DEV Community: Ebuka Ukatu

Security Best Practices for Smart Contracts in Django Projects

Ebuka Ukatu — Wed, 09 Aug 2023 14:01:35 +0000

Prerequisites

You should have an intermediate understanding of the following to understand the topic and follow along with the case studies and analysis in this article:

You need an understanding of solidity programming language, and if you don’t, preview this tutorial.
Intermediate understanding of Python.
You need an understanding of Django and how it works with smart contracts.
An understanding of Git.
An understanding of hardhat.

Introduction

Smart contracts are programmable codes that execute a predicted outcome when the conditions of an agreement are met. Unlike traditional contracts that need the enforcement of third parties, with smart contracts, there's no need.

Django is a web development framework that works with Python, and there are several uses of smart contracts in Django:

You can use smart contract to save the data of your Django application on a blockchain.
You can use smart contracts for crypto payments on your Django application.
Smarts are used in Django to explore and interact with already existing external contracts.

Security is essential for smart contracts. Like any software application deployed for public use, developers consider security. Here are a few crucial benefits of security in smart contracts:

Security in smart contracts prevents exploits by malicious actors. A DAO hack is one instance. There are others.
Better security means increased trust in smart contracts because there are few incidents where users could lose any asset.

There are best practices developers can use to bolster the security of their smart contracts in Django applications. Using these practices helps developers achieve optimal contract operation.

Smart Contract Security Recommended Practices

Smart contracts are immutable once deployed, and developers must carry out practices that improve smart contracts. Understanding these practices is a prerequisite for smart contract development. Let's delve into them.

A. Use a Linter to Detect Bugs and Vulnerabilities

Linters are programming tools that analyze program source codes and give feedback on bugs and syntax errors. Developers then use this information to better their contracts by fixing the issues before they deploy.

Developers use this information to optimize their smart contract code by fixing the issues before deploying.

There are a few linters for smart contracts written for solidity:

Slither: Built using Python. Slither is a security framework that allows you to analyze your contract code, check for errors and vulnerabilities, and then output detailed visual information about these errors if there are any and has an Application Programming Interface (API) that lets anyone write custom analyses.
Mythril: Built for EVM chains, this is another security analysis tool for smart contracts. Developers use it to detect common vulnerabilities in contracts like integer overflows. However, it doesn’t apply to the business logic of a function in a contract.

Case Study Using Slither

Here, using a contract example, you will analyze the contract and figure out where you can use the information returned by Slither to optimize your code. Using Remix Integrated Development Environment (IDE), you need to have the following installed:

Solidity.
Solidity compiler.
Solidity compiler version.

You can install each of these independently. However, since you are using Remix for this case study, you don’t. Get into your terminal and write the command and run it:

npm install -g @remix-project/remixd

If you want to have it situated in a directory of your choice, then run the command without -g :

npm install @remix-project/remixd

After you have successfully run the command, you should have this:

Now that you have it installed, you need to run remixid in your terminal using the command:

remixd

You will have this in your terminal:

Now that you have done so create a folder for your smart contract, get into your terminal and run the command:

mkdir [new-folder-name]

In your terminal, in place of the new-folder-name, put the name you wish to call your folder.

Afterward, head over to Remix on the homepage, and follow the steps to access the folder:

Click on the area shown and select Connect to Localhost:

After the folder loads create a new file for your smart contract.
After you have input this solidity contract code in, save, and compile it:

// SPDX-License-Identifier: MIT
pragma solidity ^0.4.4;


// ERC20 token interface is implemented only partially.
// hence some functions are left undefined:
//  - transfer, transferFrom,
//  - approve, allowance.

contract PresaleToken {

    /// @dev Constructor
    /// @param _tokenManager Token manager address.
    function PresaleToken(address _tokenManager, address _escrow) {
        tokenManager = _tokenManager;
        escrow = _escrow;
    }


    /*/
     *  Constants
    /*/

    string public constant name = "TEST Presale Token";
    string public constant symbol = "TST";
    uint   public constant decimals = 18;

    uint public constant PRICE = 606; // 606 SPT per Ether

    //  price
    // Cup is 10 000 ETH
    // 1 eth = 606 presale tokens
    // ETH price ~50$ for 28.03.2017
    // Cup in $ is ~ 500 000$

    uint public constant TOKEN_SUPPLY_LIMIT = 606 * 10000 * (1 ether / 1 wei);



    /*/
     *  Token state
    /*/

    enum Phase {
        Created,
        Running,
        Paused,
        Migrating,
        Migrated
    }

    Phase public currentPhase = Phase.Created;
    uint public totalSupply = 0; // amount of tokens already sold

    // Token manager has exclusive priveleges to call administrative
    // functions on this contract.
    address public tokenManager;

    // Gathered funds can be withdrawn only to escrow's address.
    address public escrow;

    // Crowdsale manager has exclusive priveleges to burn presale tokens.
    address public crowdsaleManager;

    mapping (address => uint256) private balance;


    modifier onlyTokenManager()     { if(msg.sender != tokenManager) throw; _; }
    modifier onlyCrowdsaleManager() { if(msg.sender != crowdsaleManager) throw; _; }


    /*/
     *  Events
    /*/

    event LogBuy(address indexed owner, uint value);
    event LogBurn(address indexed owner, uint value);
    event LogPhaseSwitch(Phase newPhase);


    /*/
     *  Public functions
    /*/

    function() payable {
        buyTokens(msg.sender);
    }

    /// @dev Lets buy you some tokens.
    function buyTokens(address _buyer) public payable {
        // Available only if presale is running.
        if(currentPhase != Phase.Running) throw;

        if(msg.value == 0) throw;
        uint newTokens = msg.value * PRICE;
        if (totalSupply + newTokens > TOKEN_SUPPLY_LIMIT) throw;
        balance[_buyer] += newTokens;
        totalSupply += newTokens;
        LogBuy(_buyer, newTokens);
    }


    /// @dev Returns number of tokens owned by given address.
    /// @param _owner Address of token owner.
    function burnTokens(address _owner) public
        onlyCrowdsaleManager
    {
        // Available only during migration phase
        if(currentPhase != Phase.Migrating) throw;

        uint tokens = balance[_owner];
        if(tokens == 0) throw;
        balance[_owner] = 0;
        totalSupply -= tokens;
        LogBurn(_owner, tokens);

        // Automatically switch phase when migration is done.
        if(totalSupply == 0) {
            currentPhase = Phase.Migrated;
            LogPhaseSwitch(Phase.Migrated);
        }
    }


    /// @dev Returns number of tokens owned by given address.
    /// @param _owner Address of token owner.
    function balanceOf(address _owner) constant returns (uint256) {
        return balance[_owner];
    }


    /*/
     *  Administrative functions
    /*/

    function setPresalePhase(Phase _nextPhase) public
        onlyTokenManager
    {
        bool canSwitchPhase
            =  (currentPhase == Phase.Created && _nextPhase == Phase.Running)
            || (currentPhase == Phase.Running && _nextPhase == Phase.Paused)
                // switch to migration phase only if crowdsale manager is set
            || ((currentPhase == Phase.Running || currentPhase == Phase.Paused)
                && _nextPhase == Phase.Migrating
                && crowdsaleManager != 0x0)
            || (currentPhase == Phase.Paused && _nextPhase == Phase.Running)
                // switch to migrated only if everyting is migrated
            || (currentPhase == Phase.Migrating && _nextPhase == Phase.Migrated
                && totalSupply == 0);

        if(!canSwitchPhase) throw;
        currentPhase = _nextPhase;
        LogPhaseSwitch(_nextPhase);
    }


    function withdrawEther() public
        onlyTokenManager
    {
        // Available at any phase.
        if(this.balance > 0) {
            if(!escrow.send(this.balance)) throw;
        }
    }


    function setCrowdsaleManager(address _mgr) public
        onlyTokenManager
    {
        // You can't change crowdsale contract when migration is in progress.
        if(currentPhase == Phase.Migrating) throw;
        crowdsaleManager = _mgr;
    }
}

Now that you complied it, head over to this part of your Remix interface, click on analyze, then the Slither section.

From the errors, you can then work on fixing the smart contract presale code using the error as pointers.

B. Perform Thorough Testing on your Smart Contract

Testing your smart contract helps you identify possible exploitable errors you wouldn't have ordinarily noticed even after going over the code yourself or using any linter.

Given that smart contracts are immutable when deployed to the mainnet. Since they usually deal with massive valued assets, any exploitation would lead to user losses.

Since Linters don't work on the logic of codes, you should use an advanced technique to determine if your code can be deployed and integrated with your Django application. To do this, you could perform the following:

Unit testing: Performing thorough unit tests on your smart contract code is necessary because each function gets tested individually to see if the function's logic works. This development process divides all testable parts into units.

Doing this helps you as a developer to know if parts of your
code work as you intend it to and meets the minimum requirement
for security, usability, and reliability. If it doesn't meet these requirements, you can fix the bugs and save those
interacting with it from future exploitation.

Unit tests are an automated type of testing because you use
scripts to carry it out. And to properly carry out a unit test,
you have to consider the following:

You should comprehensively understand your smart contract's business logic and workflow.
Know the assumptions associated with your smart contract.
Check and measure the code coverage of your smart contract.
Use a well-developed testing suite like:
- Foundry
- Truffle
- Brownie
- Remix

Using these suites allows you to perform unit testing faster.

Fuzz testing: Your unit tests could be good enough to let you figure out vulnerabilities in your code. However, it's good to run more than one type of test. Fuzz testing enables you to input millions of unexpected data against your smart contract to cause surprising behavioral logic.

It is fast, efficient, and easy to test scenarios or assumptions you might have yet to think about with your smart contract code.

Most programmers use Diligence fuzzing for their smart contracts. It's also good to note that fuzzing used the scribble standard to identify complex vulnerabilities better.

Case Study using Consensys Diligence Fuzzing

Consensys, for a while, had launched the beta version of their diligence fuzzing. However, earlier this year, they launched the tool for use within the developer community.

This case study will use the Consensys diligence fuzzing tool to test a staking smart contract. To run fuzz testing, follow the tutorial:

Step 1: Create an account

You must create a diligence account to carry out the fuzzing test. When you signup, you get 10 hours of free fuzzing time. Use the Google sign-in option to sign up or input your email and create a password:

Step 2: Get an Application Programming Interface (API) key

Head over to this part of the website:

Click on Create a new APT Key:

Give it a name, create, and copy the API:

Step 3: Create a Working Hardhat working Folder

Here you need to create a working Hardhat project folder. After you have created it, head over to this GitHub repository:

https://github.com/Consensys/scribble-exercise-1/blob/master/contracts/vulnerableERC20.sol

Copy the code into your Hardhat project, and create a new folder for your contracts. Afterward, create a new file for the solidity code, and paste the code.

After you have, compile it by running this command in the project contracts directory on your terminal:

npx hardhat compile

Step 4: Install dependencies

Navigate to the root folder you had created for the Hardhat project in the previous step on your terminal and install project-related dependencies by running these commands:

pip3 install diligence-fuzzing

After running the command, next, run this:

npm i -g eth-scribble ganache truffle

And after you do, get on with the next step.

Step 5: Add your Created API Key

Now that you have installed the dependencies, get into the Hardhat root folder you created and create an env where you can add your API key by running this command:

echo FUZZ_API_KEY='your API key here' > .env

In place of your API key here input the key you created initially and run the command.

Step 6: Annotate the Contract

Get into the root directory, and find the contract,
contracts/'the name you saved it with'.sol. After you have, add this to the top of the contract:

/// #invariant "balances are in sync" unchecked_sum(_balances) == _totalSupply;

And above the transfer function, add this:

/// #if_succeeds msg.sender != _to ==> _balances[_to] == old(_balances[_to]) + _value; /// #if_succeeds msg.sender != _to ==> _balances[msg.sender] == old(_balances[msg.sender]) - _value; /// #if_succeeds msg.sender == _to ==> _balances[msg.sender] == old(_balances[_to]); /// #if_succeeds old(_balances[msg.sender]) >= _value;

After you have, run this command:

fuzz arm

And then deploy the contract to your chosen network.

Step 7: Run Fuzz Test

To run the fuzz test from the root folder in your terminal, run the command:

make fuzz

Head over to your dashboard at Diligence and wait a few minutes. The failure or errors in the smart contract will show.

You can further click through the properties to see what’s wrong with the contract and how you could fix its logic.

C. Write Simple Smart Contracts

Smart contracts can be complex depending on what objective you aim for with them. However, simple rules can help you write simple smart contracts.

Simple, smart contracts make your code easier to audit and run tests on, saving you time and making your code more effective. The following are simple rules you can use:

Depending on the complexity, break your whole code into more minor contracts focused on a functionality.
Apply modular programming principles when writing your contracts to make them reusable across projects.

D. Apply Safe Maths Operations in Contracts

During arithmetic operations, overflow tends to happen, and most times this isn’t the programmer's fault because it is assumed that a data type will hold the data assigned to it. Also, underflows happen, and this is due to the result of an arithmetic calculation being in an absolute value that gets represented.

In solidity, however, unlike most high-level programming languages where an error is shown for an overflow or underflow, this isn’t the case. And since solidity doesn’t show this error, safe maths is used to revert the mathematical operation or transaction when an overflow or underflow happens.

Importing the safe math library when writing a contract helps to validate if a logic will cause an overflow or underflow. However, this library is only available and works for versions of solidity from 0.8 and lower. So, if you use a lower version of solidity when writing your smart contract, importing this operation is a good security measure to prevent the loss of assets or funds.

To import safe maths operations in your solidity code, use this:

Import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.0.0/contracts/math/SafeMath.sol";

E. Use Reentrancy Security Strategies in your Contract

Reentrancy attacks have seen contracts drained of their fund. In solidity, the attack happens when a malicious actor finds an exploitable error in a function. The function getting exploited gives up the control flow of the transaction because the smart contract makes an external call to the contract written by the malicious actor. The unfavorable contract then makes a recursive call to the contract holding the funds, where it then drains it.

Reentrancy attacks are of three types, namely:

Single Reentrancy Attack
Cross-function Reentrancy Attack
Cross-contract Reentrancy Attack

These attacks can happen in different ways. However, a common pseudo-code example is this:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;


contract PaymentSystem {
    mapping (uint256 => bool) public payments;


    function payUserA(uint256 userId) public {
        if (!payments[userId]) {
            // pay user
            payments[userId] = true;
        }
    }


    function payUserB(uint256 userId) public {
        payments[userId] = true;
        if (!payments[userId]) {
            // pay user
        }
    }
}

If you check the functions in the code, the first one is exploitable because if a malicious actor is smart enough, they can send multiple transaction payout requests and get paid more money before the mapping gets set to true. However, the second function checks for this, and the first interaction or call gets set to true and subsequent requests won’t pay out.

Using common best security smart contract strategies to prevent reentrancy attacks is the best route to take, namely:

Pullpayments
ReentrancyGuards
Pausable

Using this in your smart contract will help against a reentrancy attack. Pullpayments prevent these attacks by preventing a paying smart contract from interacting directly with a reciever address. Here the malicious actor won’t be able to block execution. To use it in your smart contract, do this:

import "@openzeppelin/contracts/security/PullPayment.sol";

Also, ReentrancyGuards prevent a reentrancy attack on a function, like demonstrated above, to use this in your code:

import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

Pausable is an emergency stop mechanism you can use in your smart contracts by an authorized account. To use it in your code:

import "@openzeppelin/contracts/security/Pausable.sol";

Perform Audits and Maintenance

Applying security best practices to your smart contract codes is a good thing. However, you will want always to be ahead of any situation should it arise. And for that reason, you should perform regular security audits on your smart contracts because this will help you discover bugs that must have escaped scrutiny.

During security audits, when vulnerabilities are found, you want to carry out a patch or an update quickly before a malicious actor discovers it. Security is always necessary, and you must regularly and constantly carry out audits and maintenance to safeguard against attacks.

Conclusion

Security practices are used to give the best positive outcome possible, increase trust, and prevent exploits of smart contracts. When building your Django applications and integrating smart contracts into them, you wouldn’t want any user to fall prey to security vulnerabilities because smart contracts mainly deal with funds.

We looked at the common types of attacks on smart contracts and how they happen, from arithmetic overflow and underflow to reentrancy attacks. This article's discussions and case studies are enough to set you on a path for applying best security practices in your contracts.

Building Smart Contracts for Django Applications

Ebuka Ukatu — Fri, 21 Jul 2023 18:20:22 +0000

Introduction

Contracts are binding and have been around for a long time. Until the internet revolution in the 1990s, contracts were only enforceable by the action of a third party. For example, if you had an agreement with someone who sells fashion clothes, and part of the agreement was that you paid an advance to receive it at a decided date where you would also pay up the remaining cash.

And for some reason, the other party doesn’t hold their end of the bargain; the third party makes this enforceable, usually using force.

In contracts, you hope and trust that the other party comes through, and there won’t have to be a need for the enforceable actions of a third party, which brings up unfavorable situations.

What are Smart Contracts?

Smart contracts are programmed agreements written in code, which executes the programmed command when all agreement conditions are met.

To break down this understanding, let’s use the analogy of the workings of a vending machine:

A young man Bobby visits his friend in a hospital and is exhausted and needs to have a carbonated drink, Coke. Bobby decides to use a vending machine he finds in the vicinity, he walks up to the device and chooses Coke, and the engine returns the amount he needs to release the drink.

He inserts the required amount, and the vending machine verifies the correct amount. Afterward, it dispenses the carbonated drink to Bobby.

From the analogy, Bobby couldn’t have committed any fraud to get the carbonated drink because the vending machine is programmed only to dispense when the other party has inputted the correct amount required for a product.

Another example would be the use of an escrow service. Alice is a woman who lives in California, USA, and goes on a trip to Europe, and unfortunately runs out of dollars. She needs it and decides to use an escrow to exchange her dollars for euro with a local she met, whose name is Isaac.

Alice sends the amount she wants to exchange to the digital escrow, and Isaac sends an equivalent of the euros to the same digital escrow. After the program verifies that both have sent the required amount for the transaction to happen, it releases the euros to Alice and the dollars to Isaac.

Here there is no requirement for using a third party to enforce the agreement between both parties, and the smart contract program handles that, which makes the transaction more credible and boosts trust.

I. - Getting Started with Blockchain Smart Contract Development

Blockchain smart contract development is the programming and deploying of agreements in code to the blockchain where it is transparent for all to check and which executes agreements on the blockchain.

Here is a guide on getting started with Blockchain smart contract development:

1. Install Solidity

To install solidity, we will use an easy approach. First, you have to install Visual Studio Code on your system. To download Visual Studio Code:

Head over to the website to download the software; depending on the operating system you use, as shown in the diagram below, choose your operating system, download, and run.
After downloading and running Visual Studio Code, head over to this part of the software as highlighted below:

When there, input “solidity” in the search bar as seen below:

Afterward, click on the first result shown below, and click install:

To confirm you have installed solidity correctly, you should check this part of the picture highlighted below:

You are good to go now that solidity is installed in your Visual Studio Code.

2. Choose an Integrated Development Environment (IDE) like Remix

For easy coding, deploying, and debugging of smart contracts for Ethereum and EVM-compatible chains, Remix online Integrated Development Environment (IDE) is the safest and fastest option you could go with.

To use Remix IDE, head over to the website and launch it. When you do this, this is what you should see on your screen:

Now that you have this, let’s create our first contract.

3. Write and Compile your First Smart Contract

To write your first contract, we need to create a file for the solidity in its format or extension, which is .sol. To do this, head to the contracts folder.

When you do, right-click on the folder and create a new file using the name you want your file to be, ending it with .sol. I called mine Django_App:

You must understand the basic syntax and style guide to write your first solidity code. For consistency, the style guide requires four spaces for indentation; for declarations, you should surround them with two blank lines. When declaring functions, they should have an empty line space.

Let us write a simple, smart contract. To do this, open the file you created earlier, ending with the .sol extension. Next, we need an SPDX license identifier comment at the top of the code; this helps trust and makes source code available. Note that in solidity, every comment begins with //.

Write your first line of code, which is the comment:

// SPDX-License-Identifier: GPL-3.0

Next, we use the pragma keyword, as this helps the compiler we use to run specific features and checks. To prevent future problems with compilation incompatibility, we use a version pragma. Here we use:

pragma solidity >=0.7.0 <0.9.0;

This means this code is written for solidity version 0.7.0 up till 0.9.0 and no more. Subsequently, we create a contract and name it App:

contract App {
}

The contract we have created so far is empty because it doesn’t contain codes that tell the contract to perform a specific action.

To compile your contract, click on compile interface highlighted below:

When you do so, and there are no syntax errors in your code, you should click here to compile your contract:

4.Testing your Smart Contract Using Ganache and Metamask

Now that you have written your first smart contract using an IDE named Remix and have complied with it let’s test it.

To do so, we will use Ganache, a personal Ethereum blockchain that provides you with virtual accounts and test Ethereum tokens to test your smart contracts before deploying to the mainnet.

To set up your Ganache, head to the website, choose your operating system, download it, and then run the application. To set up your account with Metamask, do this:

First, choose the quickstart option; you will see this interface below. All you have to do is choose an account you will use:

Next, you need to connect Ganache to your Metamask. If you don’t have it installed, use this guide and get started. To connect with Ganache, head to the settings display on your Metamask:

Next, copy the RPC from your Ganache desktop application:

After you have, you should input it in Metamask to connect it. In the settings area, choose networks. After you have chosen networks, proceed to add the network you want. And manually input the network, placing the right answers in the necessary sections below. However, note that in the RPC server section, you should paste the one you copied:

After putting the required information, save it.

You need to import any of the Ganache accounts into your Metamask so you can easily deploy and test your contract. Choose any account and tap on the key icon and copy the private key:

After you have copied the private key, go into your Metamask and import it:

If you did so correctly, this is what you would have on your screen:

After you have followed all the steps outlined and have correctly done so, You need to connect your Metamask wallet to Remix IDE. To do this, head to Remix and choose the deploy and run option. After you have done so, choose “injected provider-Metamask” and connect your wallet. Next, choose a contract, in this case, the Django_App contract we created earlier, and deploy:

Afterward, confirm the transaction on your Metamask:

If the contract deployed successfully, you should get this:

If you got the notification, congratulations! Your contract worked, and you are good to go.

II. - Integrating Smart Contracts in a Django App

Django is a framework that helps Python developers build scalable web applications. And in this section, you will learn how to integrate a smart contract in a Django app.

1. Create a Django Project

Since the installation we ran applies to all the systems, we should create a Django application to perform further activities. After you have completed creating a Django project following this guide, you should install the necessary packages we need.

Get into your terminal, still in the virtual environment you had begun to create your Django project, and run this command:

pip install web3

You will see an output as this after you have successfully installed the package:

2. Connecting to a Blockchain Network Using Django

To connect to the Django framework, you first need to choose the network you wish to connect to, and for this guide, we will connect to the Ethereum Blockchain; to do so, we will use the web3.py library.

Create an app within your Django project and create an eth.py file within your designed app, and import web3 there:

from web3 import Web3, AsyncWeb3

Since we need to connect to a blockchain network and have decided it will be Ethereum, we will use Infura provider. Open an account and copy the API keys:

And head over to the eth.py file of your Django app and input this there:

infura_url = "https://mainnet.infura.io/v3/78955d8b4dde48dbbc963ac94fce1b92"

It helps us specify our provider, which is in HTTPProvider. Also, note that you must assign your URL to a variable; here, you assign your API to the infura_url variable. Next, instantiate a connection using this:

web3 = Web3(Web3.HTTPProvider(infura_url))

To check if your connection worked, add this line of code:

print(web3.is_connected())

If it is connected, you will get a true statement in your terminal when you run the code.

So far, you should have something like this:


from web3 import Web3, AsyncWeb3

infura_url = "https://mainnet.infura.io/v3/78955d8b4dde48dbbc963ac94fce1b92"

web3 = Web3(Web3.HTTPProvider(infura_url))

print(web3.is_connected())

3. Sending a Transaction Using `web3.py` in your Django Project

You can send eth using web3.py from your Django app. To do this, get into the views.py file in your Django app and import web3, views:

from web3 import Web3

As we did with Infura earlier, specify the ganache API within a variable; here, we use ganache_url, given as:

ganache_url = (YOUR_API_KEY/RPC)

Next, instantiate the connection using this:

web3 = Web3(Web3.HTTPProvider(ganache_url))

Next, you load your account via the eth account:

acct1= w3.eth.account.from_key(pk)

From your Ganache account, let's choose the first account, get the private key, and put it in place of pk in the line of code above. What this does is load the account's data into variable acct1.

Next, we assign the address we want to send eth to a variable:

some_address = "0xe1488a47b923aD2FC150Ac4DeE4dcE5605Ed5fce"

For the address to assign to some_address, use the second account or any of your choice in your ganache.

Next, we need to build out the transaction to send eth. To do this:

transaction = {
      'from': acct1.address,
      'to': some_address, 
      'value': 1000000000,
      'nonce': web3.eth.get_transaction_count(acct1.address), 
      'gas': 250000,
      'gasPrice': web3.to_wei(8,'gwei'),
}

In the code, from specifies the account you are sending the eth from to identifies the receiving address. The value is the amount of eth you wish to send, the nonce is put to ensure it sends once, gas specifies how much you want to send, and gasPrice is the gas price for the gas you wish to pay for the transaction.

Next, you should sign the transaction using the private key of acc1. Here's how to do it:

signed = w3.eth.account.sign_transaction(Transaction, private key)

Lastly, we send the signed transaction:

tx_hash = w3.eth.send_raw_transaction(signed.rawTransaction)
tx = w3.eth.get_transaction(tx_hash)
assert tx[" from'] == acct1.address

Here's the full code:

from web3 import Web3

ganache_url = "HTTP://127.0.0.1:7545"
web3 = Web3(Web3.HTTPProvider(ganache_url))

acct1 = web3.eth.account.from_key("0xc1bf30defcd506bc3692de90ac0295763c29e79eb92c81bbcf78378d50a76db3")

some_address = "0xe1488a47b923aD2FC150Ac4DeE4dcE5605Ed5fce" 

transaction = {
      'from': acct1.address,
      'to': some_address, 
      'value': 1000000000,
      'nonce': web3.eth.get_transaction_count(acct1.address), 
      'gas': 250000,
      'gasPrice': web3.to_wei(8,'gwei'),
}

signed = web3.eth.account.sign_transaction(transaction, "0xc1bf30defcd506bc3692de90ac0295763c29e79eb92c81bbcf78378d50a76db3")

tx_hash = web3.eth.send_raw_transaction(signed.rawTransaction)
tx = web3.eth.get_transaction(tx_hash)
assert tx['from'] == acct1.address

To send the eth, run the file in your terminal. To confirm it worked, check your Ganache and your transactions. You should find this:

4. Deploying a Smart Contract from your Django Project using web3.py

Earlier, we had created a smart contract and deployed it using injected Web3 provider in Remix IDE; this time, we will be deploying the smart contract from our Django project using web3.py.

As we had done earlier, create a new file, name it deploy.py, open it, and initiate a connection to Ganache:

from web3 import Web3

ganache_url = ()
web3 = Web3(Web3.HTTPProvider(ganache_url))

Next, using the contract we had created earlier. Head on to your remix, and get the abi and bytecode of the contract. After you have done so, head over to the deploy.py file and write this:

bytecode = contract_interface['bin']
abi = contract_interface['abi']

Input your contract’s bytecode and abi into ‘bin’ and ‘abi’. The bytecode allows us to execute the code, and the abi lets us interact with the executed code.

Next, we have to set the pre-funded account as the sender. Here’s how to do it:

web3.eth.default_account = web3.eth.accounts[0]

After you have done this, to instantiate it in Python and deploy we do this:

App = web3.eth.contract(abi=abi, bytecode=bytecode)

Where App is the name of the contract we had created earlier, after deploying to get the transaction hash and receipt, we write this code:

tx_hash = App.constructor().transact()

tx_receipt = web3.eth.wait_for_transaction_receipt(tx_hash)

Here is the full code:

from web3 import Web3

ganache_url = "HTTP://127.0.0.1:7545"
web3 = Web3(Web3.HTTPProvider(ganache_url))

bytecode = '6080604052348015600f57600080fd5b50603f80601d6000396000f3fe6080604052600080fdfea2646970667358221220a2bebf97e45daed66e8c174b0fd5f4b9a2c72e36e6e3f6a7da610f0fa2a8fdc364736f6c63430008120033'
abi = '[]'

web3.eth.default_account = web3.eth.accounts[0]
App = web3.eth.contract(abi=abi, bytecode=bytecode)

tx_hash = App.constructor().transact()

tx_receipt = web3.eth.wait_for_transaction_receipt(tx_hash)

Congrats! You have deployed your contract from Django. To get your contract, go into your Ganache app, and check the transactions. You should find this:

Conclusion

Django is a Python web development framework you can use to carry out Web3 operations when you have web3.py installed. You have learned the concept of smart contracts and how to create and deploy one.

In addition, there are different considerations when it comes to smart contracts. Due to its nature, there are security vulnerabilities to watch out for, testing, auditing, and upgrading. Luckily, you have learned how to build smart contracts for Django Applications.

Use of AI and Machine Learning to Build More Effective Decentralized Applications for Web3

Ebuka Ukatu — Mon, 17 Jul 2023 22:42:31 +0000

Introduction

Decentralized applications (Dapp) are revolutionizing the way we approach decentralized Web3. They get built on the infrastructure of Web3. Usually, they are programs and protocols that a centralized authority can't control. These applications have helped change the scope of Web3 development.

However, considering this scope, there are spots or instances where the effectiveness and efficiency of decentralized applications could experience different drawbacks with maintenance, where updates are frequently needed.

Also, there is the scaling issue where the required level of security, integrity, transparency, and reliability, the computational power needed, would be great, and this is where artificial intelligence (AI) and machine learning (ML) could play a significant role.

Applications of Artificial Intelligence (AI) and Machine Learning (ML) in Web3

Artificial Intelligence (AI) mirrors human intelligence, the ability to reason and infer by computerized systems. AI systems can self-learn, self-correct, reason, and also display creativity. We could improve effectiveness and efficiency faster when aligned with Web3 and in application to decentralized applications.

By feeding these AI systems data and through machine learning, there could be an adaptation to peculiar situations without the need for explicit instructions using statistical models and algorithms that work with given data.

This way, AI could perform in a more efficient way, far better than humans could. Below are different applications of AI and machine learning in Web3.

I. - Fraud Detection and Risk Management

One of the drawbacks of decentralized applications is security, and there have been reports of different types of exploits and frauds. For example, bad actors could, through the use of phishing links, make unsuspecting individuals carry out transactions against their will.

Fraudulent transactions could be identified, traced, and retrieved using anomaly detection models; this can help improve the trust and efficiency in dapps and reduce the number of those who fall into fraudulent scams and attacks.

We could apply artificial intelligence and machine learning to risk management in Web3 and decentralized applications. Users often need a way to access the risk of certain transactions they take and can only take a wild guess; this leads to situations where users sign transactions that give malicious actors access to their dapps.

However, using AI and ML, there can be a predictive risk assessment of any transaction you want. Users can then decide whether transactions are safe to carry out, reducing the frauds they fall into.

II. - Improving Smart Contract Security

There have been different cases of smart contract exploitation, from Poly Network to Ronin; all of this has resulted in a lapse in the security of their contracts. Artificial intelligence and machine learning can help reduce these sorts of events.

We can detect vulnerabilities in smart contracts using artificial intelligence and machine learning. By seeing these vulnerabilities, smart contract engineers and programmers can improve the overall security of a contract by implementing correct logic.

Also, using ML classifiers for smart contract auditing could help smart contract auditors do a faster and better job than they would naturally.

III. - Optimizing Decentralized Infrastructure

Using AI, developers could allocate resources optimally to achieve a desired goal. Unlike when AI uses available data to make decisions quickly, it could take longer for humans, with more margins for error and bias, to reduce the overall robustness of resource optimization.

Also, applying this to load balancing in decentralized networks. AI can help distribute network traffic equally across multiple pools that support a decentralized application.

In addition, it could get used to maximize the performance of distributed storage and computing.

IV. - Content Recommendation and Curation

There's a lot of content in Web3, from seemingly good ones to others that are useless or targeted at misleading.

Using personalized machine learning-powered recommendations for content and suggestions for marketplaces and Web3 tools could reduce the time people spend researching.

These recommendations would reduce the number of frauds or scams people fall victim to and help them have better options for making choices.

V. - Automated AI Model Deployment

In decentralized computing infrastructure, one of the lapses is the time it takes to individually carry out functions from different networks working together for a system.

Although in contrast to the centralized computing infrastructure, it’s known to be more effective because the performance of each network pars the needs of any application.

We could deploy AI and ML models to handle the workloads on this infrastructure further to enhance the performance of this decentralized computing infrastructure, making it operationally faster and more effective.

Challenges in Using AI and Machine Learning to Build More Effective Decentralized Applications for Web3

There are different challenges the use of AI and ML for decentralized applications is bound to face due to the nature of decentralization itself, and we go through a few here.

I. - Data Collection in a Decentralized Environment

One of the challenges is the collection of valuable data in a decentralized environment. Since there is no centralization, accessing data and collecting would be threefold tricky due to the inherent structure of decentralization itself.

Individually scraping out and cleaning data from different independent networks would take a while and might prove unnecessarily tiresome for many.

II. - Securing ML Models Deployed on Blockchain

There's a challenge with the security of models deployed on the blockchain, which is honest. What chances are models deployed won't get corrupted by malicious actors? A model inversion poses the greatest threat to the security of models.

In an attack, malicious actors aim to expose the privacy of training data which can hurt confidentiality in models.

Also, there could be data poisoning, where AI models get trained with data manipulated to predict this AI's behavior. An attack such as this could alter, for example, a personalized recommendation system by AI models, where fraudulent marketplaces get shown as options for users to choose from, increasing the possibility of them falling for scams.

III. - Model Training Using Distributed Datasets

Training models using distributed datasets could be cumbersome and time-consuming due to labeling and cleaning.

Although, it could be fast when the model training is done concurrently for each dataset and could help for time-sensitive tasks.

Future Prospects

There are different future possibilities that AI and ML present for decentralized Web3, and we touch on a few possible below.

I. - AI-driven Smart Contracts and Dapps

We could train AI to engineer smart contract development and make the whole development cycle from scratch to deploy easier, faster, and more secure. Also, decentralized applications could be run solely by AI-trained models, reducing the possibility of interference by centralized malicious actors.

II. Self-learning Decentralized Applications

We could do dapps that self-learn and take inputs from user experience to help make the experience of users more smooth and more effective.

For example, if a user encounters a bug when using a decentralized application, it could learn from that and help to make other users not face the same bug that caused the previous user to have a horrible experience.

Conclusion

There has been a recent fear of losing out (FOMO) on AI and what it poses for the future of humans and technology.

However, through AI alignment in decentralized applications for decentralized Web3, there could be advances that would prompt robust advancement and progress.

However, this isn't without challenges, as there are security, data collection, and training using distributed data sets that could make this goal harder to reach.

Regardless, there are bright prospects that the alignment of AI in decentralized Web3 poses to bring to the user experience and technological advancement over time.

DEV Community: Ebuka Ukatu

Security Best Practices for Smart Contracts in Django Projects

Prerequisites

Introduction

Smart Contract Security Recommended Practices

A. Use a Linter to Detect Bugs and Vulnerabilities

Case Study Using Slither

B. Perform Thorough Testing on your Smart Contract

Case Study using Consensys Diligence Fuzzing

Step 1: Create an account

Step 2: Get an Application Programming Interface (API) key

Step 3: Create a Working Hardhat working Folder

Step 4: Install dependencies

Step 5: Add your Created API Key

Step 6: Annotate the Contract

Step 7: Run Fuzz Test

C. Write Simple Smart Contracts

D. Apply Safe Maths Operations in Contracts

E. Use Reentrancy Security Strategies in your Contract

Perform Audits and Maintenance

Conclusion

Building Smart Contracts for Django Applications

Introduction

What are Smart Contracts?

I. - Getting Started with Blockchain Smart Contract Development

1. Install Solidity

2. Choose an Integrated Development Environment (IDE) like Remix

3. Write and Compile your First Smart Contract

4.Testing your Smart Contract Using Ganache and Metamask

II. - Integrating Smart Contracts in a Django App

1. Create a Django Project

2. Connecting to a Blockchain Network Using Django

3. Sending a Transaction Using web3.py in your Django Project

4. Deploying a Smart Contract from your Django Project using web3.py

Conclusion

Use of AI and Machine Learning to Build More Effective Decentralized Applications for Web3

Introduction

Applications of Artificial Intelligence (AI) and Machine Learning (ML) in Web3

I. - Fraud Detection and Risk Management

II. - Improving Smart Contract Security

III. - Optimizing Decentralized Infrastructure

IV. - Content Recommendation and Curation

V. - Automated AI Model Deployment

Challenges in Using AI and Machine Learning to Build More Effective Decentralized Applications for Web3

I. - Data Collection in a Decentralized Environment

II. - Securing ML Models Deployed on Blockchain

III. - Model Training Using Distributed Datasets

Future Prospects

I. - AI-driven Smart Contracts and Dapps

II. Self-learning Decentralized Applications

Conclusion

3. Sending a Transaction Using `web3.py` in your Django Project