote:
| I'm not sure. After this ruling every platform quickly
| relisted xrp. I assume they have pretty good attorneys who
| looked at the ruling and essentially declared "game on".
| Kretinsky wrote:
| On the contrary, all metrics show that VC activity is at the
| lowest, personnal experience tell me that right now new funding
| is very hard to come by.
| yao420 wrote:
| You post this type of message in nearly every crypto thread yet
| every time you are pressed you don't name a single company,
| project, or thought leader.
|
| Personally I've worked at both coinbase and a blockchain
| company called avalanche. I think crypto is scams all the way
| down.
| mikhmha wrote:
| Crypto guys were saying the exact same thing last year too.
| What changed? I kept hearing how there was all these projects
| underway and how I could switch jobs into crypto and make way
| more money.
|
| Now you're saying this year is the year? n+1
| duxup wrote:
| Can someone give me a good use case (even better if you're doing
| it yourself) for a smart contract?
|
| What is anyone doing with them that they find really handy?
|
| I've never been able to understand how it gets used / why you
| would use smart contracts. I've googled and read... still don't
| grok it.
|
| I've seen so many "benefits" listed, but none make sense to me as
| far as the process you go through and how it works out in the
| end. Often it's described as a magic thing that eliminates the
| use of "intermediaries" and so on. I suppose that is true but you
| only get to that by going through all the complexity of from
| making sure someone writes a good contract / getting folks from
| the outside to review and validate it and so on. I'm not sure
| that saved a lot in the end.
|
| Much like a most things blockchain I find these ideas (not bad
| ones) and then the practical usage ... much less than ideal.
| jjordan wrote:
| Arguably the most popular use case is that smart contracts are
| used to create decentralized exchange services. See: Uniswap.
|
| They are also used extensively in the crypto sub-genre called
| DeFi, or decentralized finance. One of the most popular
| implementations is called Aave, which allows one to take loans
| out (i.e. give the contract Ether as collateral, receive an
| amount of USD stablecoin in return) on a given set of assets.
|
| Of course every NFT you ever heard of is essentially its own
| smart contract (specifically one that implements the ERC-721
| standard of functions and public variables), though I'm not
| sure that qualifies as a 'good' use case. ;)
| latchkey wrote:
| This answer right here is, in my opinion, one of the most
| interesting use cases that is available today.
|
| Provide collateral and take out a loan against that
| collateral. It allows people to act as their own bank. No
| longer do you have to go to a bank, ask for permission and
| then get approved for a loan. Now, you can do that yourself,
| instantly, without any trouble at all. Amazing really.
|
| What are those loans used for today? Well, mostly it is about
| interest rate arbitrage and providing liquidity. As a super
| basic example, you can borrow funds at 2% and then lend them
| out again at 3% and make 1%. It is essentially risk free
| (assuming the contract doesn't have bugs/exploits).
|
| The larger picture will be to enable people to be their own
| Kiva's. Crypto often is pushed to 'bank the unbanked', but it
| is more than just holding money. It is enabling people to
| borrow against their existing holdings, effectively allowing
| anyone, globally, to put their savings to work for them,
| without having to rely on a centralized banking system to do
| so. This might not be interesting for USA people, but it is
| especially valuable in countries that don't have a stable
| banking system.
| csumtin wrote:
| Correspondent banking. So say a bank in the States needs to
| send money to one in Spain. They may not have a relationship,
| so they go through an intermediary bank.
|
| You can use a smart contract to eliminate the trust in the
| intermediary bank, so eliminating that counter party risk
| karpierz wrote:
| How exactly does the Spanish bank get the USD that the
| American bank sent without trusting a third party?
| brobinson wrote:
| You don't need to trust when you can verify. The source
| code for the intermediary bank (smart contract) would be
| available for everyone to read.
| karpierz wrote:
| I'm not talking about code.
|
| The goal of the transaction is for the Spanish bank to
| have access to USD. In the example given, the Spanish
| bank would then have to take the crypto it got and trust
| an exchange to give it USD in exchange for the crypto.
|
| How do you get USD to the Spanish bank without trusting a
| third party?
| csumtin wrote:
| USD doesn't have smart contract abilities so yes you are
| correct about trusting a third party to exchange crypto
| to USD. You could use a stablecoin but that requires you
| to trust the stable coin backing.
| chrisco255 wrote:
| They may be willing to accept trusting the dollar-backed
| token issuer. In the case of USDC, it's Circle. But there's
| nothing stopping JPMorgan, BoA, Wells Fargo, Western Union,
| etc implementing their own dollar backed tokens, and I
| suspect we'll see more and more of that as regulatory
| clarity settles.
|
| Maybe the Fed themselves will issue tokens in this way.
| It's also entirely possible to construct a permissioned,
| yet decentralized exchange of tokens among whitelisted
| parties.
|
| Either way USD is never sent trustlessly.
| csumtin wrote:
| Explanation: bankA -> bankB -> bankC.
|
| bankC creates a secret number, hashes it and sends it to
| bankA. bankA sends money to bankB locked to hash. bankB can't
| get money until they have that secret number. bankB sends
| money to bankC locked to hash. bankC reveals secret number to
| bankB to unlock that money. bankB does the same with bankA.
|
| Tada, we eliminated the risk of bankB running away with
| money. This is the lightning network
| csumtin wrote:
| I realise that this might seem a bit niche but we can use
| this to create a payment network(like visa). This system is
| better as the nodes in the network don't need to trust each
| other.
|
| Cast your mind back to 2008 and hopefully this means that
| one bank falling over doesn't bring down the whole system.
| Uptrenda wrote:
| I find posts like this honestly infuriating because its like
| you don't know the first thing about an entire, specialized
| field, yet because its something taking place in tech you feel
| like you're qualified to write about it. Ask the same question
| about chemistry, biology, electrical engineering, or any STEM
| subject, and here's the actual answer: it's beyond the scope of
| a comment on hacker news to spoon feed you an entire fucking
| field in a way that will make sense to you.
|
| You will have to read papers, and think about what works and
| doesn't, over years to understand what is going on. And to be
| ahead of the curve -- you'll also have to do your own
| experiments that 9/10 won't yield any interesting results. In
| the blockchain and 'crypto' industry we also have the problem
| that entry is easy while skilled execution is not.
| Consequently: many fuck-ups have happened. It's easy to point
| to them and say that 'this is the industry' but its really not.
| Those are a few bad eggs.
| jason_pomerleau wrote:
| Genuine question from someone on the outside watching all of
| this: then who are these things for? Apparently not me, nor
| GP, nor my mum and dad. Are we waiting until the Smart People
| sort out all of these complex details to make this stuff
| accessible for regular people?
| kspacewalk2 wrote:
| I genuinely cannot tell if this comment is veiled sarcasm or
| not. That or a question about concrete, practical examples of
| this tech and what unique advantages smart contacts bring to
| the table has hit a real nerve and set you off. If the latter
| is the case, that is of course a telling answer in itself.
| mypastself wrote:
| At the bottom, it's an address holding a program that can
| release funds to another address or a group of addresses (which
| may be wallets or other smart contracts) based on some
| predefined conditions.
|
| There's technically no limit to what you can implement, but
| there's no killer app yet, and it's questionable if there ever
| will be. For me, it's mostly an interesting piece of tech to
| learn about.
| mteigers wrote:
| I have no direct affiliation with this service (nor am I a user
| of it) but I recently learned about "Pool Together" which is a
| "lossless" lottery system. It's a daily lottery that happens
| automatically, you do not need to collect as it happens
| automatically, and you can withdraw all of your capital at any
| time.
|
| I thought that was a decently novel use case.
| coding123 wrote:
| Sounds really unnecessary. What is there not to trust in an
| actual lottery? Are the people that go on TV to show the
| results not worth the job they have?
|
| Why does the website have a starting sentence that includes:
|
| "a passion project I hold dear to my heart."
|
| What is it about lotteries or smart contracts that have
| people that saying "dear to my heart". The only thing "dear
| to my heart" is probably my wife and family. I don't know how
| something related to money could be. And I have a hard time
| trusting a person that has a passion project dear to their
| heart related to lossless lottery systems.
| duxup wrote:
| That sounds amusing ... albeit the lottery aspect makes me
| suspect shenanigans. Is anyone reading the contract to
| understand if it really is what it says it is?
|
| One of those issues is of course that people will need to
| find someone who can read the contract for them, and hope
| they get it right.
|
| Still, good example that is easy to get, seems like easy to
| code and work.
| hn_throwaway_99 wrote:
| First off, wanted to say thanks very much for posting this,
| primarily because I think it _is_ an example that is
| straightforward and easy to understand. That said, I 'm also
| thinking "if this is one of the best, straightforward
| examples people are talking about when referring to 'the
| value of smart contracts', then smart contracts are just
| nowhere near the important tech its boosters believe." (To be
| clear mteigers, not directing this at you, just saying this
| because what you've posted _is_ probably the best example of
| a real-world use case I 've seen).
|
| In summary, what PoolTogether (https://pooltogether.com/)
| does is basically act like a normal savings account, except
| instead of you getting 4% interest a year or whatever, that
| interest is all pooled and then given out in big chunks at
| random - most people get nothing, but "winners" will get what
| is essentially everyone else's interest. Some notes:
|
| 1. I'm not clear what activity they're engaging in that
| actually generates interest (e.g. who they're lending to in
| order to generate a spread), but in fairness I didn't spend
| much going into the details. That said, if they _really are_
| generating income by lending, then I 'm very curious how they
| can't suffer from some of the same negative edge-cases
| inherent in fractional reserve banking, like a run on the
| bank. If they _are not_ generating real income from lending,
| I 'm very suspect about how they can really be generating
| interest. Again, I didn't look much into this, so totally
| admit I could just not be understanding the details here.
|
| 2. I see absolutely no real benefit that comes from doing
| this as a smart contract vs. just doing this as any other
| kind of normal software (e.g. what core banking software
| provides), despite what their blurbs on the website say.
|
| So still just dumbfounded by the lack of real utility in any
| of these smart contract examples I've seen.
| namdnay wrote:
| So they're "premium bonds"? Indeed they have been around
| far longer than crypto
| hn_throwaway_99 wrote:
| Oooh, yeah, sounds exactly like that, which according to
| Google has existed in the UK since 1956. AFAIK we don't
| have anything like that in the US.
| hn_throwaway_99 wrote:
| Wish I could upvote this more.
|
| I'm a reasonably intelligent person. My job requires me to
| learn complex technical details about a bunch of different
| domains - it may take me a while to grok it all, but I usually
| can once I do my research.
|
| The thing that is striking to me whenever smart contracts come
| up is how _extremely rare_ it is to be just presented with a
| simple, understandable, real-world use case that is an
| improvement over existing alternatives. Instead, so often you
| get:
|
| 1. Long missives about how the technology is really cool, but
| that completely sidestep the original question: show me a
| simple example of what a smart contract is used for.
|
| 2. Lots of examples _that are only relevant to crypto in the
| first place_ (i.e. just speculating on valuation movements in
| crypto). What I mean by this is that the purpose of finance (at
| least the intended purpose) should be to provide capital for
| _real_ goods and services. Pretty much all of the smart
| contract examples I 've seen are just, for example, triggers
| related to the prices of a bunch of different tokens.
|
| I would honestly be thrilled if someone could just give a
| simple example of someone actually using this stuff in the real
| world.
|
| OK, please commence all the "HN just always hates on crypto"
| non-responses... (this last sentence is sarcasm but also born
| out of frustration of getting straightforward answers in this
| domain).
| photonthug wrote:
| Escrow is the simple thing. Suppose you want to buy a house
| or a car, and you show up with a bag of money and someone
| else shows up with a set of keys. How to proceed without the
| transaction requiring trust between people who don't know
| each other? If you physically get the car/house/keys, what
| guarantees that title was transferred as expected? Depending
| on the cash volume and the jurisdiction, there is basically
| no established mechanism for doing this peer-to-peer. If
| you're "lucky" then you see a whole industry of middle-men
| created around trying to solve /skim on this, which then
| increases the costs of transaction (say realtors or car
| dealerships). If you're unlucky, then there's simply no way
| to have a trust-free transaction, and you just weigh the risk
| and take it or leave it.
|
| This does seem solvable, right? Because there's only a few
| APIs (bank transfers, title queries) that are involved in a
| fully automatic escrow. Such escrow could be provided as a
| free service by the government, or it might be pay-per-use
| (and simply cost less than markup from dealerships/realtors).
| [deleted]
| duxup wrote:
| One theory I have about all this is that doing deals with
| zero trust is that ... people don't want to do that ... and
| no matter what you do there's going to be this whole
| process around these transactions to provide some
| assurances and so on. On the surface all this title company
| stuff is silly and it is, unless there's a real problem
| with the title and then you want it.
|
| These are human problems.
| hn_throwaway_99 wrote:
| OK, great example, so I'll explain why a smart contract
| couldn't work here at all.
|
| So, to start, going to be clear I'm using your specific
| example of "escrowing funds on purchase of a piece of real
| estate (and I mean actual, real, real estate)". Simple
| enough. But, at the end of the day, who is to say "the keys
| you gave me are really the keys to the house you said you
| sold me"? That is, there needs to be some way to import to
| the smart contract ecosystem "yes, these are the keys to
| the house he sold me, and yes, the seller is the
| unencumbered title holder of this house". There is no real
| way to do that without some sort of oracle, and then you've
| just moved the problem back a step (i.e. you need to trust
| the oracle).
|
| I happen to think title insurance is vastly overpriced in
| many states, but that's not the same thing as thinking that
| title companies (who normally do escrow in the US) don't
| serve a very important purpose. Most importantly, they
| ensure the seller is the actual title holder. And I can
| hear the crypto fans saying "Well, if you just held that
| title on a blockchain, there would be no ambiguity about
| who owns it." But that just pretends that all the real
| world examples don't exist, like a contractor who puts a
| lien on a house because he claims he wasn't paid. Also, in
| the real world, if someone steals the key to your house,
| it's not usually that hard to evict them and change your
| locks. In the crypto world it's "sorry, finders keepers".
|
| So again, this simple example just falls apart on further
| inspection. Very happy to hear why any of the rationale
| I've given above is not correct.
| dale_glass wrote:
| That only works so long the "car" resides entirely within
| the blockchain.
|
| In the real world, there can be disputes after the sale.
| The property might have some horrible undisclosed effect.
| You might have stolen it. Or something else along those
| lines.
|
| Securely swapping a bag of cash for some keys is solving
| the trivial part of the problem, and ignoring the rest.
|
| The blockchain will do its thing and give you the title to
| a house infested from top to bottom with termites, but
| everything went according to the smart contract, so as far
| the blockchain is concerned there's no problem to be
| solved.
| GauntletWizard wrote:
| Escrow's only real value is when a third party steps in to
| judge who's in the right when things go wrong. When Escrow
| works well, it's highly automatable and already
| significantly automated by modern escrow companies. When
| one or both parties try to cheat, then you need human
| intervention, and again; Crypto/Blockchain/"Web3" is
| completely unsuitable.
| freemanon wrote:
| Well it was the same with the internet itself. It's prone to
| hacks, bugs, and outage, and yet today we all use it to manage
| our finances and make payments.
| namdnay wrote:
| Well, for the internet you could say "it allows stores to
| show pages with their products, and people can choose what
| they want to order, give their address and pay it with credit
| card , all without leaving their home"
|
| That's a pretty obvious killer feature of the internet
| dguido wrote:
| I appreciate how organized the Consensys guide is laid out. It's
| pretty easy to read. Trail of Bits has a similar guide that is a
| little more in-the-weeds technically. It also covers, what we
| think is, essential background about certain automated analysis
| techniques like static analysis and how fuzzers work. Check it
| out!
|
| https://secure-contracts.com/
| dmuhs wrote:
| Hi Dan! Small correction: This is not a ConsenSys guide. It's
| my own work. As a private person. :) More content on offensive
| security techniques is yet to come, so stay tuned!
| dguido wrote:
| Oh neat! I didn't realize. It's good! I could have been
| fooled it was done by a whole team :D
| sunshine-o wrote:
| Smart contracts are fundamentally a business technology where
| money is hosted & manipulated natively on the platform. This is
| pretty awesome & could be very dirsuptive.
|
| The problem is at least in ecosystems such as Ethereum you have a
| single line of defense, your smart contract code. And that code
| is written in a poor language with very little security features.
|
| Worst if something go wrong you can maybe pause, suicide your
| contract before your money is gone (what goes again the very
| principle of the platform) or if you are lucky & worked very hard
| on this you might have the chance to upgrade your contract.
|
| The result is any contract being used seriously need to go
| through a long & very expensive by one of the few serious company
| is this field.
|
| For now the Ethereum project have been very focused on solving
| the scalability & decentralization problem but my guess is
| without big progresses on the smart contract security & developer
| experience front no serious actor will ever consider adopting the
| platform.
| [deleted]
| latchkey wrote:
| You're literally commenting on a post that is a reference to a
| website that is trying to encourage a higher level of security
| in smart contracts. People are working on solving this issue.
| jjordan wrote:
| There is a thriving community of security researchers and
| engineers in the smart contract auditing space.
|
| Services like code4rena (https://code4rena.com/) and sherlock
| (https://www.sherlock.xyz/) make audits a public and
| competitive process with leaderboards that track the best of
| the best. Naturally those that rise to the top of these
| leaderboards tend to end up offering boutique auditing services
| due to projects wanting audits from the best of the best in the
| business.
|
| Trust (a pseudo-anonymous auditor's handle) launching Trust
| Security (https://www.trust-security.xyz/) is a perfect example
| of someone who turned public contest success into a highly
| sought after auditing firm. There are other examples, but
| overall smart contract security is undeniably improving over
| time.
| sunshine-o wrote:
| Yes but as you see on code4rena the cost of an audit is about
| $100k.
|
| What is ballpark what a company would pay to have a security
| audit of their website or network for example. So I would
| guess Ethereum has become an "Enterprise" technology because
| of the prohibitive cost of security of its applications?
|
| From what understood originally, blockchain & Ethereum aimed
| removing those actors like banks who can afford high cost of
| licenses, compliance & security of complex systems.
|
| Meaning you could write and execute your will without a
| lawyer and a court system, or write a smart contract to
| manage a condominium and its treasury with the other
| landlords (a $100k audit is out of the question for those use
| cases).
|
| We are hearing less and less about those use cases and talk
| more and more about "Enterprise Ethereum"
| (https://ethereum.org/en/enterprise/) as we find out that
| developing for the platform will be as complex & expensive as
| for a big corporation.
| Veserv wrote:
| But does it work?
|
| Do any of the audits ever come back clean i.e. no detected
| defects?
|
| Are those audits actually serious and representative of the
| resources available to a profitable attack? Many smart
| contracts manage millions, tens of millions, hundreds of
| millions and up in value. Do they actually do multi-year
| audits with a team of 5 that come back clean?
|
| Do they seriously believe and publicly state their design
| processes are better than the best IT systems by Google,
| Apple, Amazon, NSA, FBI, etc.? Because those organizations
| can not get clean audits against red teams with multiple
| people and a few years to work.
|
| That would be a extraordinary claim, do they have the
| extraordinary evidence to back up that claim? Do they even
| have any verifiable evidence at all to back up that claim
| other than more marketing drivel?
|
| If the answer to all of that is not yes, then it all sounds
| like a house of cards and just more "security" bullshit to
| me.
| jjordan wrote:
| Audits are performed as a due diligence before actually
| launching the product or service that will utilize it. The
| audit is a collaborative process between the auditing team
| (or contest participants, in this case), and the developer
| of the smart contract. Contestants are rewarded financially
| for finding exploitable issues, with unique criticals (i.e.
| exploits that lose customer funds or otherwise
| fundamentally breaks the intended behavior of the contract)
| paying the most. AFAIK no public Codearena or Sherlock
| audit has had a critical vulnerability exploited after a
| contest was completed.
|
| It would be hard to compare the smart contract auditing
| ecosystem with audits of internal processes at those
| entities you mentioned, because the problem being solved is
| fundamentally different. Google, Amazon, et. al. are
| protecting access to information stored in data centers,
| whereas smart contracts are at most a few thousand lines of
| code that needs to work as intended, without clever hackers
| finding a way to exploit them.
| Veserv wrote:
| So, no. Lots of "process", words, and gamification, but
| no results and no evidence of actual robust security at
| the necessary multi-million dollar level.
|
| Looking at the leaderboard [1] it looks like the pay out
| is a few thousand dollars for a "steal all the money"
| defect. These companys literally want to manage millions
| of dollars, yet it regularly costs only a few thousand
| dollars in developer time to steal all the money. And
| these are the good companys doing audits.
|
| What a joke. It is worse than XP, but at least Microsoft
| knew they were a laughing stock.
|
| [1] https://code4rena.com/leaderboard
| WinstonSmith84 wrote:
| Yes you're right, there are very talented companies, but
| that's actually what the OP has been saying... These
| companies exist because of the language. No language is
| perfect but Solidity is very imperfect to say the least
|
| These challenges are very interesting
| https://ethernaut.openzeppelin.com/. The thing is, almost
| none of these hacks could be possible, if Solidity would be
| better
| flooow wrote:
| Every time I hear about another massive hack on Ethereum, I feel
| a little bit sad that I didn't specialize in software security.
| For many years there was huge amounts of free cash just sitting
| on a table waiting to be taken, a victimless crime (VCs and
| cryptobros are not victims, everyone is playing the same game).
|
| I expect the low-hanging fruit has gone now. And setting up
| spearfishing attacks to scam teenagers out of their NFTs doesn't
| seem as noble (or as profitable).
| pcthrowaway wrote:
| As a dark-hat in the space you'd have a pretty good chance of
| being caught by chainalysis eventually.
|
| Meanwhile there are still hundreds of millions of dollars of
| bounties available for white-hats who responsibly disclose.
|
| The dark-hat hackers who aren't held responsible are likely in
| either Russia or North Korea
| dafelst wrote:
| At most you are going to make a few thousand, maybe if you're
| super lucky and skilled, a few tens of thousands of dollars
| on bug bounties. Compared to the amount of poorly-secured
| money that was/is in crypto, it is a pittance.
|
| Add to that the fact that many of the hacks are largely legal
| consequence free due to crypto's famous lack of regulation
| (by design, lol), the economics are far more skewed towards
| the black hats over the white hats.
| waprin wrote:
| I don't work in crypto but I read a ton of tech blogs and
| this guy:
|
| https://cmichel.io/
|
| Seems legit and claims to have made one million in 14
| months in bug bounties, although he was #1 on some
| leaderboard. Based on his blog I think he's probably one of
| the best in the world at smart contract security so it's
| probably not a realistic goal for most people , but
| assuming the blogger is honest I think you underestimate
| the potential for top white hats. Certainly the big black
| hat hacks are far bigger money but a million is nothing to
| sneeze at especially for no legal or moral risk.
| pcthrowaway wrote:
| There are loads of bounty payouts in the hundreds of
| thousands. Probably 1000 payouts per year at that size.
| Most protocols would rather pay out $1 million than lose
| $100M to an exploit.
| iramiller wrote:
| Doing crime on a system with a perfect immutable record
| doesn't seem like a smart play to me.
|
| As noted above the firms like chainalysis will continue to
| uncover and attribute all of the nodes in the graph. If you
| are taking 100s of thousands or more through fraud the
| incentives are aligned to see your crimes prosecuted.
| liveoneggs wrote:
| is it a crime if the smart contract acts as coded, but
| not necessarily as intended?
| dafelst wrote:
| I think the main takeaway here is that in many cases wrt
| crypto, it is highly ambiguous on whether the actions you
| take are criminal or not.
| mypastself wrote:
| Agreed, especially given that frontrunning and similar
| techniques are almost inextricable from the technology's
| default behavior.
|
| However, actors other than law enforcement can also
| perform chain analysis, and you'd probably prefer to stay
| anonymous if you engage in such practices...
| greiskul wrote:
| It's amazing how quickly code-is-law becomes regular law is
| law when the code allows all your money to be stolen. And
| that is the nail in the coffin of this ideology, proponents
| of blockchain claim one day your house deed will be on the
| blockchain. What happens when people hack your house away
| from you then?
| rattlesnakedave wrote:
| Code is law. The issuer of tokens backing rwas should be
| able to figure this out and reissue.
| anamexis wrote:
| So, the issuer of tokens is law
| chrisco255 wrote:
| If the code allowed the issuer such flexible control,
| then yes. But many tokens have immutable implementations
| that can no longer be altered after deployment.
| SkyMarshal wrote:
| Good resource, probably half of which is only necessary due to
| shoddy Solidity and EVM design.
___________________________________________________________________
(page generated 2023-07-26 23:00 UTC)