# OpenZeppelin Briefing

## Scope

* https://github.com/paritytech/ink
* https://github.com/paritytech/cargo-contract

It will likely also be interesting for you to see how the execution environment for ink! contracts works. This environment is called `pallet-contracts`; you can find its code [here](https://github.com/paritytech/substrate/tree/master/frame/contracts).

We have a standalone node that contains a vanilla Substrate blockchain with this `pallet-contracts`. You can find it here: https://github.com/paritytech/substrate-contracts-node. The configuration of `pallet-contracts` in this node can be seen [here](https://github.com/paritytech/substrate-contracts-node/blob/main/runtime/src/lib.rs#L322-L356).

## Resources ink!

- [Blog Post "What is Parity's ink!"](https://www.parity.io/blog/what-is-paritys-ink).
- Video intros/background:
  - [What is Parity's ink!?](https://www.youtube.com/watch?v=_J6BsbOaedw), contains some walkthroughs of workflows.
  - [Overview over the tech behind `pallet-contracts`](https://drive.google.com/file/d/1hDEg_RrNPi-5CEQ7grBgL6nFobCKIPM_/view?usp=share_link)
- The ink! documentation portal: [https://use.ink/4.0.0-alpha.1/](https://use.ink/4.0.0-alpha.1/)
  - Make sure to be viewing the 4.0 documentation and not the current default 3.0.
- [High level architecture document](https://github.com/paritytech/ink/blob/master/ARCHITECTURE.md)
- Crate documentation
  - https://paritytech.github.io/ink/ink/
- [`ARCHITECTURE.md`](https://github.com/paritytech/ink/blob/master/ARCHITECTURE.md) for ink!

### Example Contracts

- The ink! repository contains a number of contract examples in `examples/`.
- Simple full-stack Dapp: https://github.com/paritytech/link.
- Uniswap v2 and more: https://github.com/AstarNetwork/wasm-showcase-dapps
- https://github.com/Supercolony-net/openbrush-contracts
  - These aren't vanilla ink! contracts, but there is more complicated stuff in there than in our examples.
- PSP-22 is a standard analogous to ERC-20 for ink!/Polkadot: https://github.com/w3f/PSPs/blob/master/PSPs/psp-22.md. It was created by an ecosystem team.

### Deployments

- Production deployment: https://shiden.astar.network
  - Parachain on Kusama by the Astar team.
- Soon to be production deployment on Aleph Zero: https://alephzero.org/
  - Substrate-based chain, not connected to Polkadot.

## Attack vectors we can think of

### ink!

* Storage
  * `pallet-contracts` exposes just `seal_set_storage` and `seal_get_storage`. In ink! we have logic to map e.g. a `Mapping` to these methods. If there is something exploitable here, one could e.g. modify the storage in a way that other entries are overwritten (e.g. the address of a privileged admin account).
* Any `seal_` call accepting untrusted/arbitrary arguments.
* Storage overlaps/ability to override storage entries through the use of `AutoKey/ManualKey`.
* `cargo-contract` is the build tool for ink! contracts. It has heavy influence on the resulting contract. It should be examined as well.

### General Process

* Any Parity `core-dev` can publish releases of ink! and `cargo-contract`.
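
For the storage items listed under "Attack vectors we can think of" above, the following added example (not code from ink! or `pallet-contracts`) models how two mappings that end up with the same base key overwrite each other in a flat key-value store, together with a layout check a reviewer could run. `FlatStorage`, `ToyMapping` and `overlapping_fields` are hypothetical names, and the `base key ++ entry key` derivation is a simplifying assumption, not ink!'s actual key encoding.

```rust
use std::collections::{BTreeMap, HashMap};

/// Flat key-value store standing in for the contract storage reached
/// through `seal_set_storage` / `seal_get_storage` (simplified model).
#[derive(Default)]
pub struct FlatStorage(HashMap<Vec<u8>, Vec<u8>>);

impl FlatStorage {
    pub fn set(&mut self, key: Vec<u8>, value: Vec<u8>) { self.0.insert(key, value); }
    pub fn get(&self, key: &[u8]) -> Option<&Vec<u8>> { self.0.get(key) }
}

/// Toy mapping: each entry lives at `base_key ++ entry_key` in the flat store.
/// Assumption: only the idea "base key + entry key" is modelled here.
pub struct ToyMapping { pub base_key: u32 }

impl ToyMapping {
    fn slot(&self, entry_key: &[u8]) -> Vec<u8> {
        let mut k = self.base_key.to_le_bytes().to_vec();
        k.extend_from_slice(entry_key);
        k
    }
    pub fn insert(&self, s: &mut FlatStorage, entry_key: &[u8], value: &[u8]) {
        s.set(self.slot(entry_key), value.to_vec());
    }
    pub fn get<'a>(&self, s: &'a FlatStorage, entry_key: &[u8]) -> Option<&'a Vec<u8>> {
        s.get(&self.slot(entry_key))
    }
}

/// Review check: report every base key claimed by more than one field.
pub fn overlapping_fields(layout: &[(&str, u32)]) -> Vec<(u32, Vec<String>)> {
    let mut by_key: BTreeMap<u32, Vec<String>> = BTreeMap::new();
    for (field, key) in layout {
        by_key.entry(*key).or_default().push(field.to_string());
    }
    by_key.into_iter().filter(|(_, fields)| fields.len() > 1).collect()
}

fn main() {
    let mut storage = FlatStorage::default();
    let admins = ToyMapping { base_key: 1 };   // constructed layout
    let balances = ToyMapping { base_key: 1 }; // same base key: overlap
    admins.insert(&mut storage, b"alice", b"admin");
    balances.insert(&mut storage, b"alice", b"0");
    // The balance write replaced the admin entry for the same entry key.
    println!("admins[alice] = {:?}", admins.get(&storage, b"alice"));
    println!("{:?}", overlapping_fields(&[("admins", 1), ("balances", 1), ("total", 2)]));
}
```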