Since every computation on Ethereum has to be re-executed by every node in the network, computation on Ethereum is inherently costly and inefficient. (The Ethereum developer documentation on GitHub in fact warns that we should not expect more computing power from Ethereum than from a 1999 mobile phone.)
Security on the Ethereum Virtual Machine, meaning the security of the smart contracts deployed on the Ethereum blockchain, is therefore of paramount importance. Every error costs real money, whether it is a badly written contract failing or a hacker exploiting a flaw in one, as in the well-known DAO hack, which split the community and brought the Ethereum Classic chain into existence.
Turing completeness, together with a whole range of other design decisions that make Ethereum far more capable and sophisticated, has come at a price: this richness makes Ethereum contracts more exposed to bugs and to attackers.
To make matters worse, smart contracts deployed on Ethereum cannot be modified. The blockchain is an immutable data structure: a deployed contract's code is fixed, so a bug can only be worked around, not patched in place.
Two other articles (linked from the original post) go into more depth on smart contract security and on the ecosystem of tools and libraries that help us make our contracts secure.
Let's look at some of the upgrades to our toolset that we can use today to apply the best practices the Solidity environment offers.
One of the most useful tools in an Ethereum developer's kit is OpenZeppelin's library: a framework of Solidity code patterns and smart contract modules written with security in mind. Its authors are themselves Solidity auditors and consultants, and a third-party audit of the modules has been published. Manuel Araoz of Zeppelin Solutions, the Argentinian company behind OpenZeppelin, has outlined the main Solidity security patterns and considerations.
OpenZeppelin is establishing itself as the industry standard for a reusable, secure, open-source (MIT-licensed) base of Solidity code that can be deployed easily with Truffle. It consists of smart contracts which, once installed via npm, can be imported into and used from our own contracts.
The Truffle Framework has published a tutorial on using OpenZeppelin with Truffle and Ganache.
These contracts are meant to be imported and, where needed, extended by inheritance, overriding their methods; the library files themselves should not be modified. Pinning the npm package version matters for the same reason: an audit applies to a specific release, not to whatever the latest version happens to be.
OpenZeppelin's library contains a set of contracts for issuing tokens on Ethereum. For ERC20 tokens these include BasicToken, BurnableToken, CappedToken (a mintable token with a fixed supply cap), MintableToken and PausableToken (whose transfers can be paused by the owner). There is also TokenVesting, a contract that releases its token balance gradually like a typical vesting scheme, with a cliff and a vesting period, and more.
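The following is an added example of composing the token modules just listed by inheritance; it is not code from the OpenZeppelin repository or from the original article. It assumes openzeppelin-solidity 1.12.x installed via npm (the import paths, the token name and symbol, and the cap are all assumptions chosen for illustration). The library files are left untouched: behaviour is customised only by inheriting from them and overriding.

```solidity
pragma solidity ^0.4.24;

// Added example (not OpenZeppelin's own code). Import paths assume the
// openzeppelin-solidity 1.12.x npm package; adjust them for other releases.
import "openzeppelin-solidity/contracts/token/ERC20/CappedToken.sol";
import "openzeppelin-solidity/contracts/token/ERC20/PausableToken.sol";

// CappedToken already provides owner-only minting with a hard supply cap;
// PausableToken adds owner-controlled pausing of transfers and approvals.
// Both build on StandardToken, so a single ERC20 balance sheet is shared.
contract ExampleToken is CappedToken, PausableToken {
    // Hypothetical token metadata.
    string public constant name = "Example Token";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;

    // Cap of 1,000,000 tokens, expressed in base units (assumption).
    constructor() public CappedToken(1000000 * 10 ** uint256(decimals)) {}

    // Override rather than edit the library: refuse to mint while paused, in
    // addition to the cap check CappedToken.mint already enforces and the
    // owner/finished-minting checks MintableToken.mint enforces via super.
    function mint(address _to, uint256 _amount) public whenNotPaused returns (bool) {
        return super.mint(_to, _amount);
    }
}
```

Deploying this contract makes the deployer both the token owner (via Ownable) and the only address allowed to mint or pause. Because the override calls super.mint, every check in the inherited chain still runs; the override only narrows behaviour, which is the safe direction to extend audited code in.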
There is also a set of contracts for ERC721 tokens, the non-fungible, unique tokens of the CryptoKitties type.
ERC827 token contracts, a draft standard for sending data along with transferred tokens, are included as well. Because ERC827 lets a token transfer trigger an arbitrary external call, it deserves extra scrutiny before use.
There is also a set of crowdsale contracts for conducting Initial Coin Offerings. These log purchases, deliver tokens to buyers and forward the ETH raised, and they provide functions for validating and processing token purchases.
FinalizableCrowdsale provides for executing some logic after the sale ends. PostDeliveryCrowdsale holds tokens back until the crowdsale is over. RefundableCrowdsale extends Crowdsale with a funding goal and lets buyers claim a refund if the goal is not met.
Destructible contracts can be destroyed by their owner, with all remaining funds sent to the owner. There are also contracts that add pausability to child contracts.
OpenZeppelin provides many helpers and utilities for conducting ICOs, such as a contract that lets the owner recover ERC20 tokens mistakenly sent to an ICO address instead of ETH. The Heritable contract provides for transferring ownership to a designated heir under certain circumstances. The Ownable contract stores an owner address and provides basic authorization checks and ownership transfer.
The RBAC contract provides utilities for role-based access control: we can assign any number of named roles to different addresses.
Zeppelin also provides a sample crowdsale starter Truffle project. It has not been audited, so it is best used as an introduction to OpenZeppelin; it makes it easy to get a crowdsale and a token up and running quickly.
ZeppelinOS is an open-source, decentralized platform of tools and services on top of the EVM for developing and managing smart contract applications securely.
In effect this is a kind of middleware layer on top of the EVM, a step beyond the current OpenZeppelin framework. What Zeppelin Solutions promise here is to let developers opt in to mutability for their deployed code through upgradeability patterns. Anyone who writes smart contracts for the EVM knows that one of the constraints is the immutability of deployed contracts: once on the blockchain, their code cannot be changed. That is one of the things that makes the promise of ZeppelinOS interesting. It also changes the trust model: whoever controls the upgrade key can change the contract's behaviour, so that key becomes the most sensitive asset in the system.
Until now, "updating" a contract has meant deploying two contracts: a proxy that exposes the interface and an implementation that holds the logic. Callers invoke the proxy, which forwards each call to the implementation with delegatecall, so the implementation's code runs against the proxy's storage and the proxy's address and state stay put. When a change is needed, the proxy is retargeted to a new implementation (optionally the old one is removed with selfdestruct, formerly called suicide) and the new logic takes over seamlessly. The catch is that the new implementation must keep the same storage layout as the old one, or existing state is misread.
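The proxy pattern described above, as an added example that is not part of the original article and not ZeppelinOS's own implementation. The contract names, the admin-only upgrade rule and the two Counter implementations are assumptions chosen to show the mechanics: the proxy keeps the state, the implementation supplies only code, and both must agree on storage layout.

```solidity
pragma solidity ^0.4.24;

// Added example of a minimal owner-controlled upgradeable proxy (assumed
// design, not ZeppelinOS code). Every call the proxy does not itself define
// is forwarded with delegatecall, so the implementation's code runs against
// the proxy's storage, balance and address.
contract UpgradeableProxy {
    // Slots 0 and 1. Every implementation must reserve the same two slots,
    // otherwise its own variables overwrite admin/implementation.
    address public admin;
    address public implementation;

    event Upgraded(address indexed implementation);

    constructor(address _implementation) public {
        admin = msg.sender;
        implementation = _implementation;
    }

    // The upgrade key is the most sensitive asset here: it can replace all logic.
    function upgradeTo(address _newImplementation) external {
        require(msg.sender == admin, "only admin");
        require(_newImplementation != address(0), "zero implementation");
        implementation = _newImplementation;
        emit Upgraded(_newImplementation);
    }

    // Fallback: copy calldata, delegatecall, then bubble up return data or
    // the revert reason unchanged.
    function () external payable {
        address impl = implementation;
        require(impl != address(0), "no implementation");
        assembly {
            calldatacopy(0, 0, calldatasize)
            let result := delegatecall(gas, impl, 0, calldatasize, 0, 0)
            returndatacopy(0, 0, returndatasize)
            switch result
            case 0 { revert(0, returndatasize) }
            default { return(0, returndatasize) }
        }
    }
}

// First logic version. Slots 0 and 1 mirror the proxy; `count` lives in slot 2.
contract CounterV1 {
    address public admin;
    address public implementation;
    uint256 public count;

    function increment() public {
        count += 1;
    }
}

// Second logic version with the same layout: after upgradeTo(CounterV2),
// the proxy's existing `count` is preserved and increments by two.
contract CounterV2 {
    address public admin;
    address public implementation;
    uint256 public count;

    function increment() public {
        count += 2;
    }
}
```

Two caveats a reviewer would raise on this shape. First, a function defined on the proxy itself (here upgradeTo) shadows any implementation function with the same selector, so production proxies keep their own surface minimal. Second, relying on matching leading slots is fragile; ZeppelinOS and later proxies instead store the implementation address in an "unstructured" slot derived from a hash, so the logic contract's layout cannot collide with it.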
We are waiting to see how widely the community adopts ZeppelinOS. Zeppelin Solutions already name some non-trivial players, such as OpenBazaar, district0x and storj.io, as users of ZeppelinOS.
The Truffle Framework is a development environment, testing framework and asset pipeline for Ethereum. It is the most complete set of tools and has the most traction among Ethereum developers. Truffle's ecosystem includes a number of Truffle Boxes: boilerplates that bundle front-end JavaScript code, Solidity contracts and workflow utilities, such as a boilerplate webpack project with its toolset (migrations, tests, build pipeline and so on). Truffle Boxes can contain entire starter dapps.
Some of the officially supported boxes are:
Drizzle: a set of React/Redux-based front-end libraries that make building dapp front ends easier.
React box: a bare-bones app for interacting with smart contracts from a React front-end application.
React Auth box: a set of components for authentication powered by smart contracts.
React-Uport: an authentication box that connects the front end with the uPort blockchain identity system.
Then there is the webpack project boilerplate box mentioned above.
Community-created boxes add boilerplates for integrating contracts with mobile apps or Status IM, or provide Angular and Vue.js boilerplates, among others.
These boxes are integrated with Truffle, so we get started with them by running commands like truffle unbox react, which downloads the React box and installs its dependencies locally.
TokenMarket is another company that has published a repository of Solidity contracts and tools for managing token sales and ICOs. It is a limited company incorporated in Gibraltar that does ICO consulting, and it was awarded "Best ICO Advisor" at the Cryptocurrency World Expo Berlin Summit 2018.
TokenMarket's ICO repository on GitHub states that one of its design principles is to use or build upon the existing OpenZeppelin contracts, which it calls the gold standard of Solidity contracts. Much of TokenMarket's ICO code base is therefore built on OpenZeppelin's, extending it by inheritance in object-oriented fashion.
TokenMarket regularly (tries to) keep up to date with its upstream code base, OpenZeppelin. It adds more on top, such as the following:
AMLToken contract: gives the owner the chance to reclaim tokens from a participant who has failed a prolonged AML process, before the token is released.
Gnosis Wallet: essentially a multi-signature wallet, which requires agreement from multiple parties for certain transactions.
A Centrally Issued Token contract.
KYCCrowdsale: a contract that only admits investors who are not anonymous, that is, who have passed KYC checks.
Relaunched Crowdsale contract: restores a previous crowdsale and allows some of its parameters to be changed.
Milestone Pricing: a contract that provides milestone-based pricing and pre-ICO deals.
Although there is a lot of code in the repositories discussed here, the EVM is Turing complete, so these contracts do not come close to exhausting what it can do. Provided that Ethereum survives and stays competitive, with enough participants on the network, we can look forward to a much wider range of problems being tackled by blockchain contracts.
ConsenSys Ventures is a Swiss venture-investing company positioning itself as an angel/seed investor in the decentralized space, which in practice means the Ethereum space. Beyond the other resources they offer the companies they back, they have put together a compact compendium of best practices for Ethereum smart contracts. Strictly speaking this is not code, but it contains a good number of examples of good and bad Solidity code.
It is mostly about the security best practices for Solidity smart contracts.
The complete list of topics goes somewhat beyond the scope of this article, because the resource is comprehensive and worth reading in full, if only to remind a smart contract developer of everything to keep in mind when writing software for the EVM. This goes doubly for anyone writing contracts from scratch rather than relying on already written and vetted code like OpenZeppelin's.
Some of the articles deal with external calls: avoiding state changes after an external call, handling errors from external calls, favoring pull over push for payments, being aware of the trade-offs between abstract contracts and interfaces, not assuming that a contract is created with a zero balance, distinguishing functions from events, caution with multiple inheritance, warnings about timestamp dependence and the gameability of such constructs (for example block timestamps), and many other tips with plenty of code examples.
Then there are token-specific warnings, warnings related to token standards, software engineering techniques, and security tools for static analysis, testing, linting and so on.
They also list known attacks, starting with those that involve calling external code and contracts: functions that can be called repeatedly in such cases, reentrancy problems and cross-function race conditions. Here they analyze a whole range of problems, some of which manifested in the DAO hack.
They further cover transaction-ordering dependence, timestamp dependence, integer overflow and underflow, various points at which DoS attacks are possible, such as DoS via the block gas limit, and forcibly sending Ether to a contract; they also analyze historical and deprecated attacks. Definitely give their docs a read.
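The reentrancy problem named above, and the "state changes after external calls" and "pull over push" advice from the best-practices list, as an added example that is not code from the ConsenSys guide or the original article. The bank and attacker contracts are constructed for illustration: the first withdraw() has the same shape as the flaw exploited in the DAO, the second follows the checks-effects-interactions order and adds a mutex.

```solidity
pragma solidity ^0.4.24;

// Added example (constructed, not from the guide). VULNERABLE on purpose:
// the external call happens before the caller's balance is zeroed, so a
// contract recipient's fallback can re-enter withdraw() while the ledger
// still shows its full balance and drain the contract.
contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() public {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Interaction before effect, with all remaining gas forwarded.
        require(msg.sender.call.value(amount)(), "send failed");
        balances[msg.sender] = 0; // too late: re-entrant calls already ran
    }
}

// Constructed attacker: deposits once, then re-enters from its fallback
// for as long as the bank can still pay out the same amount again.
contract Attacker {
    VulnerableBank public bank;

    constructor(VulnerableBank _bank) public {
        bank = _bank;
    }

    function attack() public payable {
        bank.deposit.value(msg.value)();
        bank.withdraw();
    }

    function () external payable {
        if (address(bank).balance >= msg.value) {
            bank.withdraw();
        }
    }
}

// HARDENED: checks, then effects, then interactions. Funds are pulled by the
// user, never pushed in a loop, and a mutex blocks re-entry outright.
contract SafeBank {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() public nonReentrant {
        uint256 amount = balances[msg.sender];   // check
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                 // effect, before any external call
        msg.sender.transfer(amount);              // interaction: 2300 gas stipend, reverts on failure
    }
}
```

Against VulnerableBank, a single attack() call with 1 ETH pulls out every ETH the other depositors hold, because each nested withdraw() reads the unchanged balance. Against SafeBank the same attacker gets exactly its own deposit back: the balance is already zero when its fallback runs, and the mutex would reject the nested call even if it were not. The ordering fix is the real defence; the mutex is defence in depth for cases where a function must make an external call mid-way.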
In this introduction to the ecosystem we went through some of the available resources for writing good, production-ready smart contracts for the Ethereum Virtual Machine. This covers both reusing already audited, vetted code (OpenZeppelin claims that over $4 billion worth of cryptocurrency runs on its contracts) and practical resources for learning to write one's own secure, production-ready software.
We are fairly certain this list is not complete. Did we miss anything worth mentioning? Let us know!
Translated from: https://www.sitepoint.com/solidity-openzeppelin/