Coders gathered this weekend at Thomson Reuters headquarters in London’s Canary Wharf for a two-day HackETHon, where numerous teams formed to turn ideas into code on the spot, build a basic prototype and compete for first place.
For the first time in the digital currency space, one of the giant multinationals, Thomson Reuters, presented a public blockchain product: BlockOne ID, an Ethereum HD wallet that incorporates an identity system for situations where Sybil resistance is required or where AML/KYC regulation must be complied with. The wallet is to go live on Ethereum’s testnet soon, suggesting we may receive more assistance in public blockchain coding and development from the many household brands that are now working on blockchain tech.
Numerous presentations took place. Nick Johnson, Software Engineer at the Ethereum Foundation, presented BlockHooks – a new project that allows you to broadcast blockchain events on social media so you can follow, for example, Poloniex’s ETH address. Jack Gavigan from Zcash gave a presentation on blockchain security and privacy, while Péter Szilágyi, Software Developer at the Ethereum Foundation, addressed lessons learned on smart contract security.
Speaking to CCN, Szilágyi summarized the HackETHon as a “fantastic venue, fantastic organizers, fantastic participants” before adding:
“We had really great discussions with a lot of people and I think we’ve got some nice projects put together in this tiny amount of time too. So, I think it was an overall success.”
And the Winner Is…
Football on the blockchain – FantETHy – “a fantasy sports game implemented in smart contracts that run on Ethereum allowing users to create their own fantasy leagues,” says David Acton, member of the winning team.
Together with David Coleman, Andrew Smith and others, Acton created FantETHy in just two days to disrupt the huge fantasy sports market which has 56.8 million players in North America alone, producing a yearly revenue of $2 billion and growing.
The game allows you to pick a virtual team of real athletes, with points awarded based on performance. The user with most points at the end of the league receives a financial reward.
Each league is a smart contract, so payment is automatic with users able to verify the smart contract code themselves, thus reducing any cheating. We may therefore soon have the first football game on the blockchain as the team wishes to take the project further, according to Acton.
Winner of Smart Contract Security Challenge
“Truth of Stake” by Matthew Di Ferrante, Josef Jelacic, Will Harborne, and Ronan Sandford won the smart contract security challenge. The project addresses a potential single point of failure, corruption of data feeds used by smart contracts to determine the outcome of events, especially in insurance.
Developers currently use Oraclize to easily integrate smart contracts with data providers, but Oraclize could be hacked, might experience some downtime or there might be an unintentional error. A potential solution is described for CCN by Matthew Di Ferrante, a software engineer at Clearmatics:
“The Truth of Stake system is meant to fix this single point of failure by incentivizing many parties to provide their own source of data for an event to the blockchain, and keeps them honest by having them have a deposit at “stake”, if they act maliciously, or are too error prone, they will lose their deposit. The more providers there are, the more robust the median output value is, and the higher the security and reliability of the data.”
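The median-and-deposit scheme Di Ferrante describes can be modelled in a few lines. The sketch below is an added example, not Truth of Stake's code; the tolerance band, the slashing fraction and every name in it are assumptions. It also shows the limit of the approach: once colluding providers form a majority, the median follows them and the honest minority is slashed.

```python
from statistics import median

# Assumed parameters (not from the project): relative tolerance around the
# median, and the fraction of a deposit lost for an out-of-tolerance report.
TOLERANCE = 0.02
SLASH_FRACTION = 0.5


def settle_round(reports, deposits):
    """Aggregate one round of oracle reports.

    reports  -- {provider: reported value}
    deposits -- {provider: staked deposit}; updated in place
    Returns (median value, sorted list of slashed providers).
    """
    # Only providers with a deposit at stake are counted.
    staked = {p: v for p, v in reports.items() if deposits.get(p, 0) > 0}
    if not staked:
        raise ValueError("no staked reports this round")
    agreed = median(staked.values())
    slashed = []
    for provider, value in staked.items():
        if abs(value - agreed) > TOLERANCE * abs(agreed):
            deposits[provider] -= deposits[provider] * SLASH_FRACTION
            slashed.append(provider)
    return agreed, sorted(slashed)


def demo():
    # Constructed sample: five feeds for one price, two of them colluding.
    deposits = {"a": 100.0, "b": 100.0, "c": 100.0, "m1": 100.0, "m2": 100.0}
    reports = {"a": 11.95, "b": 12.00, "c": 12.05, "m1": 50.0, "m2": 50.0}
    value, slashed = settle_round(reports, deposits)
    # With a third colluder the liars are the majority: the median moves to
    # their value and the honest providers are the ones slashed.
    deposits2 = {"a": 100.0, "b": 100.0, "m1": 100.0, "m2": 100.0, "m3": 100.0}
    reports2 = {"a": 11.95, "b": 12.00, "m1": 50.0, "m2": 50.0, "m3": 50.0}
    value2, slashed2 = settle_round(reports2, deposits2)
    return value, slashed, deposits, value2, slashed2


if __name__ == "__main__":
    print(demo())
```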
Di Ferrante states they will continue developing the project, with a number of ideas in the air, including his favorite:
“[C]reating an oracle data feed for hashing binary releases for things like the Ethereum clients, where each Oracle compiles the source code independently and deterministically, auditing the commits and submitting the fingerprint to the blockchain, that can become a reliable source of truth when downloading software so that you don’t accidentally download backdoored binaries, or binaries from phishing sites, etc.”
Szilágyi’s favorite project – “[p]rimarily because I think that’s something our ecosystem dearly needs: more tools for security!” – Bountymax, was runner up.
We spoke to one of the team members, Makoto Inoue, a web developer at an insurance company called SimplyBusiness, “the biggest UK business insurance provider,” he says. He also runs London Ethereum Codeup, a group of 180 Ethereum coders who meet at SimplyBusiness’s premises to help each other learn how to code on Ethereum. Inoue explains:
“Bountymax is a “smart contract bounty smart contracts” platform. Traditionally bounty sites are non standardised, and reporting process is manual and can cause disputes (who claimed first and whether the claim is legit). We provide a platform and sandbox environment where smart contract owners can post their smart contract (target contract) as well as another contract which checks whether the contract can be hackable or not (invariant contract) with some rewards of Ether [if it is hackable].
Any security researchers (or white hackers) can submit their exploit contract to prove that it can hack the contract. Once the hack is proved, the security researcher can get reward automatically.”
Of course, you wouldn’t want to exploit the contract in a live environment, so an “off-chain sandbox environment to run the exploits and get the result via oraclize.it” is provided by Bountymax.
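The target / invariant / exploit flow Inoue describes can be sketched as a small model. This is an added example in Python, not Bountymax's code or a Solidity contract; `Vault`, `invariant`, `Bounty` and the deliberate flaw in `withdraw` are all constructed for illustration.

```python
import copy

class Vault:
    """Toy target contract (constructed for this example)."""

    def __init__(self):
        self.balances, self.total = {}, 0

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total += amount

    def withdraw(self, user, amount):
        # Deliberate flaw: no check that `user` actually holds `amount`.
        self.balances[user] = self.balances.get(user, 0) - amount
        self.total -= amount

def invariant(vault):
    """Invariant contract: no negative balance, and the books add up."""
    balances = vault.balances.values()
    return all(b >= 0 for b in balances) and sum(balances) == vault.total

class Bounty:
    def __init__(self, target, check, reward):
        self.target, self.check, self.reward = target, check, reward
        self.winner = None

    def submit(self, researcher, exploit):
        """Run `exploit` on a copy of the target; pay if the invariant breaks."""
        if self.winner is not None:
            return 0  # already claimed: the first proof wins
        sandbox = copy.deepcopy(self.target)  # live state is never touched
        try:
            exploit(sandbox)
        except Exception:
            return 0  # a crashing submission proves nothing
        if self.check(sandbox):
            return 0  # invariant still holds
        self.winner = researcher
        return self.reward

def demo():
    vault = Vault()
    vault.deposit("alice", 10)
    bounty = Bounty(vault, invariant, reward=5)
    harmless = bounty.submit("r1", lambda v: v.deposit("r1", 1))
    paid = bounty.submit("r2", lambda v: v.withdraw("r2", 3))
    late = bounty.submit("r3", lambda v: v.withdraw("r3", 3))
    return harmless, paid, late, bounty.winner, vault.total
```

Because the claim is decided by the invariant check rather than by a human reviewer, the two disputes Inoue mentions (who claimed first, and whether the claim is legitimate) are settled by the order of submissions and the check's result.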
The team already has a business model – charge 5% per bounty – but the more interesting aspect is the insurance model. Inoue states:
“At our PoC, each contract owner puts rewards for their own contract violation. The amount will be small unless you have big pockets. We can group the contracts together and have compound bounties so that a researcher who breaks one of the contracts can get a payout of the entire bounties combined.
Once we get enough data about the probability of contract violations, insurers can (potentially) underwrite policies so that we can have higher bounties than total rewards (aka premium) combined.”
At scale, this could be significant. Exploit data would be public, so insurers wouldn’t have to worry about gaming the system. We can imagine therefore, for some systems, bounties in tens or even hundreds of millions. This would address one of the points Emin Gün Sirer, Cornell Professor, has raised regarding security in the blockchain space.
As we have seen from previous hacks, the rewards for exploits in this space can be tremendous – $70 million for the alleged Bitfinex hack, $60 million for the DAO (had it not forked) and, of course, perhaps the biggest hack in the world, half a billion from Mt. Gox. This raises two issues: blackhat hackers are not incentivized to go whitehat and reveal the exploit, and whitehat hackers are not incentivized to spend time auditing smart contracts for flaws.
The DAO hacker got away with about $3 million (if he can cash them out), amounting to around 5% of the total value. A bounty of half a million or one million, therefore, would have probably been sufficient, especially as he can freely spend them and instead of being seen as a villain can actually brag about it.
Thomson Reuters is to hold another HackETHon in Switzerland around January 2017. The event, therefore, has clearly been a success and judging by the ideas above we look forward to the next one. Truth of Stake’s Di Ferrante states:
“The HackETHon showed how far and how quickly the Ethereum ecosystem has matured where all the different teams were able to come up with useful and impressive applications over the course of two days. Innovation from this space will only increase, and I’m grateful to Thomson Reuters for the opportunity to showcase the capabilities of Ethereum and for their work on their Ethereum Wallet!”
Another hackathon that is gearing up to become epic is ether.camp. Almost one thousand hackers have registered and the judges panel keeps adding impressive members, including from Bloomberg, BoostVC, Skype and Deloitte. We definitely look forward to it as a blockchain coding boom seems to have now begun.