Move, a Revolution for Smart Contracts' Security
Move, a Revolution for Smart Contracts' Security 
By Starcoin community

In the age of discovery of blockchain, all main public chains have carried out a lot of exploration in different fields. Especially after the outbreak of DeFi, blockchain technology has been gradually applied in the public’s daily life through GameFi, NFT, DAO, Web3, Oracle and other channels, allowing everyone to share the dividends brought by the blockchain. However, while advancing fastly, endless security issues have been plagued the entire industry, and hundreds of millions of assets suffer losses due to bugs every year. Especially in the DeFi era led by Solidity, the data on the chain is exposed to everyone, the requirements for developers are very high, and security issues are infinitely magnified.

Starcoin is a new generation of layed smart contracts and distributed financial networks. From the beginning of the design, the issue of security has been the most important concern. On the one hand, Starcoin hopes to solve common security problems, on the other hand, Starcoin hopes to lower the security threshold for developers. In the end, Starcoin chose Move as the smart contract language. Move has many advantages, and the biggest highlight is security. Move introduces many security features for smart contract scenarios without increasing the burden on developers. This article will analyze the real security vulnerabilities in history, and take an inventory of the out-of-the-box security features of Move.

Resource-oriented Programming

Resource-oriented programming is one of Move’s biggest innovations. So, what exactly is resource-oriented programming? What is the relationship between resource-oriented programming and security?

Let’s first learn the definition of resources on Wikipedia:

Resource refers to any tangible or intangible object with limited availability, or anything that helps to improve livelihoods.

In the definition of resources, there are two words “availability” and “limited”. Very strictly speaking, resources' quantity is limited and can generate value. Since resources have these two characteristics, it means that the following constraints should be followed when programming resources:

  • Can’t be dropped arbitrarily (what a shame that “valuable” objects are lost);
  • Copying is prohibited (No matter where it is, under any circumstances, copying is not allowed. Even if it is just a segment of binary in memory, copying must be prohibited, otherwise it would violate the definition of “limited quantity”)

Move introduces a resource type, and guarantees that the resource type follows the above constraints from the virtual machine level, and can neither be dropped nor be copied. Developers only need to simply declare the structure as a resource type, and the structure will be protected by the virtual machine, thus avoiding many common security risks, such as unlimited additional issuance vulnerabilities caused by memory copying.

Move’s resource-oriented programming is a brand-new programming model that can easily avoid many common security problems and lower the development threshold.

1643697424087

Ability

Ability guarantees Move’s implementation of resource-oriented programming, making resource-oriented programming very simple and easy to understand.

1643697550185

Move has 4 type abilities: Copy, Drop, Key, Store, which can be used in any combination. For resource-type structures, ability without Copy and Drop is enough. It is easy to use, safe and reliable, and can avoid asset loss and unlimited issuance, which can secure assets on the chain.

starcoin_move_struct_ability

The ownership and operation authority of the data belong to the personal account

In the Solidity project, the data generated by everyone through the contract is stored centralized in the contract account that generated the data. This is a very unsafe practice and has significant security risk. On the one hand, it is unreasonable that the personal data of a certain user is centrally stored in another account; On the other hand, once there is a security issue in the contract, everyone’s data will suffer loss.

In the Move project, data is stored dispersedly in the personal accounts, making it clear that the ownership of the data belongs to the respective users, and at the same time, only he can actively operate his own data. In this way, the data is stored dispersedly, even if there are bugs in the contract, hackers have no authority to modify everyone’s data, which greatly reduces the scope of the vulnerability, protects the data, and avoids the security problems caused by large arrays at the same time.

starcoin_account_example

Pure Static Call

In the DeFi era, many well-known security vulnerabilities are related to the dynamic call of Solidity, such as TheDAO attack. Although dynamic call is very convenient, there are many uncertainties:

  • The implementation of called contract is uncertain, as long as the function signature is the same, the specific implementation can be customized

  • In the process of dynamic call, context switching, especially the change of sender user, can easily lead to unlimited permissions

  • You can construct a loop recursive call, TheDAO vulnerability constructs a recursive call.

In the special field of blockchain, dynamic calls have led to a lot of security vulnerabilities. Move has learned lessons from experience and adopts pure static calls, which can greatly avoid security risks.

1643698072074

More Reasonable Fault Tolerance Mechanism

Real bugs of the Solidity contract, some vulnerabilities are caused by overflow, which causes the condition to be missed, which leads to the theft of lost on the chain, and other vulnerabilities are due to the use of default function visibility when the function is defined, so hackers obtain permissions that should not be obtained, such as the Parity wallet vulnerability.

In the case of overflow, Move will directly throw an exception and roll back the transaction.

For function visibility, in addition to private and public visibility, Move also adds script and friend visibility. At the same time, the default is private visibility to avoid function leaks due to negligence. Move has a more reasonable mechanism in many details, which can avoid some low-level vulnerabilities caused by negligence.

Complete Testing System to Guarantee Security

In order to better guarantee security, Move has designed a complete test system, including Unit Test and Functional Test. Unit Test is usually used for unit testing of a single function, and Functional Test is used for functional testing. Make good use of Unit Test and Functional Test, discover possible security risks before launching, and better guarantee the security and reliability of assets on the chain.

Formal Verification

Formal verification is to prove the security of the code through mathematics, which is a very new field.

Many industry practitioners hope to increase the features of formal verification in the Solidity system, but it has not been maturely implemented. Since the launch of Move, it has always had a set of mature formal verification tools, including move-prover verification tools and SPEC language. Developers can use Move’s formal verification tool to find out some potential bugs in the Move contract code, fix and prove the security of the Move contract code.

starcoin_move_prover

Starcoin more Move, make your data more Secure

In the age of discovery of blockchain, everything is exploring upgrades and rapid iteration. Move is a revolution in the smart contract language. It has implemented language-level security reinforcement for financial scenarios, which makes assets more secure without increasing the burden on developers. Starcoin have paid more attention at the issue of security. In the case of ensuring a layer of security, Move is used as a smart contract language to make DeFi more secure and data more assured.