For bad actors with a target, the easiest way in is usually through a trusted third party. You’ve seen it time and time again in pop culture and movies: when the protagonist needs to infiltrate a building, they disguise themselves as a pizza delivery person and are usually let in after a little bit of scrutiny.
As seen in the recent security incident with the npm package “event-stream”, it does not take much for an attacker to launch a highly targeted attack with huge impact.
Here are the highlights:
- Heavily utilized library with small development team (1 consistent author).
- Maintainership changed hands, with minimal notice to the community, upon a simple request and with no vetting.
- Source code on GitHub does not have to match the source code published to npm.
For the individual developer, it is nearly impossible to check every dependency used in a project for signs of compromise – and even more difficult to remain aware of security incidents related to upstream packages!
With that in mind, there is an interesting new approach to libraries from the OpenZeppelin team: EVM Packages.
EVM Packages are immutable, on-chain, and upgradeable smart contracts that can be readily imported and used in your projects.
From the README of openzeppelin-eth:
OpenZeppelin is a library for secure smart contract development. It provides implementations of standards like ERC20 and ERC721 which you can deploy as-is or extend to suit your needs, as well as Solidity components to build custom contracts and more complex decentralized systems.
This fork of OpenZeppelin is set up as a reusable EVM Package. It is deployed to the kovan, rinkeby, and ropsten test networks, as well as to the main Ethereum network.
Some immediate benefits of libraries living on-chain are:
- Decreased deployment gas costs.
- Contracts are considered “known good” by the community.
- These contracts are upgradeable with no action needed on the part of the dev(s).
The advantages of using on-chain contracts include an immediate impact on the deployment process, opening the door to more robust development, and streamlining of the security update process. The team is also releasing a token (currently in closed beta) to test various ideas around crypto-economic incentives. Maybe we’ll see a platform where developers get paid when their library is used, incentivizing project development and maintenance. Or a consolidation of services from across the web like bug bounties, threat intel databases, and identity management.
Whatever comes next from the team at OpenZeppelin, I expect we’ll see more libraries and commonly used smart contracts moving towards this model as the space continues to grow and mature.