The purpose of this post is to update my personal vision of Zeppelin and Zeppelin’s projects, as their founder and CTO. This is my own personal perspective, and some Zeppelin team members may not be aligned with my views. However, several people told me it would be helpful if they could read my understanding of this topic as a base for further discussions, to inform long-term planning and product design. If nothing else, it has been useful to write it as a personal log.

Zeppelin (the Company)

As an organization and team, we work to build technology that helps bring freedom to the…


Few applications need blockchains. Distributed consensus makes each computational step very expensive. Only apps for which users are willing to pay such a cost will make sense in the new decentralized paradigm. But what makes an app need a blockchain?

A Brief History of Computer Innovation

The first such app was bitcoin, the first free currency. Why are the ~20M bitcoin users willing to pay the price of running a currency on top of a costly, slow platform such as a blockchain? Let’s explore the answer by analogy.

In 1982, why did my dad spend $150 at an obscure computer store in Buenos Aires to buy…


Zeppelin is proud to be sponsoring Devcon3. To celebrate, we are releasing a CTF hacking game at the start of the conference, on November 1st.

The contest includes multiple stages consisting of security challenges and puzzles designed to test your smart contract hacking skills. Each consecutive stage increases in difficulty. Prizes totaling $10,000 USD will be distributed equally in ETH to the first five participants who successfully complete all challenges.

These are the kind of challenges our teams work on every day. …


Last week, we announced zeppelinOS, the operating system for smart contract applications.

We highlighted that “the rate of innovation in building decentralized applications is limited by the manual and duplicative efforts developers must make to ensure basic usability and security.”

zeppelinOS aims to solve this problem. Based on our experience working to secure dozens of projects in the space, we are now building an open-source, decentralized platform of tools and services on top of the EVM to help developers rapidly deploy, upgrade and manage secure smart contracts.

We have classified the features of the OS into 4 categories of services:


Last week, we saw one of the biggest hacks in the history of smart contract applications. ~30M USD were lost due to a simple programmer error, leaving critical functions open for anyone to call. It’s high time we get serious about writing secure contracts, if we want decentralized applications to reach their full potential.

In the early days of computing, writing code into machines was a difficult and inefficient endeavor. There were few tools and resources available for programmers, and specialized magazines were the main distribution media for software. Major operating systems were not yet available, so each computer model…


The Storj team asked us to review and audit their new Storj Token (STORJ) code. We looked at their contracts and now publish our results.

The audited contracts can be found in their storj-contracts repo. The version used for this report is commit 2bdeb27c0216d2f0889b6e7363d8a84b54cd7f39.

Code quality is very good. Functionality is properly modularized, and most lines of code and nearly all functions have accompanying comments stating their purpose and/or reasoning.

Here’s our assessment and recommendations, in order of importance.

EDIT: Most problems were addressed in the latest version of the code.

Severe

Problems with PaymentForwarder’s pay function

pay function in line 44 of PaymentForwarder.sol


The Brave team asked us to review and audit their new BAT Token contract code. We looked at their contracts and now publish our results.

The audited contracts can be found in their basic-attention-token-crowdsale repo. The version used for this report is commit 17a5f8440a256a6dc5d8dd894b9615182c2901b2.

Here’s our assessment and recommendations, in order of importance.

Update: The Brave team followed most of our recommendations in the latest version of their code.

Severe

Brave can get an unfair refund if tokenCreationMin is not reached

A fixed 300 million BAT tokens are assigned to Brave (specifically to the batFundDeposit address) when the crowdsale contract is deployed. …


The Moeda team asked us to review and audit their new Moeda Token code. We looked at their contracts and now publish our results.

The audited contracts can be found in their moeda repo. The version used for this report is commit b2bf23119d563e251b6f16b29b642bac43e76a64. The main contracts are MoedaToken.sol and Crowdsale.sol.

Overall the code is good and has only minor issues. Here’s our assessment and recommendations, in order of importance.

Update: The Moeda team implemented most of our recommendations in the latest version of their code.

Severe

We haven’t found any severe security problems with the code.

Potential problems

Unnecessary complexity calculating token amount

The formula used to calculate…


As you may know from reading our blog, we do lots of security audits for blockchain-based projects. All projects in the space need someone external to take a fresh, unbiased, and skeptical look at their code.

OpenZeppelin is an open repository of reusable smart contract modules. Since we started the project, we committed to the highest standard of security and peer-review. This means performing external audits on our code too. That’s why we asked the New Alchemy team to perform a formal security audit of OpenZeppelin’s codebase, following the 1.0.0 release of the framework.

Projects using OpenZeppelin just need to…


The Wings team asked us to review and audit their new Token contract code. We looked at their code and now publish our results.

The audited contract is at their contracts GitHub repo. The version used for this report is commit 1b308105a31c5b005c21fbbda3b1ff5b3fac9bae. The main contract file is Token.sol.

Code quality is good. We’re very happy to audit a project using OpenZeppelin.

Here’s our assessment and recommendations, in order of importance:

Update: The Wings team implemented most recommendations in their master branch.

Severe

We haven’t found any severe security problems with the code.

Potential problems

Be careful with types

Avoid declaring variables using var if possible. The type-deduction…

Manuel Araoz

In search of truth and good stories to tell.
