Coinbase unveils 'Solidify' tool to auto-audit smart contracts and DeFi clones
Coinbase has unveiled a new tool that can automatically audit smart contracts built on Ethereum that use the Solidity programming language.
Designed to be used by smart contract auditors, asset issuers, and other exchanges, the firm has plans to make the tool open source later this year
In a June 23 post, Coinbase’s principal blockchain security engineer Peter Kacherginsky announced the firm's new security analysis tool dubbed “Solidify”, which was created to improve on the “time-intensive and error-prone” process of manual smart contract analysis.
The engineer noted that the exchange’s token listing process requires extensive security reviews and “risk mitigation recommendations” for every smart contract to keep consumers safe.
The firm required an analyzer that can work quickly, safely, and at scale, but was unhappy with other options on the market:
“To solve this problem we developed a tool called Solidify (a play on Solidity) to increase the rate of new asset security reviews without lowering our high-security standard that Coinbase customers have come to expect for protecting their tokens.”
The Solidify tool has around 6,000 unique signatures which can be used to quickly match risks against Ethereum smart contracts. It looks at potentially dangerous functionality and insufficiently tested operations.
Kacherginsky explained that: “Solidify uses a large signature database and a pattern matching engine to reliably detect contract features and their risks, standardize and score smart contract risks, suggest mitigation strategies, and generate detailed reports.”
Solidify is not yet able to quickly analyze complex assets such as automated market makers (AMMs) and DeFi apps, because the large amount of complicated custom code involved requires additional manual analysis.
“However, Solidify is still beneficial for these applications when analyzing DeFi clones or for eliminating standard libraries from the manual review scope so analysts can focus on the custom logic,” Kacherginsky notes.
The tool is a work in progress and developers will focus on “improving accuracy of signature generation and detection logic” and “Integrating formal verification techniques to reduce the need for manual analysis.”
They also hope to expand support to the Vyper programming language, which is utilized by the Ethereum Virtual Machine (EVM).Source