Insecure Code Delays Mass Web3 Adoption
Move on Sui was designed to be inherently secure and address vulnerabilities of other programming languages.
Without trust, there is no Web3 adoption. Other significant hurdles stand in the way of getting the first billion users—confusing user experiences, complicated authentication patterns, and an uncertain regulatory system—but none as great as the skepticism and distrust most people have of blockchain technology.
To many, blockchain equals crypto equals scam. Stories of hacks or rugpulls make up a large percentage of Web3 stories that breakthrough to mass media. In just the first eight months of 2023, almost $1B was lost to malicious activity on-chain. Until people trust that blockchain is secure, Web3 will fail to become standard infrastructure for popular products.
Just as technology presents many risks, so too are there many components to security. But one key aspect to maintaining safety on the blockchain is writing secure code. Insecure code can lead to theft, fraud, and unauthorized access of individuals' assets, which in turn can reduce investment in high value industries like DeFi. Vulnerable code can be exploited by attackers leading to data manipulation and financial losses. Users rely on the security of cryptographic code to trust the integrity of transactions and smart contracts. Breaches due to poorly written code can undermine this trust and lead to a loss of confidence in the system.
Ethereum launched as the first smart contract platform in 2015. Ethereum’s programming language, Solidity, remains popular, along with Vyper, for most EVM and EVM-compatible chains, despite known security flaws. Even with improvements in tooling and auditing, many major breaches and large hacks have been caused by vulnerabilities known since the inception of smart contract programming. New languages have been developed to combat these issues and offer greater security for both developers and users. On Sui, for example, a variant of the programming language Move is used because it is inherently secure while being expressive.
Move in particular aims to be inherently secure, and was created, in part, to address Solidity vulnerabilities such as reentrancy attacks, double spending, DoS attacks, and compiler issues. Those types of attacks continue to cause major financial losses, including a reentrancy attack on Curve Finance pools in July 2023 that exploited $60M worth of digital assets. Although Move is explicitly designed to remove many of the flaws in Solidity by protecting developers from writing certain bugs and vulnerabilities into the code, it does not prevent people from writing malicious code on purpose. Audits and other checks are still required to find those and other vulnerabilities.
Another built-in security feature of Move is the bytecode verifier. It ensures a smart contract’s bytecode is valid and safe to execute. EVM only has source code verification which confirms the source code is the equivalent of the bytecode to be executed but not the correctness of the smart contract itself. The bytecode verifier is designed so that malicious code that creates fake coins, artificially increases the value of coins, or copies/destroys existing coins will not be executed on-chain.
Sui, being object-centric, also helps minimize the amount of executions of insecure code. By nature, every function clearly shows which object it is touching. Just by looking at the function signature you are able to determine the maximum damage that could be done should the contract be designed maliciously. You know exactly what arguments the function takes in and exactly what arguments a function takes out. For example, when you're accepting a coin balance, it is clear you're touching the coin balance in your wallet. It's not a surprise. With contracts written in Solidity, it is not as clear.
While a completely secure coding language doesn’t yet exist for smart contracts, Move and particularly Move on Sui are inherently more secure than other languages currently in the market. Get started learning Move today.