Slide 1

Slide 1 text

Build your first smart contract Giovanni Toraldo GDG DevFest Pisa 2023 1st April 2023

Slide 2

About me DevOps Engineer @ Hyland ● Alfresco BDU ● Ansible playbook ● Helm charts Open Source enthusiast Medieval reenactor during the weekends 🎯 Twitter: @gionn

Slide 3

What is a cryptocurrency ● A digital currency that uses cryptography for security and integrity ● Decentralized: not controlled by any central authority ● Transactions are recorded on a distributed public ledger (the blockchain) ○ Users are pseudonymous: transactions are tied to addresses, not to personal identification; note, however, that the ledger itself is public, so flows between addresses can be analysed by anyone ● Transaction fees can be lower than traditional payments (but it depends on network congestion) ● Anyone can start receiving currency just by running wallet software ○ To send currency you first need some, which most of the time means buying it from a third party (an exchange) with fiat money

Slide 4

Total crypto market cap, a result of 12,301 cryptocurrencies tracked across 666 exchanges. https://www.coingecko.com/en/global-charts

Slide 5

Introduction to Bitcoin ● First and most well-known cryptocurrency ○ Born in October 2008 as a research paper (the whitepaper) ○ Release v0.1 in early January 2009 as open-source software ● Limited supply: 21 million ○ Inflation decreases over time: the block reward halves periodically (the "halving") ● Decentralized consensus: Proof-of-Work ○ Easy for everyone to validate ○ Hard to generate ■ Each new block generates fresh bitcoins (the block reward) ● Each transaction requires a fee that depends on network congestion ○ Block size is limited, so a finite number of transactions fit in each block, and block emission takes time (about ten minutes on average)

Slide 6

Bitcoin desktop screenshot

Slide 7

Programming Bitcoin: Script ● Stack-based programming language ● Not Turing-complete (no loops) ● Foundation of transaction validation ○ Prevents overspending ○ Requires 1 or more valid signatures ○ Time-locks ● These limitations were a design choice in order to: ○ Have predictable execution times ○ Avoid deadlocks / infinite loops ○ Keep the attack surface small (high security) ○ Keep hardware requirements low

Slide 8

Introduction to Ethereum ● 2nd cryptocurrency by market capitalization ● Network up since 2015 ● Unlimited supply (new ETH is issued for each block) ○ Since the London upgrade (August 2021, EIP-1559) the base fee of every transaction is burnt; combined with the much lower issuance after the switch to Proof-of-Stake on 15 September 2022, supply shrinks whenever burnt fees exceed issuance (deflationary) ● Decentralized consensus: Proof-of-Stake (since 15 September 2022, "the Merge") ○ One validator, randomly selected from the pool, proposes the next block of transactions ■ Requires 32 ETH staked ■ Gets punished (slashed) if the other nodes detect bad behaviour ● Each transaction requires a fee that depends on network congestion ○ Block size (gas) is limited, a finite number of transactions fit in each block, and blocks are emitted at a fixed cadence (one slot every 12 seconds)

Slide 9

Ethereum Virtual Machine (EVM) ● Ethereum is not just a blockchain ● Imagine a computer whose state everyone in the network can: ○ Read (storage) ○ Ask to run a computation on, optionally altering that state ● Requests for computation are transactions ○ They consume gas while being evaluated, paid by the requester ■ A transaction that throws (reverts) is still evaluated up to that point, so the gas spent until then is still paid ○ The requester sets a cap on gas usage (the gas limit) before broadcasting, so the worst-case cost is known in advance ● The code for a computation must be deployed before it can be evaluated

Slide 10

Use Cases for Ethereum Smart Contracts ● Decentralized finance (DeFi) ○ Lending platforms, decentralized exchanges, stablecoins ○ No need for trusted intermediaries like banks; users can provide liquidity while keeping custody of their funds ("code is law": the contract, not a company, enforces the rules, which also means a bug in that code is enforced just as faithfully) ● Non-Fungible Tokens (NFT): ownership of a unique item ○ Digital art, game assets, physical-world objects ○ Tradable on dedicated marketplaces ● Whatever is supposed to be public, verifiable by third parties, and immutable

Slide 11

Dapp example: app.uniswap.org

Slide 12

Dapp example: app.aave.com

Slide 13

Dapp example: app.pooltogether.com

Slide 14

Interact with dapps via browser ● Install a wallet browser extension ● Generate a new wallet from a seed phrase (12 or 24 words, BIP-39) ○ Many addresses are derived from the same seed ● Buy some ETH to pay the gas for transactions ○ Test networks have free faucets ● Connect the wallet to a web3 website ● Interact with the UI ● Emit a transaction via the browser (the wallet asks you to confirm and sign it)

Slide 15

No content

Slide 16

No content

Slide 17

Example transaction: gas usage and input data

Slide 18

Beware of scams ⚠ The world is full of bad people, and the blockchain makes it very easy to run away with other people's money: transactions are irreversible. ● Do not click sponsored links in search results ○ Rely on saved bookmarks ● Never enter your seed words anywhere other than the initial setup of your wallet ● Do not store seed words on an internet-connected device ● Do not interact with DMs and replies containing URLs on social networks and chats ● Beware of the other standard scam vectors ○ Domain typosquatting ○ Phishing emails ● Verify that the transactions you sign are against the expected contract addresses (check the address shown in the wallet prompt, not just the website)

Slide 19

Smart Contracts on Ethereum ● Solidity code (compiled to EVM bytecode) can be deployed on Ethereum ⇒ a contract is created ● Each contract has (like a wallet): ○ A unique address ○ A balance in ETH ● Each contract also has: ○ State (variables, constants) ○ Callable functions ■ State-altering (require a transaction) ■ View-only (query the state without a transaction) ● Functions can: ○ Make computations ○ Alter the contract state ○ Call external functions of other contracts

Slide 20

Once a smart contract is created ● Only the bytecode is always available on chain ● Sources can optionally be uploaded to blockchain explorers (verified contracts) ● To interact with a deployed contract the ABI must be known ○ Lists all the available functions and their parameters ○ Generated by the compiler as an artifact ● Contracts are immutable (!): to ship a fix you have to ○ Migrate state from the old to the new contract, or ○ Separate data and business logic, or ○ Use the proxy pattern (upgradeable contracts) ● No concurrency issues: transactions are serialized within a block (you do not control their order, though: the block proposer does) ● A transaction can either succeed or fail (revert): a failed transaction leaves no state change behind but still pays for the gas it consumed

Slide 21

Solidity programming language ● Object-oriented ○ Inheritance ○ Standard types (boolean, integers, string, bytes, address, arrays, mappings) ○ User-defined types (struct and enum) ○ Function visibility (public, external, internal, private) ● Statically typed ● Error handling (raising an error reverts the whole transaction) ● Events ● Can call other contracts (any contract, including untrusted ones!)

Slide 22

Solidity storage simplest example
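The slide's screenshot is not part of this export, so here is an added example of my own (not the speaker's code) of the smallest useful storage contract. It ties together the points of the previous slides: persistent state, a state-changing function that costs a transaction, a free `view` read, an event, and a custom error that reverts the transaction. The `deployer`-only restriction on `set` is my addition to show access control; the slide's original example is not known to have it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the slide's own code: a minimal storage contract.
contract SimpleStorage {
    // State lives in contract storage and persists between transactions.
    uint256 private value;
    // `immutable`: set once in the constructor, then baked into the bytecode.
    address public immutable deployer;

    // Events are cheap, indexed logs that off-chain code (a dapp, a test) can watch.
    event ValueChanged(address indexed by, uint256 oldValue, uint256 newValue);

    // Custom errors cost less gas than revert strings and are easy to assert on in tests.
    error NotDeployer(address caller);
    error SameValue(uint256 value);

    constructor(uint256 initial) {
        deployer = msg.sender;
        value = initial;
    }

    /// Requires a transaction: mutates storage and emits an event.
    /// If any check fails the whole transaction reverts and no state changes.
    function set(uint256 newValue) external {
        if (msg.sender != deployer) revert NotDeployer(msg.sender);
        if (newValue == value) revert SameValue(newValue);
        uint256 old = value;
        value = newValue;
        emit ValueChanged(msg.sender, old, newValue);
    }

    /// `view`: reads state without a transaction. Called off-chain (eth_call)
    /// it costs nothing; called by another contract inside a transaction it
    /// still costs gas like any other code.
    function get() external view returns (uint256) {
        return value;
    }
}
```

Deploy it with a constructor argument, call `get()` (no transaction, no gas), then `set(42)` from the deployer account (a transaction) and watch the `ValueChanged` event in the receipt; calling `set` from any other account reverts with `NotDeployer`.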

Slide 23

ERC-20 (standard token) example (from openzeppelin)

Slide 24

ERC-20: transfer (the public `transfer` delegates to the internal `_transfer` helper)
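To make the two ERC-20 slides concrete without the screenshots, here is an added minimal token written by me to the ERC-20 interface. It is not OpenZeppelin's code, but it follows the same layout the slides describe: the public entry points (`transfer`, `approve`, `transferFrom`) decide who may move whose tokens, and the `internal` `_transfer` does the balance checks and bookkeeping. The token name, symbol and custom error names are my own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not OpenZeppelin's implementation: a minimal ERC-20.
contract MinimalToken {
    string public constant name = "Minimal Token";
    string public constant symbol = "MIN";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    // Public mappings get ABI getters named balanceOf(address) and
    // allowance(address,address), exactly as the standard requires.
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    error InsufficientBalance(address from, uint256 balance, uint256 needed);
    error InsufficientAllowance(address spender, uint256 allowance, uint256 needed);
    error ZeroAddress();

    constructor(uint256 initialSupply) {
        // Mint the whole supply to the deployer; a mint is a Transfer from address(0).
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    /// Move the caller's own tokens.
    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    /// Let `spender` move up to `amount` of the caller's tokens via transferFrom.
    function approve(address spender, uint256 amount) external returns (bool) {
        if (spender == address(0)) revert ZeroAddress();
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    /// Move `from`'s tokens on their behalf; the allowance is consumed first,
    /// before the balance moves, so a failing transfer cannot leave a spent
    /// allowance behind (the whole transaction reverts).
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed < amount) revert InsufficientAllowance(msg.sender, allowed, amount);
        // Solidity >= 0.8 arithmetic is checked, so an underflow would revert
        // anyway; the explicit check above yields a readable error instead of a panic.
        allowance[from][msg.sender] = allowed - amount;
        _transfer(from, to, amount);
        return true;
    }

    /// `internal` rather than `private` so that derived contracts can reuse it
    /// (the same choice OpenZeppelin makes for its own `_transfer`).
    function _transfer(address from, address to, uint256 amount) internal {
        if (to == address(0)) revert ZeroAddress();
        uint256 fromBalance = balanceOf[from];
        if (fromBalance < amount) revert InsufficientBalance(from, fromBalance, amount);
        balanceOf[from] = fromBalance - amount;
        balanceOf[to] += amount; // cannot overflow: the sum of balances equals totalSupply
        emit Transfer(from, to, amount);
    }
}
```

Note what is missing on purpose: there is no hook that calls the recipient, so a token transfer here cannot be re-entered; token standards that do notify the recipient (ERC-777, ERC-721's `safeTransfer`) turn every transfer into an external call, which is the situation the reentrancy slides later warn about.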

Slide 25

Introduction to the Hardhat development environment ● JavaScript-based ○ npm install --save-dev hardhat ○ npx hardhat ● Task-oriented framework ○ clean, compile, test, run ● Plugin architecture ● VS Code integration ● Simple folder structure ○ contracts: Solidity sources ○ test: Mocha/Chai tests ○ scripts: plain JavaScript automation

Slide 26

Create a new Hardhat project ● mkdir src/myproject ● npm init -y ● npm install --save-dev hardhat

Slide 27

Hardhat demo contract
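The demo contract itself is not in this export, so here is an added time-lock contract of my own, not the sample Hardhat generates, written to have the behaviour the test slides that follow check: ETH is locked at deployment, `withdraw` reverts before the unlock time, and the whole balance goes to the owner once the lock has expired. The error names and the `TimeLock` name are my choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (my code, not Hardhat's sample contract): lock ETH until a timestamp.
contract TimeLock {
    uint256 public immutable unlockTime;     // unix timestamp, fixed at deployment
    address payable public immutable owner;  // the deployer, the only one who may withdraw

    event Withdrawal(uint256 amount, uint256 when);

    error UnlockTimeInPast(uint256 unlockAt, uint256 current);
    error NotOwner(address caller);
    error StillLocked(uint256 unlockAt, uint256 current);
    error TransferFailed();

    /// `payable` so the lock can be funded in the same transaction that deploys it.
    /// block.timestamp is the block's time: fine for a coarse lock, never for
    /// sub-block precision.
    constructor(uint256 _unlockTime) payable {
        if (_unlockTime <= block.timestamp) revert UnlockTimeInPast(_unlockTime, block.timestamp);
        unlockTime = _unlockTime;
        owner = payable(msg.sender);
    }

    function withdraw() external {
        // Checks: authorisation first, then the time condition.
        if (msg.sender != owner) revert NotOwner(msg.sender);
        if (block.timestamp < unlockTime) revert StillLocked(unlockTime, block.timestamp);

        // Effects: read the amount and log it before any external call.
        uint256 amount = address(this).balance;
        emit Withdrawal(amount, block.timestamp);

        // Interaction: `call` forwards all gas (unlike `transfer`, which is
        // limited to a 2300 gas stipend that breaks contract recipients) and
        // its result must be checked: a failed send has to revert.
        // The ETH leaves before the recipient's code runs, so a re-entered
        // withdraw() would only ever send the now-zero balance.
        (bool ok, ) = owner.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

In a Hardhat test this maps onto three cases: deploy with `{ value: ... }` and assert `unlockTime`, `owner` and the contract balance; call `withdraw()` early and expect the `StillLocked` revert; then advance the local chain's clock past `unlockTime` and expect the owner's balance to increase by the locked amount.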

Slide 28

No content

Slide 29

Writing tests with Mocha ● Automated testing is more critical than ever ○ Ensure that the code behaves in the expected manner ○ Ensure that all inputs are validated ○ Ensure errors are handled as expected ● A bug in your code can have disastrous consequences: ○ March 2023: Euler Finance lost about $200M because of a bug in a function meant to donate dust to the protocol

Slide 30

No content

Slide 31

Test state after deployment

Slide 32

Test transaction revert or succeed

Slide 33

Test the transfer happens once the lock expires

Slide 34

Deploy script (network agnostic)

Slide 35

Run the Hardhat test network ● `npx hardhat node` spins up a fully functional, Ethereum/EVM-compatible blockchain in memory, with pre-funded test accounts, so you can deploy and interact locally before touching a public testnet

Slide 36

Common security issues ● Attack vectors common to other platforms as well: ○ Business logic errors ○ Rounding errors ○ Uninitialized variables ○ Unvalidated input ● Reentrancy attacks ○ Your function calls an external contract before it has updated its own state; the callee calls back into your contract, which still sees the old state, and the cycle repeats ○ To avoid it, update state before calling external contracts (Checks-Effects-Interactions), and add a reentrancy lock as a second line of defence ○ Sending ETH is itself an external call: the recipient's receive/fallback code runs ○ Reentrancy is harmless only if the function is idempotent, i.e. calling it N times has the same effect as calling it once

Slide 37

Reentrancy bug example

Slide 38

OpenZeppelin Open-source library of secure, reusable contracts - openzeppelin.com ● Implementations of standards like ERC20 and ERC721 ● Role-based permission schemes (Ownable/onlyOwner, AccessControl) ● Other security components: ○ SafeMath (avoids overflows; only needed with Solidity < 0.8, since 0.8 has checked arithmetic built in) ○ PaymentSplitter ○ Proxy (upgradeable contracts) ○ Pausable ○ ReentrancyGuard

Slide 39

Ownable library example
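As an added example in place of the missing screenshot (my code, built on OpenZeppelin's library rather than copied from it), a small registry that inherits `Ownable` for the `onlyOwner` scheme and `Pausable` as an emergency stop. It assumes `@openzeppelin/contracts` 5.x is installed in the Hardhat project (`npm install @openzeppelin/contracts`); the version differences are noted in the comments. The `Registry` contract and its `records` mapping are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: uses OpenZeppelin 5.x. With 4.x the Pausable import path is
// "@openzeppelin/contracts/security/Pausable.sol" and the constructor is a
// plain `constructor() {}`: 4.x Ownable sets the deployer as owner implicitly.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/Pausable.sol";

contract Registry is Ownable, Pausable {
    mapping(bytes32 => address) public records;

    event RecordSet(bytes32 indexed key, address indexed value);

    // 5.x requires the initial owner explicitly; msg.sender is the deployer.
    constructor() Ownable(msg.sender) {}

    /// Anyone can write a record, but not while the contract is paused
    /// (Pausable reverts with EnforcedPause() in that case).
    function setRecord(bytes32 key, address value) external whenNotPaused {
        records[key] = value;
        emit RecordSet(key, value);
    }

    /// Emergency stop: only the owner. For any other caller Ownable reverts
    /// with OwnableUnauthorizedAccount(caller).
    function pause() external onlyOwner {
        _pause();
    }

    function unpause() external onlyOwner {
        _unpause();
    }

    // Ownable also provides transferOwnership(newOwner) and renounceOwnership().
    // The latter leaves the contract with no owner forever, making pause() and
    // unpause() uncallable, so treat it as an irreversible operation.
}
```

In a test, deploy from account A, assert `owner()` equals A, call `pause()` from account B and expect the `OwnableUnauthorizedAccount` revert, then pause from A and expect `setRecord` to revert with `EnforcedPause`.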

Slide 40

Linters and static analysis tools Tools that are easily integrated into a Hardhat project: ● Solhint: ○ Code style guide (mixedCase function names, underscore prefix for internal variables, ...) ○ Best practices (max line length, cyclomatic complexity, ...) ○ Basic security issue detection (missing function visibility, simple reentrancy) ● Slither: static analysis to detect vulnerable code ○ Its maintainers keep a list of real-world hacks that could have been prevented by running the tool

Slide 41

More links ● https://ethereum.org/en/developers/docs/ ● https://docs.soliditylang.org/en/latest/ ● https://hardhat.org/docs

Slide 42

Thanks! (have you found the fish?)