Smart Contract Dependencies: Recommendations and Security¶
As software supply chain attacks increase in prevalence, it is crucial to protect smart contract development environments from potential risks. This involves a careful understanding of all dependencies in a project, including both the smart contracts and the development tools. This article aims to outline essential practices to enhance the solidity project's software supply chain's robustness.
Use Known-good Libraries¶
Utilizing well-known libraries, such as the OpenZeppelin smart contract collection, is highly advised. Third-party code should ideally be audited by a reputable company with publicly accessible audit reports. The repository should also adhere to a strict open-source workflow with transparent review processes for pull requests. When third-party codebases are mission-critical, commissioning an audit company to examine their security might be a wise investment.
Regular Dependency Checks¶
Trust should never be placed blindly in third-party dependencies, regardless of their open-source status or auditing history. Each dependency should be reviewed at least once. Fixed versions of all third-party dependencies should be explicitly declared. Checking for new dependency versions, reviewing their code, and testing them are tasks that should be frequently carried out. Simpler dependency checks are often executed during automated build and continuous integration processes. Regularly reviewing the repository precedence configured in the development tools is vital to avoid dependency confusion attacks.
With each additional dependency, the attack surface of a smart contract increases. Therefore, it is crucial to implement diligent internal quality assurance processes that ensure redundant dependencies get removed. The development team must comprehend the function of each dependency and its role within the broader system. In the same spirit, developers should avoid using huge dependencies when only a small subset of their code is required. If the overlap between two dependencies exists, the one with the highest overlap with the project requirements should be chosen.
Review Security Bulletins¶
It's vital to stay on top of security-related news for a particular project's dependencies. This could involve subscribing to mailing lists, participating in forums, or following library developers on social media platforms. The development community is often the first to become aware of security issues, making it a valuable source of timely updates and alerts.