
Build your first smart contract


In the world of software development, blockchain technology is gaining more and more interest. Among the different implementations, Ethereum is one of the most used blockchains in the world thanks to its flexibility and the possibility of executing code through smart contracts. This talk will present the fundamental concepts of the Ethereum architecture and the functioning of smart contracts. Next, it will show how to use the HardHat framework to develop, test and publish decentralized applications on the EVM blockchain.

GDG DevFest Pisa - 1st April 2023

Giovanni Toraldo

April 01, 2023


Transcript

  1. About me
     • DevOps Engineer @ Hyland
     • Alfresco BDU
     • Ansible playbook
     • Helm charts
     • Open Source enthusiast
     • Medieval reenactor during the weekends
     🎯 Twitter: @gionn
  2. What is a cryptocurrency
     • A digital currency that uses cryptography for security and integrity
     • Decentralized, not controlled by any central authority
     • Transactions are recorded on a distributed public ledger (blockchain)
       ◦ Provides users with a high degree of privacy and anonymity, as transactions are pseudonymous and do not require personal identification
     • Offers lower transaction fees (but it depends)
     • Anyone can start receiving currency just by running software
       ◦ To send, most of the time you first need a third party to exchange your fiat money
  3. Total crypto market cap, a result of 12,301 cryptocurrencies tracked across 666 exchanges. https://www.coingecko.com/en/global-charts
  4. Introduction to Bitcoin
     • First and most well-known cryptocurrency
       ◦ Born in October 2008 as a research paper
       ◦ Release v0.1 in early January 2009 as OSS
     • Limited supply: 21 million
       ◦ Inflation halving
     • Decentralized consensus: Proof-of-Work
       ◦ Easy to validate for everyone
       ◦ Hard to generate
         ▪ Each new block generates fresh bitcoins
     • Each transaction requires a fee depending on the network congestion
       ◦ Block size is limited, so there is a finite number of TX in each block, and block emission requires time
  5. Programming Bitcoin: Script
     • Stack-based programming language
     • Not Turing-complete (no loops)
     • Foundation for transaction validation
       ◦ Overspending
       ◦ Requires 1 or more valid signatures
       ◦ Time-lock
     • These limitations were a design choice in order to:
       ◦ Have predictable execution times
       ◦ Avoid deadlocks / infinite loops
       ◦ High security
       ◦ Low hardware requirements
  6. Introduction to Ethereum
     • 2nd crypto by market capitalization
     • Network up since 2015
     • Unlimited supply (new ETH distributed for each block)
       ◦ Deflationary since 15 September 2022: transaction fees exceeding a threshold get burnt
     • Decentralized consensus: Proof-of-Stake (since 15 September 2022)
       ◦ One validator, randomly selected from the pool, proposes the next block's transactions
         ▪ Requires 32 ETH staked
         ▪ Gets punished if bad behaviour is detected by other nodes
     • Each transaction requires a fee depending on the network congestion
       ◦ Block size is limited, so there is a finite number of TX in each block, and blocks are emitted at a fixed cadence
  7. Ethereum Virtual Machine (EVM)
     • Ethereum is not just a blockchain
     • Imagine a computer that everyone in the network can:
       ◦ Have access to its state contents (storage)
       ◦ Ask for a computation that can optionally alter the state
     • Requests for computation are transactions
       ◦ They consume gas to be evaluated, paid by the requester
         ▪ Even a computation that ends by throwing an exception has to be evaluated, so it still costs gas
       ◦ There is a cap on gas usage, known before broadcasting
     • Code for computations has to be deployed before it can be evaluated
  8. Use Cases for Ethereum Smart Contracts
     • Decentralized finance (DeFi)
       ◦ Lending platforms, decentralized exchanges, stablecoins
       ◦ No need for trusted intermediaries like banks: users can provide liquidity while keeping custody of funds (code is law)
     • Non-Fungible Tokens (NFT): ownership of a unique piece of content
       ◦ Digital art, game assets, physical world objects
       ◦ Tradable on dedicated marketplaces
     • Whatever is supposed to be public, verifiable by third parties, immutable
  9. Interact with dapps via browser
     • Install a browser extension for wallets
     • Generate a new wallet using 24 seed words
       ◦ Multiple derived addresses
     • Buy the gas necessary to pay for transactions
       ◦ Test networks have free faucets
     • Connect to a web3 website
     • Interact with the UI
     • Emit a transaction via browser
  10. Beware of scams ⚠
     The world is full of bad people, and blockchain makes it very easy to run away with other people's money.
     • Do not use sponsored links in Google search results
       ◦ Rely on saved bookmarks
     • Do not enter seed words anywhere other than during your wallet's first setup
     • Do not save seed words on an internet-connected device
     • Do not interact with DMs and replies containing URLs on social networks and chats
     • Beware of the other standard scam vectors
       ◦ Domain typosquatting
       ◦ Phishing emails
     • Verify that the transactions you make are against the expected contracts
  11. Smart Contracts on Ethereum
     • Solidity code (compiled) can be deployed on Ethereum ⇒ a contract is created
     • Each contract has (like a wallet):
       ◦ A unique address
       ◦ A balance in ETH
     • Each contract has:
       ◦ State (variables, constants)
       ◦ Callable functions
         ▪ Altering the state (requires a tx)
         ▪ View only (query the state without a tx)
     • Functions can:
       ◦ Make computations
       ◦ Alter the contract state
       ◦ Call other contracts' external functions
  12. Once a Smart contract is created
     • Only the bytecode is always available
     • Sources can optionally be uploaded to blockchain explorers
     • To interact with deployed contracts the ABI must be known
       ◦ Lists all the available functions and corresponding parameters
       ◦ Generated by the compiler as an artifact
     • Contracts are immutable (!); ways to cope with this:
       ◦ Migrate state from the old to the new contract
       ◦ Separate data and business logic
       ◦ Proxy pattern
     • No concurrency issues: transactions are serialized within a block
     • A transaction can succeed or fail
  13. Solidity programming language
     • Object-oriented
       ◦ Inheritance
       ◦ Standard types (boolean, int, string, array)
       ◦ User-defined types (struct and enum)
       ◦ Function visibility and
     • Statically typed
     • Error handling (revert the transaction when an error is raised)
     • Events
     • Calls other contracts (any!)
  14. Introduction to Hardhat development environment
     • JavaScript-based
       ◦ npm install --save-dev hardhat
       ◦ npx hardhat
     • Task-oriented framework
       ◦ Clean, Compile, Test, Run
     • Plugin architecture
     • VS Code integration
     • Simple folder structure
       ◦ contracts: Solidity sources
       ◦ test: mocha/chai tests
       ◦ scripts: plain JavaScript automation
  15. Create a new Hardhat project
     • mkdir src/myproject
     • npm init -y
     • npm install --save-dev hardhat
  16. Writing tests with Mocha
     • Automated testing is more critical than ever
       ◦ Ensure that the code behaves in the expected manner
       ◦ Ensure that all the inputs are sanitized
       ◦ Ensure errors are handled as expected
     • A bug in your code can have disastrous consequences:
       ◦ March 2023: Euler lost 200M because of a bug in a function to donate dust to the protocol
  17. Run HardHat test network
     • Spin up a fully functional blockchain in memory that is compatible with Ethereum / EVM
  18. Common security issues
     • Attack vectors that are common on other platforms too:
       ◦ Business logic errors
       ◦ Rounding errors
       ◦ Uninitialized variables
       ◦ Unsanitized input variables
     • Reentrancy attacks
       ◦ Calling an external contract that recursively calls back into your contract, which has postponed its state update
       ◦ To avoid it, change state before calling external contracts (Checks-Effects-Interactions)
       ◦ Executing a transfer is actually calling an external contract
       ◦ Reentrancy is not an issue if the effects are the same as calling the function N times
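The Checks-Effects-Interactions point above, as an added example that is not from the talk: a plain JavaScript model (not Hardhat, Solidity or any library) of a bank contract whose withdraw is written both ways, plus an account whose receive hook calls withdraw again; the Bank, ReenteringAccount and runScenario names and the addresses are constructed for this illustration.

```javascript
// Toy model of EVM-style calls, constructed for this example. Ether held by the
// bank and its per-account ledger are plain numbers; an external call is a method
// call that can re-enter the bank before the outer call returns, as on the EVM.
class Bank {
  constructor() { this.ether = 0; this.ledger = new Map(); }
  balanceOf(address) { return this.ledger.get(address) || 0; }
  deposit(account, amount) {
    this.ether += amount;
    this.ledger.set(account.address, this.balanceOf(account.address) + amount);
  }
  // Modelled transfer: the EVM reverts when a contract sends more than it holds.
  send(account, amount) {
    if (this.ether < amount) throw new Error("insufficient ether");
    this.ether -= amount;
    account.receive(this, amount); // hands control to external code
  }
  // Interaction before Effect: the ledger still shows the old balance while the
  // external code runs, so a re-entrant call passes the Check again.
  withdrawUnsafe(account) {
    const amount = this.balanceOf(account.address); // Check
    if (amount === 0) throw new Error("nothing to withdraw");
    this.send(account, amount);                     // Interaction
    this.ledger.set(account.address, 0);            // Effect (too late)
  }
  // Checks-Effects-Interactions: the ledger is zeroed before any external call,
  // so a re-entrant call sees balance 0 and fails the Check.
  withdrawSafe(account) {
    const amount = this.balanceOf(account.address); // Check
    if (amount === 0) throw new Error("nothing to withdraw");
    this.ledger.set(account.address, 0);            // Effect
    this.send(account, amount);                     // Interaction
  }
}
// An account whose receive hook calls withdraw again, like a contract's receive()
// function. A failed inner call is swallowed, as a low-level call returning false.
class ReenteringAccount {
  constructor(address, method) { this.address = address; this.method = method; this.received = 0; }
  receive(bank, amount) {
    this.received += amount;
    try { bank[this.method](this); } catch (e) { /* inner call failed, outer continues */ }
  }
}
// Runs one deposit/withdraw scenario with the given Bank method and reports the outcome.
function runScenario(method) {
  const bank = new Bank();
  const honest = { address: "0xhonest" };                  // constructed address
  const caller = new ReenteringAccount("0xcaller", method); // constructed address
  bank.deposit(honest, 2); bank.deposit(caller, 1);
  try { bank[method](caller); } catch (e) { /* outer transaction reverted */ }
  return { bankEther: bank.ether, callerReceived: caller.received, honestBalance: bank.balanceOf(honest.address) };
}
```

With `withdrawUnsafe` the re-entering account is paid out 3 while its ledger entry was only 1, leaving the bank empty although the honest account's ledger still promises 2; with `withdrawSafe` the second call fails the check and only 1 is paid out.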
  19. OpenZeppelin
     Open-source secure contracts library - openzeppelin.com
     • Implementations of standards like ERC20 and ERC721
     • Role-based permission schemes (onlyOwner)
     • Other secure components:
       ◦ SafeMath (avoid overflows)
       ◦ Payment splitter
       ◦ Proxy (upgradable contracts)
       ◦ Pausable
       ◦ ReentrancyGuard
  20. Linters and static analysis tools
     Tools that are easily integrated into a Hardhat project:
     • Solhint:
       ◦ Code style guide (mixedCase function names, underscore prefix for internal variables, …)
       ◦ Best practices (max line length, cyclomatic complexity, …)
       ◦ Basic security issue detection (missing visibility in a function, simple reentrancy)
     • Slither: static analysis to detect vulnerable code
       ◦ They maintain a list of hacks that could have been prevented by using the tool