L8 - Ethereum Design Patterns Flashcards
programming idioms
language-specific patterns for recurring programming problems (lower abstraction than design patterns)
design patterns
template solutions for recurring software engineering problems
solidity idiom
practice-proven code pattern for a recurring coding problem
What are access restriction idioms used for?
protect contract functions from unauthorized calls.
- all external and public functions can be called by anyone, third parties might execute a function they are not allowed to
How do access restriction idioms work?
Through function modifiers
modifier onlyOwner() {
require (owner = msg.sender);
_;
}
Why is the secure ether transfer idiom needed?
So that a malicious attacker cannot exploit the property of the transfer function to freeze the contract.
How is the transfer function used for malicious purposes in bidding?
contract BadAuction {
address highestBidder; uint highestBid;
function bid() public payable {
require(msg.value >= highestBid); if (highestBidder != 0) {
highestBidder.transfer(highestBid); }
highestBidder = msg.sender; highestBid = msg.value;
}
}
When the contracts wants to send the money back to the previous highest bidder (= malicious attacker) the malicious attacker throughs an exception and the sending contract gets disabled. Now the malicious bidder stays the highest bidder.
What is the secure ether transfer idiom?
Pull over push
- functions which send Ether should be isolated. A common pattern is to have a separate, isolated function which needs to be actively called by the sender (pull)
How can gas be saved with an idiom?
By tight variable packing.
- group all data types that should belong together into a single 32-byte slot and declare them one by one.
contract StructPacking{
// 2 strage slots
struct CheapStruct{
uint 128 a;
uint 128 c;
uint 256 b;
}
}
contract StructWithoutPacking{
// 3 strage slots
struct ExpensiveStruct{
uint 128 a;
uint 256 b;
uint 128 c;
}
}
Why are design patterns specifically important for smart contract development.
- Determinism by design makes use of external data and random numbers challenging
- code is immutable –> contracts cannot be updated
- financial value is at risk
- transaction finality –> stolen money is gone forever
- availability of source and bytecode makes it easier for attackers to find potential vulnerabilities
How can smart contracts use external data?
Through oracles
Two types of orcales
- synchronous oracle
- asynchronous oracle
–> draw both
How does a synchronous oracle contract work?
The oracle service pushes data regularly to the smart contract.
How does the asynchronous oracle work?
Oracle service waits for the emission of an event to act.
So my smart contract executes the getOracleData() function. Then the oracle contract executes the function invokeOracle() which reads data from an external oracle server (api).
Then the external Oracle server invokes a callback() function in the Oracle contract which then calls a function in my smart contract called _OracleCallback() external onlyOracle this writes back the message from the external server.
How to limit the forwarded gas?
(gas _gas)
–> _gas defines the to-be forwarded amount of gas.
Advantages of oracle pattern
- enables data retrieval from external sources
- either easy to use (synchronous Oracle) or live data (asynchronous Oracle)
- can be used for different purposes (randomness, stock data, weather data)
Disadvantages of oracle pattern
- costly in terms of gas consumption
- dependence on a third party in terms of data manipulation and availability
What are randomness patterns used for?
- Solidity does not provide any functions that generate random numbers due to the deterministic behavior. Having random numbers would make it impossible for other nodes to validate the correct output of a function.
