EVM Packages: On-chain, Immutable, Upgradeable, Package management.

For bad actors with a target, the easiest way in is usually through a trusted third-party. You’ve seen it time and time again in pop-culture and movies. When the protagonist needs to infiltrate a building, they disguise themselves as a pizza delivery and are usually let in after a little bit of scrutiny.

C’mon buddy! I gotta delivery to make!

As seen by the recent security incident with the npm package “event-stream” it does not take much for an attacker to launch a highly directed attack with huge impact.

Here are the highlights:

  • Heavily utilized library with small development team (1 consistent author).
  • Developer changed hands with minimal noise about it to the community upon simple request with no vetting.
  • Source code on github does not have to match the source code deployed to npm libraries.

For the individual developer, it’s near impossible to check every dependency used in a project for signs of compromise – and even more difficult to remain aware of security incidents related to upstream packages!

With that we have an interesting new approach to libraries from the OpenZeppelin team: EVM Packages. 

EVM Packages are immutable, on-chain, and upgradeable smart contracts that can be readily imported and used in your projects.

From the README of openzeppelin-eth.

OpenZeppelin is a library for secure smart contract development. It provides implementations of standards like ERC20 and ERC721 which you can deploy as-is or extend to suit your needs, as well as Solidity components to build custom contracts and more complex decentralized systems.

This fork of OpenZeppelin is set up as a reusable EVM Package. It is deployed to the kovan, rinkeby, and ropsten test networks, as well as to the main Ethereum network.


Some immediate benefits of libraries living on-chain are:

  • Decreased deployment gas costs.
  • Contracts are considered “known good” by the community. 
  • These contracts are upgradeable with no action needed on the part of the dev(s).

The advantages of using on-chain contracts include immediate impact unto the deployment process, opening the door for more robust development, and streamlining of the security update process. The team is also releasing a token (currently in closed beta) to test various ideas around crypto-economic incentives. Maybe we’ll see a platform where developers get paid when their library is used, incentivizing project development and maintenance. Or a consolidation of services from across the web like bug bounties threat/intel databases, and identity management.

Whatever comes next from the team at OpenZeppelin, I expect we’ll see more libraries and commonly used smart contracts moving towards this model as the space continues to grow and mature.


Editor-In-Chief @crypto_defense & COO @SpyglassSec. #cryptosec #infosec #blockchain #cryptocurrency #firespinner