Devcon 3 report: Day 3 – Dapp development
Other reports:
Sessions you should focus on and watch:
- uPort (will help solve end user access of Dapps)
- metamascara (metamask javascript client)
- Mist browser moon project (more secure Dapp engine)
- DappHub. Check out the DSAuth contract to handle Auth in a standard way.
- Real world smart contract development lessons
There were a bunch of sessions on Oracles today. Make sure you check out Microsoft’s version of it as well ;-) “Enterprise smart contracts” https://azure.microsoft.com/en-us/blog/enterprise-smart-contracts-resolving-the-truth-for-blockchains/
Intro to Solidity (2017 edition) - Hudson Jameson
https://hudsonjameson.com/speakingengagements/ slides here.
Solidity is like Javascript. Code is compiled to the EVM (Ethereum Virtual Machine)
Once deployed to EVM is completely isolated and cannot reach outside the EVM.
Easy to write contracts, hard to make sure they are secute
ERC20 is a standard to help with contract interoperability for tokens.
There is a `payable` modifier in solidity to mark that the function can take in Ether (helps protect against accidental ETH sending)
`constant` function modifier is being replaced with `view` and `pure` to be more specific.
Metamask + remix + etherscan demo
Metamask is a plugin that acts as a bridge between browser and Ethereum network https://metamask.io/
Remix is a solidity IDE, helps with debugging and static analysis https://ethereum.github.io/browser-solidity/
Etherscan is a blockchain explorer https://etherscan.io/
In the demo he opened up Remix, pasted in a contract, clicked deploy, Metamask opened and he confirmed the transaction, contract got mined/deployed, and could see it on Ethercan.
On Etherscan can see details about the contract, if it has any ETH in it. Can submit the source code to Etherscan, for transparency purposes of verifying what a contract does.
In Remix, can use the IDE to invoke methods on the contract. In Etherscan can see the data values updated in the contract.
IDEs you can use: Remix, Visual Studio, Visual Studio Code (see my blog post on setting that up), Vim, etc. /2016/11/18/configuring-visual-studio-code-for-ethereum-blockchain-development/
Tools: Truffle, Ethereum Package Management, solgraph,
Solgraph takes your function code and shows you a graph of all the potential function calls and the dependencies, to see where the security boundaries are.
Flexibility in Solidity - Dr. Christian Reitwiessner
https://github.com/chriseth
Language design is a game of balances. Functionality / complexity / safety.
The path for Solidity, the initial goal was to create a usable high level language as fast as possible. They succeeded… but now it is time to evolve it and make changes to help make it safer.
Structs can now be passed into Solidity functions!! (This has been a massive pain point for me! Happy to see this)
And you can return an array of structs!!
Can use require() and assert() to make your function safer.
For formal verification can use SMTLib2 / Z3. Can prove certain things about a function. Like variables will be in certain ranges, there is a divide by 0, stuck in an infinite for loop.
Can enable it in your .sol by adding `pragma experimental SMTChecker;` If an assertion fails, it will tell you why it failed with sample data.
If you have a simple function that takes in (int a, int b) and do a+b you could get an overflow. Will show you the issue at compile time. So you could put a require at the front to have an upper limit on a and b.
Asserts in your code are fine. Asserts should never be reached. If it is reachable then that is a problem. Asserts help the verifier to make sure it never happens and your function works as expected.
Mist: towards a decentralized, secure architecture - Everton Fraga, Victor Maia
Mist is there to host the Web3 project. Which is the vision of having a peer to peer decentralised internet with a Blockchain backend.
At Devcon 1 there was the first version of the Mist Wallet. Could to transfer, execute transavtions. But was waay too complicated for average user.
Devcon 2, released the Mist browser beta. Works for enthusiast user, full web power for smart contracts and Dapps. But requiring that the entire blockchain gets downloaded and synced first is a bit of a hurdle.
Ethereum wallet & mist have been downloaded 2.6 millilon times
Held a Mist summit in 2017 to talk about and decide on the future of Mist
Recently has focused on hardened security. Did an extensive audit by Cure53. They found 22 issues of varying security levels. From that they improved their test suite, and then fixed.
Have Ethereum bounty program to help encourage community to track down more.
Now has swarm integration to upload files to swarm. Bzz://aacfee00123412…
Has DNS integration so can also do bzz://my.website
Has ENS support for wallets.
To help with syncing times, supports Geth light client. (currently uses v1 light client protocol, v2 coming soon).
Built in Remix IDE. Can debug the steps that a transaction did.
Solo network, can use Geth with --dev flag to run an empty blockchain on your own node for testing.
Added a Windows installer. (Maybe I should talk with them about getting it onto the Windows Store)
Account management, standalone transaction signer. Means now you can sign locally, and then submit to Infura, or
switch between nodes.
If the accounts are managed by mist, means they now support different ethereum clients.
Did a major refactor recently, to help make it easier to add new features.
For Dapp developers, isolating local storage between networks. Different scopes to work with.
Sync jumpstart. Just get current headers, then sync the rest in the background.
Futures: better integration with remix, improve private net integration, puppeth kickstarts.
Could there be a Dapp trust level? Should dapps have access to HTTP (can be used for unencrypted tracking)?
Ethereum wallet.
Previously it was the best way to do your ethereum development (for deploying contracts), but now have Remix. So deprecating advanced features like contract creation. Creating a new Wallet.sol contract.
Q: Where is the decentralised web?
Still using centralised servers for Dapps. With centralised APIs, etc.
Mist relies on a lot of software stacks above and below it. How can you ensure that it is secure when we are dealing with keys that control real money.
Need to worry about javascript libraries you use. If you import them, they may modify the global space and add in trackers or modify web3 connection.
Web3.js has a lot of dependencies (showed a slide of the 60+ .js dependencies)
The web isn't ready for crypto :-(
we don't need a browser. We need a new app to access the decentralised web.
Announcing the moon project.
http://moon-browser.org
Gave a live demoFunctions are pure. UI layouts are on IPFS. Can build up a new UI by importing those different Uis and composing them. dapps are stored on IPFS for future retrival. Can take the code and create your own spinoffs. The decentralised web is mixable.
It looks promising
Video of demo at 1:13:00 https://youtu.be/k42YNyvG8CU?t=1h3m00s
Dapp Development using Remix, Mist, and Geth - Yann Levreau, Rob Stupay
https://ethereum.github.io/browser-solidity/
Remix is a solidity editor, integrated runtime environment with web3, and code analysis.
Can go to the compile tab and see compiler errors.
Can go to the run tab and execute functions on the contract
Does some static analysis. Can warn if gas requirements are too high.
Just talked about generic features of Remix.
It is colour themable..
DappHubb - Andy Milenius
https://dapp.tools
https://dapphub.com
DappHub is a self organizing network of logicians, researches, designers and developers.
Inspired by the Unix design philosophy for small reusable components. Want to make lots of free composable tools for Ethereum.
They are sick of Dapps that are using useless tokens. We want to free the Dapps of useless tokens.
People could take the Dapp, fork it, and remove the useless tokens
Created an ergonomic Ethereum toolchain.
They used it with MakerDAO
Share their tools using the Nix package manager https://nixos.org
One of the basic components is seth, which is an Ethereum swiss army knife. Make it easier to interact with blockchain instead of using web3. means you can use seth and make it composable on the command line with other tools.
Dapp tool for quick builds, powerful tests, easy deployments. Stack tracing.
Provable standard library for Dapp development.
Brings the same philosophy across to the smart contracts. Small reusable provable components.
There are 2 concepts: boxes & mixins. Can mixin Auth and Math and then use throughout the app (to bring in features).
Boxes are prebuilt components that have been put into a usable Dapp that you can just use off the shelf
DSAuth mixin, abstracts your Auth logic away from your Dapp business logic. Provides a DSAuthority property. Gives a canCall function, acts as a guard on the function, based on any arbitrary business logic, e.g. whitelist, timeboxed, role based, voter veto.
Example:
DSToken Box, is of type DSAuth.
It is a token that has 4 functions: stop, start, mint, burn.
Thinks Tokens should just be tokens. Just a DB of who owns them. Move the auth out from the business logic by using DSAuth
A traditional token is complex
An easier way is to think of them as single reusable components.
Real-World Smart Contract Development Lessons - Raine Revere
Suggestions for Dapp development.
Central logging: If you have a multi contract system, use a central logging contract to make it easier to track.
Modular libraries: Deploy code once, that other contracts can use over and over.
Think about having a data sctruct that can be reused. Then when you are calling other libraries you can just pass in the pointer to the data contract that has the struct, so it can read it easier.
Arbitration: use the blockchain as a court system / arbitrator. Assume people will act in their best interest cooperatively and the happy case most of the time off chain. Use the smart contract to execute and be the arbitrator.
User A uses the system and the counterparty does the right thing, execution is super simple.
User B uses it, has an issue. Raises a disupte, then does all the expensive logic and the bad party is punished by paying the costs.
Because the party behaving badly knows that they can be called out and will need to pay the costs, they are incentivised to just do the correct thing and everyone saves money.
Role analysis: who is interacting with the system
Buyer wants to buy, seller is putting up the assets, oracle is publishing the prices. Helps simplify code interactions
Context dependence
Send vs withdraw. Send is vulerable becaues the person you are sending it to could be doing something bad in the receiving code. But maybe you want to keep it simple. "it depends". Think about the tradeoffs
MetaMask: Dissecting the fox - Aaron Davis, Frankie Pangilinan
~200k users
Team has grown from 4 to 10
Will support HD wallets.
Mustekala project. Ethereum on IPFS to help bridge the two
Dan came on stage dressed up as a T-Rex
V4 will have a new UI, token management and responsive layout.
Metamascara
It used to be difficult to be able to get Metamask working in your website. Was a bunch of JS to check Web3 context, etc.
Now much easier, only 4 lines (I missed taking slide photo).
But it will also allow you to not need to have the Metamask browser plugin installed. It will now do it in JS and redirect you to https://wallet.metamask.io to use your wallet.
Web3.js 1.0 - Fabian Vogelsteller
Web3.js is middleware to save you converting values and transaction calls between JS and a node. Handles ABI encoding
EVM only knows bytecode. Everything that goes into it needs to be converted.
1.0 is a serious refactor.
It now has promises.
Blockchains have a weird async operation where you need to wait until it mines and is a few confirmations deep. Can use Web3.js PromiEvent to say when to move on once you've received enough confirmations.
Subscriptions based on WebSocket or IPC socket, instead of polling.
Web3.eth.accounts can now create, decrypt, sign
Web3.bzz allows you to interact with swarm to download and upload.
Web3.shh communicate on whipser.
Web3.utils.soliditySha3 allows you to make sure you hash the same way solidity does (important because Ethereum uses an earlier variant of Sha3)
Missing Links in the Ethereum Stack - Jack Peterson
Is the lead developer on Augur
Wants to look at Ethereum tooling, call out what he thinks needs improving, and is offering bounties to incentivise it.
Ethereum is a young ecosystem, is missing tools you may be used to in general software engineering. It feels like it is at the old early stages of computer engineering.
Lack of incentive to build good tools. Prefer to just go do another token sale.
Wish list:
We need a better debugger. Remix is too much, it is a full IDE, awkward for large projects, doesn't integrate with other tooling.
He wants to pull the remix debugger out to be portable (I agree, could bring it in as a VS Code extension)
Put a bounty of 2,000 REP for this https://augur.net/bounties/
Good code vs safe code. Need to think about how other safety critical software works. They do it via fewer features, less abstractions.
2nd bounty of 1,250 REP for a super simple solidity. That restricts things right down to not include inheritance, recursion, etc.
1,250 REP bounty to enable return values in transactions.
EthJS – Precision Ethereum Javascript Architecture for dApps - Nick Dodson
Ethereum in 2017 are a bunch of variants web3.js, EthereumJS, parity.js
He got frustrated with Web3.js and wrote ethJS
It follows Ethereum RPC specifications, and follows an identical provider model to web3.js
Metamask & mist are supported.
It is very similar, just with his opinionated improvements :)
ethjs-deploy, configurable contract deployment facility
Panel: Development Frameworks
On the panel is:
Creator of Embark
Jack Peterson, Augur
Andy, DappHub
Nick Dodson, Consensus, boardroom, Weifund, EthJS
Web3J, blk.io
Yann, Remix
Piper Merrium, python tooling ecosystem. Web3Py, populous, Ethereum Package management.
When they got started there were no tools, so they created their own tools.
DappHub: we wanted to solve problems in reusable ways
Nick Dodson: anger and confusion and questioning his own identity, spurred him on to create his own dev tools. Got frustrated with Web3 and wanted to do his own thing.
Lots of talk around how we lack a good package manager right now (EthPM later). We badly need one.
Nick: Don't waste your time creating another bullshit token ICO that will have a 99% chance of failing. Go and help out with tooling and help the long term health of the eco system. *cheers*
Uport – Usable Key Management for Multiple Identities Across Multiple Chains
"we have built Ethereum's user platform"
Can handle account management and login. Onboarding new users without Ether. KYC scnarios, etc
All Ethereum app accounts are in one easy place to manage.
Store credentials and badges
Create a completeuser profile store.
Mobile factor auth and signatures
Just because you lose your phone doesn't mean you should lose access to everything.
Your identity is handled by a simple contract called a proxy.
The private keys are kept on the mobile device.
Can do things like social recovery, with other recovery mechanisms coming in future
Started off as just on a single blockchain. But realised there are many networks. So now supports multiple networks
uPort handles account management for older web 2.0 and newer web 3.0
uPort connect library that uses web3 library and sends messages to your phone to authenticate.
Identity is always handled by the end user.
Users want to use apps, not worry about networks and gas.
Guide them through account creation and joining correct network. Solving gas issue by making all transactions going through uPort contract which pays the gas on their behalf?
Developers want to issue badges and other credentials to users. Giving some form of attestation
If you achieve a certain certificate, are over 18, just personal things that you can attest. Can keep it off chain.
There are enough companies out there that are doing KYC. Integrating in KYC providers. User shares their KYC badge.
uPort credentials is generalisable as user centric data that forms the basis for reputation systems.
If using an decentralised AirBnB want to track reputation
Demo video at https://www.youtube.com/watch?v=FPHXbJPVVaA&feature=youtu.be&t=1h51m10s
Data is the Missing Link: Enterprise grade oracles
Thompson Reuteur
They knew that they could be disrupted with Blockchain. Realised they could become a trusted oracle, as people trust them currently.
Decided to focus on the high value, low volume space.
Focusing on things like share prices, FX rates.
Corda & Ethereum. Currently only on testnets. Will be free, but need to agree to T&Cs.
Show an example of using oracles to pump in prices for ERC20 tokens, and have people buy/selling
Had to architect things differently, to keep their content they license from other parties within the usage agreements.
Looking to expand data coverage. Electricity & natural gas prices requested.
Looking to expand to KYC as a service, for governance & transparency to unregulated markets. So they can help token sales for example.
Secure Decentralized Oracles: Applying Intel SGX and TownCrier to external data, payments and off-chain computation - Sergey Nazarov
Smart contracts are unable to connect with external data.
Blockchain middleware takes external data and provides them as inputs into the contract.
Want to connect smart contracts to widely accepted bank payments systems, so can pay in local currencies.
Connect smart contracts from different networks so they can interact.
Centralised oracles are a point of failure. One node as a trigger
Town crier. Is open source.
Run it as a decentralised oracle network.
Use trusted hardware (like intel SGX)
Intel SGX probably returns the execution outputs. Here the executed software is the town crier software.
Scalable Onchain Verification for Authenticated Data Feeds and Offchain Computations - Thomas Bertani
Oracilze wants to help be the general provider of data to smart contracts.
Help bring in data feeds and have multiple parties give authenticity proofs.
Is a more general Oracle offering over Town Crier which is for scoped use cases. Allows chains of trust, and bring back more than one proof of the claim.
Snopes meets Mechanical Turk on a Blockchain: Reality Keys, On-chain Truth Verification and Subjectivocracy - Edmund Edgar
https://Realitykeys.github.io/realitycheck
What is truth? It is a big issue at the moment with US politics embracing "alternative facts".
Any paid advertise can push claims onto your screen. If you are faced with a claim, then you could spend time and effort trying to figure out the validity of a claim. But it is impossible to verify the constant barrage of bullshit so you just let it through. Get hit with enough stories again and again, start to take it as truth.
Created "reality check" Dapp. Is a mechanical turk for truth.
People who give correct answers get rewarded, incorrect get penalised. When answering you put down a deposit, returned if correct, taken if incorrect.
But what happens if someone gives incorrect biased answers, but puts down a MASSIVE deposit and makes it difficult for people to correct them. Can use an arbitrator to resolve it.
Mind the Gap: Application-driven evaluation of Smart Contract languages - Andrew Miller
Research papers. Compared the difficulty to develop apps on Bitcoin scripting vs Ethereum contracts