Recently, a group of blockchain security companies founded the Ethereum Trust Alliance (ETA) to create a security rating system for smart contracts.
While the public Ethereum blockchain may be immutable, hackers can exploit bugs in application code or smart contracts. As of six months ago, it was estimated that at least $370 million had been lost as a result of smart contract vulnerabilities. Famous incidents include the DAO, Parity and Bancor.
As a result, there are now several security startups who perform audits and provide analysis tools.
However, as the industry evolves and seeks to attract institutions and enterprises, a more comprehensive approach is necessary. The ETA believes that a Moody’s-style rating system for smart contracts could address the issue.
The goal is to provide users with a risk assessment report. ETA ratings will help the community identify smart contracts that have been through rigorous checks and have had all vulnerabilities addressed. To achieve this, ETA will create a registry of smart contracts in which anyone can query the security rating level of a given contract.
On the one hand, this could provide a significant amount of work for security audit firms. The flipside is that it can carry legal liability. A feature of public blockchains is that one smart contract can depend on another, so a flaw in a smart contract that many other contracts rely on could result in significant exposure to loss. However, there is a blockchain-based organization, Nexus Mutual, that provides insurance against smart contract bugs.
Potential applications include Ethereum wallet users checking a contract's trust rating before sending tokens. Exchanges can require a specific ETA rating level before listing new tokens. In the case of a consortium, smart contracts can be required to hold an ETA rating before they are published.
With a growing blockchain network, concerns around smart contract security are increasing. Last year, a survey on the security of Ethereum revealed 44 different types of vulnerabilities, 26 of which were in the ‘application layer’ where smart contracts and DApps are built.
Founding members of the Alliance include MythX, ConsenSys Diligence, Sooho, Quantstamp, SmartDec and Runtime Verification.
Quantstamp, which boasts Nomura as an investor, and MythX are also members of another organization, the Smart Contract Security Alliance.