Parse, don't validate — correctness in smart contract development

Tomasz Kopacki — Mon, 05 Dec 2022 09:40:53 +0000

Just couple of days ago, there was a discussion on the Rust in Blockchain group. It was about another smart contract exploited by a hacker. Some missing role checks allowed arbitrary token minting.

I've been a software engineer for multiple years, and I know that it's easy to forget about an important line in the code.

However, there are techniques which make it harder to forget! That's what, dear reader, I'd like you share with you about 🙃

Ensuring input correctness

Accepting input from outside world requires checking if this input is actually what we need it to be. There is one common way of achieving this. It's called validation.

Validation

It is about taking the input and checking if it does include expected values and does not include harmful values.

If the check is successful, the input is considered valid by the internal part of our system. Otherwise, the input is rejected as invalid and is not further processed.

However, validation does not require using new types to capture information about the input correctness.

Have a glance at this Rust playground example.

It is covered by unit tests, which definitely help, but the same Addr type is shared by both, the valid and invalid address. That's where the real danger is! 🙊

What can be done to make a mistake even harder to make? We can use... types!

Parse, don't validate

I'll start by linking to an awesome article by Alexis King which includes all details about this technique.

In short, we want to parse an input into a known set of internal types. These internal types can only be constructed via functions that include validation.

The main difference is creating a wrapping type for a given valid value. Now, the valid admin address can be expressed by using the AdminAddr. All other addresses are still expressed with our basic Addr type.

Take a look at the playground here — it's a modification of the previous code example.

Security

According to the NIST Cybersecurity Framework, there are five main areas of focus: Identify, Protect, Detect, Respond, and Recover.

A simple technique like using types to ensure software correctness can be helpful with the following security areas:

Identify
- assessing risk is easier if values can carry information about their own correctness
Protect
- it's harder to forget using a correct type in an authenticated method [1]
- the compiler helps with catching the mistakes 🚀

Summary

All in all, mistakes are unavoidable. They are part of the risk. Keep in mind:

The risk can't be avoided — it has to be managed.

Strong types are one of the ways to manage risk in software development. Smart contracts included.