Fujitsu Laboratories Ltd and Fujitsu Research and Development Center Co, Ltd (Fujitsu) have announced the development of technology that can verify, in advance, risks associated with smart contracts. The announcement occurred at the Blockchains and Smart Contracts Workshop 2018 held in Paris in late February.
Smart contracts are programs which automatically execute transactions on blockchain platforms. Because smart contract risks directly link to business losses, improving their reliability as a system matters. To do this Fujitsu blockchain technology identifies the relevant locations in the source code.
Fujitsu claims its algorithms identify risk-affected transaction sequences on the Ethereum platform when executing blockchain applications. The basis is symbolic execution technology. Using these algorithms, the technology detects six types of risks in smart contracts. Each has the potential to be escape a manual review. The effect will be that blockchain developers can develop ever safer smart contracts.
Fujitsu’s expectation is that the relevance will extend beyond finance, for example to securities management, real estate registration, healthcare and electronic government.
Blockchain technology can ensure that, even without a trusted third-party intermediary, data does not alter. The Ethereum blockchain adds functionality known as smart contracts. In these a contract can form in the system in advance, possess process checks and execute automatically.
Smart contracts copy to multiple locations and execute in a distributed manner. Once a contract initiates it is not easy (or impossible) to stop or revise it even if contract parties identify errors or risks in the smart contract. The most egregious example of this involved the so-called DAO-incident‘ when a smart contract created an automatic investment trust application on a blockchain that had was flaws. A substantial amount of money was improperly transferred where it was not supposed to go.
With the Ethereum execution platform smart contract risks are grouped into six categories (see also the diagram above):
- authenticating the source of a transaction call
- call stack restrictions
- divide by zero
- transaction order dependency
- transaction uncertainty due to reliance on the timestamp.
With previous technologies, detecting smart contract risks in advance was impossible for all of the different types. For example, source call authentication through indirect calls via multiple smart contracts led to changes in the information in the transaction’s source call due to an Ethereum specification. This can lead to abuses to illicitly evade authentication. Previously the risk arose because of the difficulty tracing a transaction’s internal information.
Results and future plans
Using the newly developed technology, Fujitsu found that:
- previous verification tools had a detection rate of about 67%
- its technology was capable of 100% detection (“excepting a few items”)
- in terms of precision, it achieved an accuracy rate of up to 88% for risk detection and source code risk location identification.
Because over-identification of risk is rare, this should enable more efficient smart contract development. Combined with the risk location identification the workload involved – in tasks such as specification comprehension, code evaluation and fixing code – should reduce.
Going forward, Fujitsu Laboratories will continue to develop verification technologies but not only for Ethereum. It will add support for the Hyperledger Fabric. Fujitsu Laboratories is not limiting development of its verification technology to smart contracts. Its larger goal is to help build secure systems which use blockchain.
What does it mean
Smart contracts have always sounded too good to be true. Automated execution is fine if the parties to a smart contract have constructed it as they intended. Too often, as the DAO calamity demonstrated, actual smart contract definition and implementation is inadequate, thereby introducing unexpected risks.
Whether Fujitsu’s technology will do as well as suggested will take time to ascertain. Nevertheless, the greater the number of tools which seek to identify flaws in smart contracts, and the broader their coverage, the better it must be for the smart contract credibility. Extending applicability to the broad-based Hyperledger Fabric falls into the same category.