ZeppelinOS: tools for smart contract applications

ZeppelinOS: tools for smart contract applications(blog.zeppelin.solutions)

93 points by demianbrener 8 years ago | 36 comments

Rmilb 8 years ago |

Standard peer reviewed libraries for the new world of smart contracts is sorely needed. Hopefully the increased complexity does not increase the gas costs of the contracts too much. I think most devs would trade higher gas costs for a more secure platform to develop on. Anyone who lost funds in the parity wallet hack would probably agree.

https://www.coindesk.com/30-million-ether-reported-stolen-pa...

hrpnk 8 years ago | |

> Hopefully the increased complexity does not increase the gas costs of the contracts too much

It's possible to save gas by pulling in libraries' code into the contracts via the "internal" keyword [0]. This way JUMP will be used instead of DELEGATECALL.

Peer reviewed libraries will definitely help to make the platform more secure. However, the engineers decide whether to use libraries or not. What's needed is more discipline and willingness to raise the overall quality level of smart contracts and DApp development.

Writing software that handles money is different from some random web app, where bugs can be quickly fixed. We see some ICOs using OpenZeppelin [1] for their contracts, using practices like continuous integration and measurement of code coverage. However, we need much more quality-oriented practices to become widespread like mutation testing. In the current environment, developers are often more motivated to participate in bug bounties or exploit already deployed code, rather than contribute to the ecosystem/tooling.

[0] http://solidity.readthedocs.io/en/develop/contracts.html#lib...

[1] https://medium.com/@bocytko/would-you-trust-your-money-to-a-...

Rmilb 8 years ago | | |

Thanks for linking docs

edjere 8 years ago | |

Exactly. If a higher level of security and robustness of the platform is not achieved we will continue to see hacks like the Parity one over and over again. This is one of the main drivers for building zeppelinOS.

hossbeast 8 years ago |

Sounds interesting and important, but you probably need a new term for this category of software. "OS" is taken, and it means something else.

xellisx 8 years ago | |

Also it's built on top of Ethereum Virtual Machine. Quick look at http://ethdocs.org/en/latest/introduction/what-is-ethereum.h..., which calling that a VM from what I read isn't screaming VM to me, more like a distributed computing application.

tom_mellior 8 years ago | | |

Which sense of virtual machine do you mean? There are already at least two. One is a virtualization thing like VMware. Ethereum is not that. The other sense is a bytecode interpreter/compiler like the Java Virtual Machine. Ethereum is like that. Except that it duplicates computations across many physical machines.

m-j-fox 8 years ago | |

Also Zeppelin.

https://zeppelin.apache.org/

xellisx 8 years ago | |

Should be OSS. What is strange is that the refer to the core of their software as a "Kernel".

spalladino2 8 years ago | | |

OSS meaning operational support system?

sauravt 8 years ago |

I'm a big fan of Zepplin devs and the open source work they have been putting out there since the early days. Their medium posts are a goldmine for any beginner developer looking to develop DAPPs.

currymj 8 years ago | |

it's pretty hard to write even a simple smart contract that doesn't have horrible vulnerabilities. far harder, I would say, than writing C code that can't be buffer-overflowed on an old system with no protections in place. and solidity the language does NOT make this any easier. read all the resources you can. there are really counterintuitive best practices.

the reason for all these hacks is not stupidity or laziness of the developers. the EVM execution model just makes it very easy to write vulnerable code.

heliumcraft 8 years ago | | |

Quite the exaggeration, this silly meme has to stop. You make it sound like writing even a hello world would have horrible vulnerabilities or something. There are thousands of perfectly safe contracts deployed, one can't take some isolated incidents and make such conclusions from such a small sample.

dvcc 8 years ago |

So if I read this right, I am supposed to trust a contract that sits on top of a mutable 'OS' that is managed by the community? I feel like all of these contract-as-code groups really need to have a lawyer on their team as well; for some reason, it seems like developers believe they understand the purpose of financial/other contracts and how they're actually used.

Would you sign a contract that references a contract that can be changed at anytime without your agreement?

spalladino2 8 years ago | |

First of all, upgrades are opt-in, so you can build on top of the OS and only switch to a new kernel version under certain conditions, such as if all parties in the contract agree.

Also, keep in mind that financial contracts are not subject to hacks, unlike smart contracts, as we have seen several times. One of the goals of upgradeability is the possibility to roll out security patches as needed.

currymj 8 years ago | |

yeah, people do this all the time, to a greater or lesser extent! referencing past or future agreements, agreements between other parties, the prime interest rate published in the WSJ, etc.

the difference is, if someone does something really abusive with one of these clauses, a judge will throw it out.

themanual 8 years ago |

how does this compare to Tezos?

edjere 8 years ago | |

Tezos and zeppelinOS are very different things. zeppelinOS is building an operating system on top of the Ethereum Virtual Machine to provide secure infrastructure for the development of smart contract applications. A technology that is still being developed but used by thousands of developers, and maturing into it's next phase. Tezos is building a new blockchain with a different infrastructure altogether.

bshimmin 8 years ago | | |

Millions of developers are working with Ethereum?

lurchpop 8 years ago |

sounds the same as EOS

mattl 8 years ago |

What about this is an operating system?

dang 8 years ago | |

To avoid title disputes we'll use the word "tools" above.

edjere 8 years ago | |

It's an operating system insofar as it's a layer of services on top of the "bare metal" that is the EVM. Through those services it allows the development of complex applications in the same way a normal OS does.

mattl 8 years ago | | |

How does that differ from installing a web framework, or an application? That doesn't seem like an operating system to me.

throwaway91111 8 years ago | | |

Seems like "framework" or "library" would be better; this isn't exactly a scheduler or resource allocator in the same way an os implies.