News.EOS.WiKi Bilingual News & Info Of EOS

Klevoya Wants To Banish Bugs from the Blockchain

Original:

When a smart contract has an exploitable bug, it can shake the very foundations of the application it supports. In 2018, Klevoya Founder and CEO Moti Tabulo realized that an opportunity existed for a service that could debug smart contracts. A technologist and entrepreneur with degrees in electronics and signal processing, he eventually found himself drawn towards the blockchain ecosystem.

According to Moti, “Writing secure smart contracts is a very highly specialized skill. There are only a few experts that actually know how to do that properly. And so relying on those few experts is really unscalable if blockchain technology is to fulfill the promise that we think it has. What’s really needed is an automated way of verifying smart contracts.”

Moti saw other blockchain networks struggling with scalability. “I wanted to focus my attention on a network that I think had solved that scalability problem which is why I decided to focus my attention on EOSIO.”

Tools for Secure and Functional Code

With a network chosen and his goal in mind, Moti says he chose the name Klevoya, inspired by the French word “clairvoyant”, meaning one who can see the future. He wanted to give developers the supernatural ability to see bugs in their code. “The way we do this is by building software-as-a-service developer tools that allow developers to easily test and verify the functionality of their smart contracts.”

On EOSIO blockchains, smart contracts control a number of critical permissions for digital rights, assets, and tokens. In addition, smart contracts feature open APIs, and when deployed on a public blockchain they are immutable. Once deployed, smart contracts become powerful tools that form the backbone of a blockchain application when proper precautions are taken to ensure security and functionality. 

Today, tools built by EOS VC grant recipient Klevoya help developers audit and deploy secure code compatible with EOSIO 2.0. With them, developers can perform robust testing on smart contracts to prevent hackers from hijacking tokens or otherwise disrupting system integrity. Hydra is one such tool, built to test smart contracts for functionality. Now in beta, Inspect is another tool, designed to run multiple tests for vulnerabilities without the need to maintain a local node.

Reaping the Benefits of EOS VM

Moti says his team stood on the shoulders of giants to create Hydra by modifying EOS VM, Block.one’s purpose-built WASM engine for blockchains. Developers can use it to deploy secure EOSIO 2.0-compatible smart contracts, all without having to maintain a local node.

To make it easier for developers, Hydra removes EOS VM features related to block production, which are not required for testing. The team also modified the code to make it more resilient when run across multiple users. Developers can write test cases in a number of formats, such as JavaScript and TypeScript, and can also use modern testing frameworks, including Jest and Mocha.

“Hydra gives you this really nice environment where you can write your test cases in a very granular and detailed way and then don’t have to worry about running a local node,” says Moti. “It also enables you to run tests in parallel, without being limited by block producing time. Plus you can also recreate different test scenarios, so if you’ve had a bug running on a live mainnet, you can recreate that very easily with Hydra.”

Deeper Analysis of Smart Contracts

While Hydra is already becoming a part of daily workflows for developers, Klevoya’s team is in the beta phase with another tool called Inspect, which will check smart contracts against known issues.

Moti explains how the code undergoes a process known as static analysis. “We develop an understanding of the whole smart contract, and mine the information, and look for patterns of known vulnerabilities to see whether those patterns are present in the smart contract.”

Moti says the tools will ultimately work together. “We like to think that developers will use our tools in different stages. Hydra is used when you’re in the process of developing your smart contract and it allows you to effectively run lots of different test cases without having to maintain a local node. Inspect on the other hand is specifically built to find known vulnerabilities.” 

Enabling a Future Built on Blockchains

Moti says that in the future Klevoya would like to lead an initiative that leverages crowdsourced input by allowing members of the community to contribute collective documentation of vulnerabilities in a robust CVE format that cybersecurity organizations use. “Identifying vulnerabilities is sort of a community effort. There’s a lot of pooled knowledge that’s out there.”

Moti believes that eventually blockchains will be a household term. “At some point just like people don’t say cloud anymore, it’s a given that a web application runs with blockchain in the background. To make that future possible, we need to open up that pool of developers and allow as many people as possible to be able to write and develop smart contracts. So our intention is really to make writing secure smart contracts as easy as it would be to write front end web applications.”

The Team Behind the Toolkit

Klevoya Founder, CEO, Technology and Product Leader, Moti Tabulo

Klevoya Founder, CEO, Technology and Product Leader Moti Tabulo is a well-rounded serial entrepreneur. Klevoya is his third startup after two previous successes in software and robotics. He has a passion for taking products from an initial kernel of an idea, integrating customer feedback, and then scaling them for the market.

Klevoya Lead Developer, Christoph Michel

Lead Developer at Klevoya Christoph Michel has over a decade of experience in full-stack development and several years of smart contract development and auditing.

Klevoya Security Research Engineer, Srinjoy Chakravarty 

Klevoya Security Research Engineer Srinjoy Chakravarty has spent two years authoring and auditing smart contracts at several blockchain security firms. Prior to that, he worked for four years as a cybersecurity consultant at PwC.

Klevoya Software Engineer, Abell Wandili

Klevoya’s Software Engineer, Abell Wandili, graduated with a degree in computer science. To date, he has focused on improving Klevoya’s WASM decompiler engine.

Building on EOSIO?

Our #BuiltOnEOSIO series showcases some of the amazing projects leveraging EOSIO technology to build a more secure and connected world. If you would like to suggest a project for us to feature, please send an email to spotlight@block.one for our Developer Relations team to review.

– Block.one Developer Relations team

For more information on how EOS VC supports the EOSIO ecosystem through strategic investments and venture capital partnership funds, visit vc.eos.io.

. . .

Important Note: All material is provided subject to this important notice and you must familiarize yourself with its terms. The notice contains important information, limitations and restrictions relating to our software, publications, trademarks, third-party resources and forward-looking statements. By accessing any of our material, you accept and agree to the terms of the notice.
