In the world of smart contracts, even the most refined financial institutions have to maintain an expert level of technology if they’re looking to get involved with the aforementioned methods. Smart contracts are liable to hacks that can essentially cost the underlying creator hundreds, if not millions of dollars. The most infamous instance of something this catastrophic was the DAO hack, where a hard fork was lanced to reverse the flow of funds from the hacker’s wallet.
Basic MAIAN Overview
Smart contracts are handy tools in financial programming, but they are in many cases subject to hacking, unfortunately. Even one misplaced letter can lead to over millions of dollars being left vulnerable to hackers.
To protect against vulnerabilities in these technologies, engineers had to develop innovative ways to ensure that before deploying the smart contract onto the blockchain that it was completely locked and rid of any potential flaws. After all, If you find the bug after you’ve deployed it to the blockchain, you can’t go back in and edit it.
As a result of this dilemma, MAIAN was born. An open source blockchain analysis tool that helps developers find errors in their code before it’s deployed. The tool was released publicly approximately nine months ago.
#MAIAN, a tool that highlights potential vulnerabilities in smart contracts is now publicly available: https://t.co/3wiRfGJd5a relevant article: https://t.co/3Pk3heD9OF main new feature: Multi-transaction analysis.
— Chris (@ethchris) March 14, 2018
MAIAN was released under the MIT license by Ivica Nikolic, Aashish Kolluri, Ilya Sergey, Prateek Saxena, and Aquinas Hobor free for all to use and contribute to. The initial case study released via Cornell’s database, found here, in which the visible portion of the Ethereum blockchain was analyzed and ran through MAIAN. Of those, about eight percent of all contracts maintained some vulnerability.
MAIAN classifies and siphons each smart contract error type into three main distinctions of vulnerability: “Prodigal,” “Greedy,” and “Suicidal.”
3 Main Vulnerability Types
MAIAN can be utilized by analyzing each contract for three main errors. The first is suicidal contracts. In these contracts, an unnoticed or wrongly-coded contract can potentially “kill” the whole contract. In smart contracts, the kill function will destroy the entire contract and return the funds to the owner of the contract. If an attacker owned the contract, a suicidal contract allows hijackers to keep the funds.
The second sort of vulnerable contracts is prodigal contracts. In prodigal contracts, an attacker can send funds to anyone on the blockchain. Instead of having to kill the entire contract, a prodigal contract possesses a flaw that enables any person to hijack ownership and then send funds from within the contract to a random user, many times over. More worrisome, is the fact that these operations can go relatively unnoticed.
Previously prodigal contracts will send small increments from the contract to remain unnoticed. If larger quantities of people contribute to a contract, the losses remain hidden.
Greedy contracts are the final error type. These contracts are more widely known among the retail cryptocurrency community as many were exposed to this sort of error in the case of the Parity Wallet hack, where a random user on GitHub accidentally locked up over 600,000 ETH, forever.
MAIAN: Under the Hood
MAIAN is coded in Python and is functional with the dependencies mentioned on its GitHub page. Although the tool works by using Python, the main MAIAN tool works with any Solidity coded smart contract. MAIAN does not currently work with EOS deployed smart contracts. MAIAN can analyze smart contracts in any of the following three forms:
- Bytecode source (Bytecode prior to being deployed on the blockchain).
- Solidity (.sol files).
- Bytecode compiled (Bytecode after it’s been deployed on the blockchain).
The program is designed to be easily customizable and editable; users have created their versions that employ a much more efficient accessibility angle. In its stock version, MAIAN has to analyze one contract and one error type at a time without further upgrades.
The back-end flow chart for MAIAN works by applying analysis specifications to the bytecode that is deployed. The bytecode is broken down to a readable version for the tool in the form of symbolic analysis by splitting the contract into “symbols,” which can be referenced in the future.
These symbols then cross-reference with pre-programmed “sample exploit symbols” placed into the program prior (keep in mind these sample exploits can be configured, so you can add as many types of errors as you want). These “sample exploit symbols” are compiled versions of the errors mentioned previously: Prodigal, Greedy, and Suicidal.
Using MAIAN, and its Subsequent Future
For those wanting to improve their development skills and start running their smart contracts through an extra layer of security with MAIAN, one can do so after installing the correct dependencies by navigating to the project’s GitHub, found here.
MAIAN also offers a way of configuring it with a GUI and instructions to do so can be found here. This can help users who aren’t entirely comfortable solely working on a command line, and those who prefer visual aid as opposed to strictly code.
The tool has been known to be somewhat buggy in the case of being installed on certain operating systems, and some users have reported previous dependencies are needed to keep it running. Many times the problem you’re encountering with MAIAN has also been met by another user. Be sure to check the issues tab on the project’s GitHub as many times you’ll be able to find a solution there. Regardless, it’s important to keep records and watch the upkeep of your contract.
While the last update for MAIAN hasn’t been released in some time, there is still an active development community looking to improving and build upon its current versions. Many smart contract devs run their contracts through MAIAN in combination with other analysis tools to ensure maximum security of their contracts.
A fair warning though: Although the proprietary technology in MAIAN is great, blockchain infrastructures are constantly changing. What works with MAIAN and today’s Ethereum deployed smart contracts may not work tomorrow.
