We recently caught up with Dr. Amrit Kumar, president and chief scientific officer at Zilliqa, a high-throughput blockchain platform that recently announced a collaboration with ChainSecurity, a company focused on enhancing blockchain security.
Kumar, a research fellow at the University of Singapore, discussed best practices related to improving smart contract security. He also explained how Zilliqa is planning to develop a security scanner and a static analysis framework.
Tell us more about the static analysis framework and security scanner that the Zilliqa team is planning to develop, following its partnership with ChainSecurity.
Dr. Amrit Kumar:
“Funded via our US$5 million Zilliqa Ecosystem Grant Programme, our collaboration with ChainSecurity is a testament to Zilliqa’s commitment to security at both the protocol and the application-level.
In this next phase of growth and as our network continues to mature, it’s crucial that we equip developers and users alike with better security tools and resources.
This initiative is underscored by two key goals:
1) improving the security of Scilla-based smart contracts by working to reduce the number of vulnerabilities and exploits that developers may potentially encounter;
2) promoting the adoption of Scilla-based smart contracts by providing even greater security guarantees.
ChainSecurity’s security scanner will enable developers to identify generic security vulnerabilities as well as design issues as a result of poor coding practices. These issues range from unsafe transaction targets, locked ZILs (where ZILs cannot be withdrawn from a contract), unrestricted ZIL flow (where ZIL transfers are performed without conducting appropriate checks), transaction order dependency, as well as missing input validation, unrestricted storage writing, etc.
On the other hand, the extensible static analysis framework will allow developers to check the properties identified with the security scanner. This framework supports critical prerequisites that are needed to verify non-trivial security properties, such as state-of-the-art control-flow, data-flow, information-flow, and static taint analysis. This framework will be used to encode all identified vulnerabilities from the scanner. Extensible by design, developers and users will be able to easily add more relevant security checks and vulnerability patterns over time in order to establish best practices for smart contract development.”
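To make concrete the kind of pattern such a scanner encodes, here is an added illustration (not Zilliqa’s or ChainSecurity’s code): a toy checker over a hand-built AST of Scilla-style transitions that walks control flow to record which guards are on the path, treats transition parameters as tainted, and flags an unguarded `send` fed by caller-controlled values (unrestricted ZIL flow / unsafe target) as well as a contract that accepts funds but never sends (locked ZILs). The AST classes, the `_sender` guard heuristic and the sample contracts are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List
# Toy AST for Scilla-style transitions (constructed for this illustration; it is
# neither Scilla's real grammar nor the ChainSecurity scanner's internal model).
class Accept:            # `accept`: take the incoming _amount into the contract
    pass

@dataclass
class Send:              # `send` of a message carrying _recipient and _amount
    recipient: str       # name of the expression supplying _recipient
    amount: str          # name of the expression supplying _amount

@dataclass
class Guard:             # `match cond with | True => body | False => end`
    condition: str
    body: List[object]

@dataclass
class Transition:
    name: str
    params: List[str]    # transition parameters are caller-controlled (tainted)
    body: List[object]

def scan(transitions: List[Transition]) -> List[str]:
    findings, accepts, sends = [], False, False   # one finding per detected pattern

    def walk(t: Transition, stmts: List[object], guards: List[str]) -> None:
        nonlocal accepts, sends
        for s in stmts:
            if isinstance(s, Accept):
                accepts = True
            elif isinstance(s, Guard):      # control flow: extend the guard path
                walk(t, s.body, guards + [s.condition])
            elif isinstance(s, Send):       # data flow: what feeds the transfer?
                sends = True
                tainted = s.amount in t.params or s.recipient in t.params
                authorised = any("_sender" in g for g in guards)
                if tainted and not authorised:   # unrestricted ZIL flow / unsafe target
                    findings.append(f"{t.name}: unrestricted ZIL flow "
                                    f"(sends {s.amount} to {s.recipient} unchecked)")

    for t in transitions:
        walk(t, t.body, [])
    if accepts and not sends:               # funds can enter but never leave
        findings.append("contract: locked ZILs (accept without any send)")
    return findings
# Constructed sample contracts, as the scanner would see them after parsing.
VULNERABLE = [Transition("Withdraw", ["dest", "amt"], [Send("dest", "amt")])]
HARDENED = [Transition("Withdraw", ["dest", "amt"],
                       [Guard("_sender == owner", [Send("dest", "amt")])])]
LOCKED = [Transition("Deposit", [], [Accept()])]
```

A real framework would work from the parsed contract and a richer set of patterns (transaction order dependency, storage writes, input validation), but the structure is the same: a path-sensitive walk plus a taint rule per vulnerability class.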
Please explain how you intend to establish best practices to ensure smart contract security.
Dr. Amrit Kumar:
“As a team, we have always placed security at the heart of our blockchain platform and our secure-by-design smart contract language, Scilla. Early on, we actively chose a layer-1 (on-chain) scaling solution to ensure that the network could be secured by the blockchain itself. Moreover, the development of Scilla (more details on Scilla below) has prioritized security, ultimately setting us apart in the industry.
Maintaining a public blockchain’s resilience is of the utmost importance to ensure that developers can build their products and maintain the integrity of their data.
Part of this is to consistently monitor the latest security risks, produce new fixes, and implement defensive tools within technology infrastructure capable of counteracting any threats. We follow stringent processes to ensure security standards are met to the highest possible standards:
Implementation of regular, periodic fixes, improvements and upgrades:
Our Platform and Languages team adopts a protocol where code is peer-reviewed before being merged. On release management, we adopt semantic versioning (https://semver.org/) where releases are classified into major, minor and patch versions. This allows us to push out new releases in a systematic and timely manner.
Making testing and high-quality coding a priority:
Rigorous testing forms a core part of our development practices. Each bug fix and feature implementation is independently tested, and end-to-end integration tests are conducted to check for regression. To achieve a high standard of code quality, we use various tools in our arsenal and consistently strive to adopt good coding practices. First, our development infrastructure ensures that we address all warnings and errors reported by our compiler. We also employ various static analysis tools to diagnose and fix issues such as style violation, interface misuse, and other bugs.
Tools for developers:
In addition to our basic editing tools such as the Scilla modes for Emacs and Vim (and a community-contributed plugin for VS Code) which integrate the scilla-checker into the integrated development environment (IDE) to enable safety right from the development stage, we are currently working on establishing a set of reference contracts, as well as a Scilla style guide and a design pattern and anti-pattern guide to ensure that developers adopt best practice designs in order to avoid design pitfalls.
Periodic security audits:
We have worked with various professional security audit teams since our inception, including industry-leading cybersecurity and penetration testing firms such as Cure53, Kudelski Group, as well as NCC Group. Such audits serve to independently review our implementation from a security perspective. Through these engagements, we have received valuable advice and feedback on how to best strengthen our platforms and mitigate potential attacks and vulnerabilities.
Bug bounty program:
Prioritizing security is also a community effort that extends beyond our core tech team. Over time, we have found that crowdsourcing security through bug bounty programs has been immensely beneficial. In the past, we’ve used platforms such as Bugcrowd to help us manage our bug bounties. We also allow for coordinated disclosure of any identified vulnerabilities which gives security researchers the opportunity to coordinate public disclosure of the vulnerability. This can provide the community with useful insights on security-related issues.”
Functional programming languages such as LISP were created several decades ago. Cardano’s developers also use a functional programming language called Haskell. Please tell us how important you think Scilla (also a functional programming language) and other similar coding languages are to the long-term development and security of smart contract-enabled blockchain networks?
Dr. Amrit Kumar:
“Of the many bugs we’ve seen today arising out of notable incidents such as the DAO or the Parity wallet hack, the coding errors and vulnerabilities in those situations simply aren’t unique to smart contracts. In fact, they gesture toward far larger, linguistic insufficiencies in the programming languages we have today.
At Zilliqa, our decision to develop Scilla was driven by the need for greater security guarantees at the language level. By encoding guidelines and parameters, we can ensure that such coding errors are never made again. With Scilla, we ensure that our language makes a clean separation between contract-specific computations (mathematical and state changes) and blockchain-wide interactions; this helps to provide a sound reasoning mechanism about potential contract composition and invariants.
We did our best to create a language that looked to provide a good balance between expressivity, security, and tractability. Though Scilla is only one of many functional programming style languages in the industry today, we hope that the benefits of a secure-by-design framework will only continue to grow apparent to developers and users alike in the years to come.
That being said, a language is only as good as the tools and resources that accompany it, and allow for ongoing improvements and auditing. Our recent partnership with ChainSecurity builds on this approach, allowing developers to leverage a language that has prioritized security from the get-go while giving them the tools to mitigate security risks and attacks as they increase in sophistication.”
What are the main products and services that the Zilliqa platform aims to offer?
Dr. Amrit Kumar:
“With our emphasis on security, we built Zilliqa as a viable option for enterprises that require a high level of security for their high-value transactions. However, as Zilliqa is an open, public blockchain platform, there are no limitations to what can be built on our network. To date, the many use cases on Zilliqa come from a variety of sectors, including finance, payments, digital advertising, and gaming.
To date, we have several existing partnerships in the gaming industry. EMONT Alliance, the founder of the renowned Ethereum-based crypto collectible game, Etheremon, recently released their new game on Zilliqa, called Ocean Rumble. Krypton also released a game called SuperPlayer on our mainnet earlier this summer. This was accompanied by a decentralized application (Dapp) browser, Zilliqa Planet, and a non-fungible token (NFT) marketplace.
We also marked our entrance into the financial services sector in January 2019 when we announced Hg Exchange, a joint venture with Singapore-based private investment platform Fundnel and digital asset exchange platform, MaiCoin. Hg Exchange looks to become Southeast Asia’s first member-driven exchange and will enable startup founders and employees to monetize their shares, now no longer beholden to long lock-up periods.
Investors, on the other hand, will be able to access promising high-growth ventures. Following our announcement, we collectively submitted an application to the Monetary Authority of Singapore’s Fintech Regulatory Sandbox and are awaiting approval.
Beyond that, we embarked on our first payments-related partnership earlier this summer with Singapore-based fintech payments provider, Xfers, in order to bring blockchain-powered payment solutions to over 500,000 enterprise partners and users in the region. Accredited as a Widely Accepted Stored Value Facility (WA SVF) by the Monetary Authority of Singapore, Xfers is the first fintech startup to receive such accreditation. This partnership also serves to pioneer the concept of b-commerce, which addresses the need for blockchain solutions that can be easily and seamlessly integrated into existing financial infrastructures.
Lastly, we’re continuing to build on the work we’ve achieved with Project Proton. Project Proton is a programmatic advertising alliance established with global media and marketing services company, Mindshare, Mediamath, Rubicon, and Integral Ad Science. In March 2019, we successfully completed a Southeast Asia campaign powered by smart contracts for PepsiCo.
With our smart contracts, we were able to reconcile ad impressions derived from multiple data sources in near real-time with our Native Alliance Token (NAT). With smart contracts, additional spending incurred by ad fraud as well as inefficient processes can be reduced significantly, ensuring that advertisers only need to pay for impressions that have been validated as viewable, brand-safe, and free from ad fraud. Results from our PepsiCo campaign showed a 28% increase in cost-efficiencies for viewable impressions.
Last month, our sister company, Aqilliz, officially launched. A blockchain solutions provider, Aqilliz looks to restore transparency, equitability, and cost-efficiency to a largely fragmented marketing technology ecosystem. With Zilliqa as its technical infrastructure provider, Aqilliz looks to enable greater enterprise adoption of our platform, as we work with them to build solutions that target different areas of the digital supply chain. Aqilliz was born out of our work with Project Proton and will continue to build from the valuable learnings we’ve gained from our first campaign.”
What are the main (legitimate) use cases for decentralized applications (according to your experience)?
Dr. Amrit Kumar:
“Today, there is no shortage of applications being built on the new ‘token economy.’ These are providing services that can shift the very operational workings of industries to provide more transparency, security and data legitimacy. Whether in financial services, healthcare, security management or governance, these applications – whenever successfully implemented – can prove that blockchain is not just a solution looking for a problem, but is, in fact, a step forward in technology and innovation.
Loaning money by using collateral (being done by Compound, InstaDapp, and MakerDAO) and prediction markets are some particular use case areas setting the tone for concrete progress, and I am personally very interested in seeing their development. With such promising dapps on the horizon, Zilliqa is committed to supporting developers by providing them with the tools, guidance and incubation options to facilitate innovative and advanced building. This will undoubtedly push blockchain adoption to the next level.”