DEV Community: Crypton Studio

ERC-X Miner Contract Exploit on ERC-404 Standard: our Expert Analysis

Crypton Studio — Fri, 16 Feb 2024 07:11:35 +0000

Disclaimer: The information presented in the article "ERC-X Miner Contract Exploit on ERC-404 Standard: our Expert Analysis" is provided for informational purposes only and should not be construed as advice or guidance for any purpose. Crypton Studio is not responsible for any further actions taken by readers and does not recommend taking any actions based solely on this information.

ERC-X contract exploit of the MINER project

On 14 February 2024, the MINER project's ERC-X contract was exploited on the Ethereum mainnet due to a double-spend vulnerability resulting in a loss of 168.8 ETH (about $470,000).

The ERC-X contract is a combination of ERC-20, ERC-721, ERC-1155 and ERC-404 and their extensions.

MINER is a collection of 100,000 avatars linked to ERC-X tokens.

Graph of MINER price drop by 60% according to Geckoterminal data

What is ERC-404?

The ERC-404 is a new experimental standard that allows to combine the standard of fungible tokens (ERC-20) and non fungible tokens (ERC-721).

The idea of these tokens is that non- fungible tokens are represented as fungible tokens and the reverse. Thus it is possible to increase liquidity due to the fact that non fungible tokens can be traded in smaller units in the form of fungible tokens.

Let's look at an example. An ERC20 + NFT token is equal to one ERC-404 token. 1 NFT token cannot be divided into fewer parts, while 1 ERC-20 token is usually equal to 10 to the 18th degree of units, which is its divisibility.

If the account balance is less than one ERC-404 token, it owns that amount of ERC-20. If the account balance is equal to or greater than one ERC-404, then it owns that amount of ERC-20 tokens and the relevant amount of NFTs.

NFTs can be traded on NFT marketplaces such as OpenSea, while ERC-20 tokens can be traded on decentralised exchanges such as Uniswap. This allows to capture the liquidity of both NFT marketplaces and decentralised exchanges.

It is important to note that ERC-404 is not an officially accepted standard by the Ethereum community and is experimental in itself, which in its turn implies risks.

ERC-404: Structure

What happened with ERC-X contract of the MINER project?

Now let's analyse the vulnerability of the contract why this happened.

The problem is that when calling the transfer function, which is responsible for transferring tokens, there is a check that the input arguments from and to are not null addresses. But there is no check that the from address is different from the to address. This means that it is possible to specify the same address as the sender and the receiver!

Next, the transfer function calls the update function.

In the _update function you should pay attention to the fact that address balances are initially saved to memory variables, which are further used for calculations.

Then the balance of address from is updated fromBalance ( which was cached ) - value. And immediately the value of the address from the calculation toBalance (which was cached) + value is overwritten. And if the from and to addresses are the same, the data is actually updated simply by the new value of the original balance + value. And in this case, this function simply increases the address balance!

To protect from this vulnerability, simply add a check that the address from != (not equal to) the address to!

At the moment it is highly recommended not to interact with this contract!

Conclusion

This incident highlights the critical importance of auditing and following best practices in developing secure smart contracts because this is a known vulnerability.

It is also very important to be careful when interacting with new standards, especially if they are not accepted by the Ethereum community. In this case, this contract was deployed on the network only a few days before it was exploited!

At Crypton Studio, we understand the critical importance of security in blockchain development. That's why we strictly adhere to industry-leading best practices when creating smart contracts for our clients. Our team is experienced in identifying and mitigating vulnerabilities to ensure the integrity and reliability of your smart contracts. Whether your contracts need auditing, additional verification, or ongoing support, you can trust us to provide comprehensive solutions tailored to your specific needs. Partner with Crypton Studio for robust and secure smart contract development.

Visit our website: https://crypton.studio/en

Now You Understand: Central Bank Digital Currency (CBDC) Explanation and Usage - Part 1

Crypton Studio — Fri, 09 Feb 2024 07:09:35 +0000

CBDCs have been much discussed in recent years, and various countries are exploring the possibilities of implementation. You may have heard or read about this digital currency, but do you have a good understanding of how CBDC is structured, how it can be used, and what impact central bank digital currency will have on the future of finance? We'll tell you all about CBDCs, welcome to Crypton Studio's Now You Understand articles.

The Crypton Studio team explains and educates about web3 and blockchain technologies in the Now you understand article series. We are happy to share our expertise with you and strive for an open dialogue. Don't forget to share your opinion in the comments if you like our work. Enjoy reading!

What is CBDC?

Central Bank Digital Currency (CBDC) - a digital form of national bank money that is created, controlled and maintained by the central bank. It is legal tender and is the same central bank debenture as ordinary banknotes. CBDC is operated by a digital ledger that might or might not be a blockchain.

This provides faster and more secure trsansactions between banks, institutions and individuals. Central banks control the issuance of CBDCs and stand as guarantors of this form of money as compared to cryptocurrencies.

CBDCs now can take the following forms:

Retail is used for settlements between individuals and legal entities, is designed for simple payments and represents a digital form of currency.
Wholesale is used for interbank payments as a new infrastructural solution.
CBDCs can also represent digital assets, they are also registered in a digital registry, which can be distributed or not distributed.

CBDC is a major step forward the digitalization of money and the economy as a whole, increasing its transparency, security and efficiency, including the automation of many processes and the reduction of transactions costs.

CBDC: Use Cases

CBDC is implemented mainly on platforms based on distributed ledger technology (DLT) with support for smart contracts (applications). That gives us many areas of usage and makes this implementation of a digital form of currency really useful for the financial system. Due to the platforms support for smart contracts it allows CBDC to be not just a digital currency but also a programmable form of currency.

Smart contract support allows you to deploy programs that interact and operate with digital currency. For example, when we execute a property deal, we need someone to check the deal for compliance, approve it and register.

In the case of CBDC, we do not need a third party to do this, we can just implement a smart contract, the logic of which will be similar to the logic of the deal. For instance, to control that one side owns the property, the other side has paid the declared value, and then make the transfer of this property, as an option in the form of a token.

In this way we can automate the majority of transactions with almost any property, which significantly increases their availability, speed and performance.

It also removes the workload from the infrastructure that is created for deals, cutting out the need for intermediaries and thereby reducing transactions costs.

Tokenization is the process of converting rights to assets or property into digital tokens. Exactly it allows to make transactions fully digital and automated with the use of smart contracts.

It has been researched that the cost of clearing and settlement of securities for the Central Banks of the G7 countries is more than $50 billion per year, due to the resource costs of asset transfers and account reconciliation.

A DLT-based CBDC successfully solves the problem of inefficiencies and vulnerabilities compared to the current infrastructure. CBDC is natively digital and does not demand the expensive and labour-intensive reconciliation currently required for e-commerce and cross-border payments.

It also allows to optimize the operation of any registry that is responsible for storing records of rights to property or assets. For example, DLT technology can replace and improve the work of registries of movable and immovable property, securities such as stocks, bonds etc.

It also makes it possible to make deals available 24/7 by eliminating the need for a third party to determine the availability of transactions. Digital property/asset transactions increase the accuracy and security of transactions.

Offline payment technology, which provides access to the financial system in areas not covered by banking services and allows transactions to be made without access to the Internet, is currently being actively researched and realized.

We can see that CBDCs move the financial system into a digital form, which opens up many possibilities and optimizes the operation of the system as a whole. Thanks to this, CBDC has a direct control over the money supply, simplifying the distribution of state benefits, improving the control over transactions for tax control. Thus, timely payment of taxes or payment of bond coupons can be automated.

The implementation of CBDC also allows to reduce costs and increase the availability of cross-border payments, including reducing credit risks by providing payment versus payment settlement.

CBDC vs Stablecoins: what’s the difference?

There are several types of stablecoins: fiat-backed, cryptocurrency-backed, commodity-backed and algorithmic. In this comparison, we will focus on the first type - fiat-backed ones, because they have more in common with CBDCs and are the most popular. Examples of this type of stablecoins are Tether (USDT) and USD Coin (USDC).

The principle of Stablecoins is that organizations issue tokens based on the reserves of traditional money in their accounts. That is, in this case the issuance and control of such tokens remain with private institutions and they are not directly controlled by Central Banks.

While CBDC is a form of national currency, their issuance and control is owned by Central Banks, which provides higher security. Due to such regulation CBDC can ensure compliance with tax policy, while in stablecoins do not. It is also important to note that stablecoins use private money as collateral, while CBDCs are backed by government-issued money.

What is the difference between private solutions and public blockchains?

Public blockchains are primarily defined by the fact that they are open to the public. That means anyone can join and participate in the network. Public blockchains are such as Ethereum.

The consensus mechanism means that such a network is managed by the majority.

In particular, transactions are verified and included in new blocks. They are completely open and transparent, everyone can see all transactions and balances of any accounts.

In order to complete a transaction in a public network, it is necessary to verify and confirm the agreement of the majority of participants, which involves commissions, which are the motivation, as well as a longer waiting time due to the fact that it is necessary for the majority of nodes to reach an agreement.

Among the advantages of this solution, we have full transparency and no need to rely on a single control structure due to the high decentralization of the network, which ensures that no single entity controls the network.

A private network is closed and restricted to authorized participants who have full control over the network and transactions on it.

Private solutions allow centralized control over the network and also enable private transactions and private smart contracts. This solves privacy challenges that are very important for governments and corporations.

Private solutions consensus mechanisms involve a very limited number of participants who verify and approve transactions, so transactions are much faster because they do not require majority verification.

They also do not need such a concept as native currency and there are no transaction fees. These solutions appeal to governments and companies because of their centralized control and confidentiality solutions that also allow them to control the legality of their operations. Guarantee of this network are their participants, for example, governments and corporations. Examples of this type of solutions are Quorum, Corda, Hyperledger Besu etc.

CBDC: Why use private solutions?

There are several key reasons why public solutions are not suitable for CBDC implementation.

High volatility: Public cryptocurrencies mean an open market and they are subject to significant price movements, which entails heavy risks for both the government and ordinary users. This makes it difficult to use as a payment method, as changes in value can be in the tens of percent.

In the case with private solutions, the Central Bank is the guarantor and has full control over the digital currency. CBDC is a form of currency rather than a cryptocurrency in its traditional meaning.

Privacy considerations: In public solutions, all data is publicly available. Open data potentially brings risks for directions in which this is a key factor. In private solutions, it is possible to control privacy issues through private smart contracts, private transactions, and restrictions on network participants.

Account control: With public solutions, accounts and funds are under the control of the users themselves or organizations to which the users have delegated control. In the case of private solutions, account control is usually performed by authorised entities.
_
Read "Now you understand: Central Bank Digital Currency (CBDC) explanation and usage, Part 2" about the most popular platforms for CBDC implementation around the world, the real story behind the Brazilian example, and global trends._

Ethereum Scaling 101: A Quick Dive Into Understanding Layer 2 and Sidechains

Crypton Studio — Mon, 29 Jan 2024 11:05:32 +0000

There is a lot of confusion right now about the definitions of what are Layer 2 solutions and what are not. The reason for this is that every scalability solution is called Layer 2, which is technically not always correct, as not all solutions fall into this category.

If you try to understand this on your own, it is extremely difficult to find accurate and clear answers to these questions. So, in this article, we will take a closer look at some of the most popular Ethereum scalability solutions today and find out how they differ from each other. We will also understand exactly what sidechain, Layer 2, ZK-Rollup, and Optimistic Rollup are.

Why is there a need for scalability?

Let's start with why there is a need for scalability in the Ethereum network.

The Ethereum main network has a throughput of only 15 transactions per second. As its popularity grew, this was insufficient, and transactions on the main network became expensive and slow. The high cost of transactions is a result of the network's growing popularity and the limited throughput.

What if more transactions are sent than can be processed? Validators (those who add transactions to the blockchain) will select transactions that have a higher reward (fee). In this case, there is competition between the senders of transactions, and the cost starts to skyrocket. As the network becomes congested and costs increase, the speed of transactions also decreases.

Blockchain scalability challenges

In understanding how scaling solutions work and the limitations they come with, it's easier to start with the blockchain trilemma, a theorem that says that the blockchain network has three main characteristics:

Security - responsible for the network's resistance to attack.

Decentralization - responsible for the resistance to control by a lesser number of people.

Scalability - responsible for the blockchain's ability to handle large volumes of transactions.

Only two of these three parameters can be increased to the desired level at the same time.

The Ethereum network is designed to have extremely high decentralization and security, which in itself is very good for the network. But as we found out from the trilemma - you can't have all three parameters at a huge level at once, so the Ethereum network doesn't have the highest throughput.

There is a demand to process a high volume of transactions at a lower cost, which results in the need for scaling. Off-chain solutions for scaling the Ethereum network are being actively developed. Off-chain means that the main computations are moved outside the main network.

The most popular solutions are sidechains and layer 2. Let's discuss them in the following.

What are Ethereum's off-chain scalability solutions: Sidechains and Layer 2?

Layer 2 is a platform or service that is an overlay on top of the main network (Layer 1). All transactions in Layer 2 change the state of the main network, this way the security of the main network is inherited. Rollups are a way to implement layer 2 solutions. It's worth noting here that Layer 2 solutions are a platform, and it doesn't have to represent a blockchain.

Sidechains - This is a separate blockchain that runs in parallel with the main network. It is important to understand that Layer 2 always changes the state of the main network, inherits its security, and is on top of it, while sidechain is always a separate blockchain.

What is a sidechain?

A sidechain is an isolated blockchain. This means transactions in sidechains do not change the state of the main network (layer 1/Ethereum).

Because it is a separate blockchain, it could have its own consensus algorithm, set of validators, configurations that may differ from the main network, and its own native currency.

This also means it may have a different balance of security - scalability - and decentralization. Sidechains usually sacrifice a level of decentralization or security to achieve high throughput. They are linked to the main network only by a cross-chain bridge that allows assets to be moved between the sidechain and the main network. Sidechains can be non-EVM compatible as well. A prime example of a sidechain is Polygon POS (MATIC).

What are Layer 2 solutions? Take rollups as an example

Rollups are a Layer 2 scaling solution for Ethereum.

The general principle of rollups is that the transactions (TX) are being processed on a platform outside of the main network; a rollup is made from a multitude of transactions and sent to the smart contract in the main network (Layer 1), changing its state.

As the rollup of these transactions is stored in the main network, its security is inherited. Actually, there are two types of Rollups implementation - Optimistic and Zero Knowledge.

How are Optimistic Rollups designed?

As mentioned above, transactions are packaged into a rollup and sent to the smart contract on the main network. In the case of Optimistic Rollup, the smart contract in the main network does not check the sent data and trusts it by default, so it is called Optimistic.

But what if someone wants to cheat? The idea is that these transactions are not being considered confirmed for a certain amount of time. During this period, any validator can send a fraud proof. Here, it should be noted that to become a validator, you need to place a stake in a smart contract.

When a fraud proof is sent, the smart contract checks it. If cheating is detected, the validator who tried to cheat is penalized from his stake, and the validator who sent the cheating evidence is rewarded, motivating everyone to stay honest and watch the honesty of others.

If a wrong fraud-proof is sent, the validator who sent it is penalized to prevent spamming. If no one has sent a valid fraud proof within this period of time and the period has expired, the transactions are moved to the confirmed status.

The special feature here is that until this period expires, transactions are not confirmed, which means a long period of transaction confirmation. An example of a protocol working on the Optimistic Rollup principle is Optimism.

What is the general structure of ZK Rollups?

ZK Rollups, different from Optimistic Rollups, do not depend on trust but on zero-knowledge cryptographic proofs called validity proofs.

Zero Knowledge Proofs allow one prover to cryptographically prove something to another verifier without providing any additional information.

The way it works is as follows: a set of transactions is computed and compressed into a rollup.

After that, a validity proof for this data is generated. With the data, the validity proof is sent to the smart contract of the main network. The smart contract verifies this proof, and if everything is correct, the transactions are immediately considered confirmed. In this case, everything is cryptographically linked, and there is no long waiting for confirmation of transactions. An example of this kind of protocol is StarkNet.

What are the differences between Layer 2 and sidechains?

Layer 2 is a solution that takes the computation and transaction processing outside the main network, but data verification still takes place in a smart contract on the Ethereum network. While sidechains are completely separate blockchains and are not directly

linked to the Ethereum network, they work in parallel.

Conclusion

Blockchains can only have two of these three parameters at the right level simultaneously: security, decentralization, and scalability. Sidechains are individual blockchains that reduce one of these parameters to achieve high throughput.

Layer 2 solutions inherit the security of the main network and modify its state. Optimistic Rollups and Zero-Knowledge Rollups are Layer 2 solutions.

Optimistic rollups work on the basis of trust and use fraud proofs within a certain time period. Therefore, they have a delay in confirming transactions.

With zkRollups, there is no such delay in transaction confirmation because they are not based on trust and instead are based on zero knowledge cryptographic proofs. These proofs are called validity proofs.

Solutions are compared by key parameters in the table.

It is important to understand that Layer 2 solutions inherit the security of the main network and are on top of it, while sidechains are just separate blockchains with different
configurations.