 To know a little bit about the audience and see how we could make better use of your time and understand So how many of you would consider yourself, you know, in solidarity is my contract like, you know You're starting with it. You're not, you know, it's the first time to it. You're just getting started You have quoted a few things, but you know, you're still pretty new Okay, so I would figure that everybody else considers themselves to be intermediate or advanced level of security. All right So, I don't know how much What I'm gonna say, perhaps I've already You already know about it So we could have more of a dialogue and you could and and you could have We're gonna have room of the at the end of the session for some questions That's for mostly also why Gonzalo from diligence is here because they work on security on their everyday basis So if there's a person that I'm not able to address He'll for sure be able to At least help me So how many so how many of you are from our have taken any class or anything in Frateria more How many of you take courses or do you teach yourself? How many of you take courses? How many of you learn yourself? All right, that's good. All right, how many of you learn like from Gate hub or repos from people that's that's mostly where people learn it from Yeah, if not, what were they usually if you want to learn about Ethereum, where do you go to? I'm sorry. Read the dogs. You read the specs the dogs. Yes And just have a curiosity because we're always about how many people here's consensus Yeah, we're always there All right So let's see if we can get started because honestly the room is full so actually they'll give us out there for more time of Work on this So considering that most of the audience is Advanced or intermediate. I'll try to go maybe a little bit fast about about some of the topics also I don't know how well some of the code will be we'll be able to be beaten on the back So we'll see how that goes So we have more time for questions and answers or like concerns about how to address for focus security and maybe Consolidate the thing to tell you a little bit more about, you know, how audits are conducted For smart contracts. All right So let me go back to you first. Well, welcome. So I'll choose myself and all that and Salo So my name is Carlos. I got involved in the blockchain space and 2014 I had my startup at that time and basically I was just you know, trying to I was just using Bitcoin blockchain to stamp documents Because my startup were having a lot of documentation and using docuSign didn't seem like something a startup would do So I started with it, but to be honest, I didn't really got Like you didn't excited me that much then but I run into a fear and that for me was really a People my mind and it made me get into the space and little by little I've been doing things in the space until I joined consensus I think about year and almost two years perhaps and I work in the educational arm I'll tell you a little bit more about it later But also in this session, I want to introduce you to Being a part of the relationship my consensus we mostly do security audience. We also build security tools Mostly automated analysis tools I don't know That my story of getting into here Exciting right now, but yeah, I've been doing I've been hanging for most of my life and I found it here a while ago late 2016 I have been breaking smart loan back several seas. Yeah here to answer any questions And you might have in the end or throughout the session Yeah, if you if you have any Any smart undercutting in spotting please come to me So as probably everyone here knows their consensus You know we were pretty broad and we do a lot of different things But without that in that there's also the educational arm that's consensus academy and basically on one side We tried to get developers skilled and ready to be able to build you think a theory of technology And we're also trying to get business leaders managers and You know lawyers and all the non-technical people to understand the technology enough to identify business opportunities It is as important as that we have really strong developers community that we also have traction in the business and That the companies understand how to use it because probably not necessarily your cases But if you're in the education in the blockchain education space and for whatever reason you work with enterprises 90% of the idea as you hear that they want to use blockchain force honestly not a good use case So it's very important that they understand when this technology is relevant and what is it good for and I think it's part of or Commitment and or value to the ecosystem also to help that happen and a little bit. That's what we try to do in the academy since everybody here is kind of a Intermediate level. I'm just gonna say that well we have trainings online Like central's developers actually is a cohort that October 30th We have this code, but if you're also looking to get into the space like looking for a job You might be interested in certifications. Those are certifications that are issued by a census There's my contract developer at CDC and here developer basically is my contract and apps smart contract developers just mark contracts and EPP is a theory and business professional In case you're interested or anything we're looking for a job. Those could be things that you might be interested in and Also, like I've said we have here Gonzalo from and from diligence and diligence basically what they help you with and correct me if I explain it wrong on solidly is They help developers startups companies and basically anyone who has a smart contract to you know Feel safer when they are in the main net that you know, they will not make the news because somebody had them I guess that's one way to put it and Luckily in the senses, there's you know the people that have really looked into this and and and I would say that probably one of the Bride some of the brightest minds in this aspect is in this team So, you know, if you feel very confident to approach them if you have anything Security All right, so We're gonna go a little bit about some co-recommendations We're gonna talk a little bit about some of the common attacks that you might run into and some of Simple ways or a little bit of simple ways to address it And I guess most of you have ever have made it if you know if you're curious you have already made it So if you're you know familiar with this, but we're gonna see how that pack of the bow happened And so you could understand how it run and we're gonna run the code so you could kind of a see what actually What what is the problem or what happened there as one of the most renowned attacks that happen in the space so as Basically when you are something important that you understand is that the smart contract at the end is code and it is from it is compiled to bite go which is what the adherent virtual machine understands and runs and Ideally we're trying to make that code as secure as possible And if you really really want to get into the to the security level understanding honestly Some people are actually especially for gas optimization. They actually work at the bite code level So they understand the bite code and they actually at the end they work with the bite code So if you're really into this eventually the next step or the next frontier for you is to actually be able to get to Understand what's happening at the bite code level and actually try to optimize there for security Not necessarily is the the only thing or the most important thing But it is important that for gas that you consider because sometimes There's a level like even just like rearranging things on the smart contract So the important thing that I wanted to get started for the people are new is that At the end a contract in the theory is is just another account That that it's it's created by a transaction and basically the code is stored there so as there's two types of accounts you have you externally owned the base is managed by the private key that as a user you hold and Basically, you are the one who holds to make the decisions However, the contract accounts are governed and ruled by the code. So they only will do what the code says That's it. That's why you cannot change you cannot You could trust a code that it's there because you know that you will only do what it says it does and You could also trust this the fact he has his ups and downs that That no one can change it One funny story. Oh, not fine. Sorry, but one of the things when we're like working with the people were training them and how to to get their first smart contracts Everybody or not everybody most of everybody of most of the students forget to get the function to get the money out of the contract You will not you would you don't believe how many people forget that because everyone's used to that money just ends in the bank You know, they don't they that's the mindset of changing the mindset of how this works It's actually more challenging that people expect So you have no idea how many contracts are out there that have either locked because somebody forgot to have to make The function to get the money out, right? So it's important that and we'll see that when you actually Try to run here that fell fast, which is kind of a something we heard a lot web development in in a job And everything done necessarily is the approach for smart contract. It's actually I don't know the opposite But it's important that you are careful what you do or what you don't do So everything just for the point of view of execution is you know The code is just taken by the IBM from the state from the count the input data comes in a different section All that is run based on whatever the function says and then at the end of the state the account the idea of the storage or Whatever information that is there is updated, you know, that's that's the logic of it And the word is that if something goes wrong, you know, then you know that the state is regarding and That's important because we're gonna see one of the attacks where basically that's what you enforce to happen so that The whatever function you're trying to run never ends or never gets to the finalization period point So it's always regarded and then you kind of a have a denial of service kind of As you know from those of you this is for the for the new people there's a smart contract has Different spaces or different scope for variables and what we use what we do with that and how to use them but also where we store them and the point of view from the point of view of the The space on storage everybody knows that that's very expensive on the main you know You need to optimize as much as you can for that So there's there's like the temporary memory that's the memory in this tag that basically you can have variables that you Will only be using While your code is running, but then they will not be there They will not be stored they will not be safe and there of course whatever you need important Which is state variables should be unless you allocate memory to it should be on the on the on the permanent memory of this So that you store there and you don't lose that information Probably the only cases where you want to have something that is usually memory you want to store is if you have a very big array and You know you don't you cannot look through it infinitely because you have the gas limitation So you may want to store the last Position of the array so the next time you run and you don't start from zero because otherwise you'll never look through the entire array So those are kind of things that you may want to think about when you're coding and that information that you're gonna need it for the Whatever next call you make with that contract should be in the storage or in the permanent memory otherwise You know you'll for example in the case of the array You'll never look through the entire array because you'll start from when you initiate initialize it in one and We'll just go until you run out of gas. So it's very important to take those right now And as you know Ethereum has a balance model not as a UTXO as Bitcoin So basically, you know, it's much simpler for a lot of different things and getting like your balance and everything It's it's a simpler process. It's just basically a field a data field and in the structure Rather than a compilation of all the people in addresses and everything and adding them up and all that So it's very simple to use and simplifies a lot of things. However, you know It does not allow sterilization like a lot of transactions in parallel like the UTX model does That's what it has as well. It's frozen comms But so basically that's why it's important that you know any transaction You have to make sure that the previous transaction has finished to get us started. Otherwise You know, you're not gonna have it. You're just not gonna have it All right, so that's a little bit of a quick intro that I just wanted to to make sure that we've got some basic concepts out there so As I was saying Very important that You have to understand that the code here like in this environment There's a high pose of failure and not only from the point of view of security Which we all know but for everything if for whatever reason, you know You need to update or change the code of the smart contract if you have not really thought about they How do you get a migrate data or how you're gonna manage the data from the beginning? It is it could be a very big pain to make that change. So Thinking about it's it's very hard sometimes when you're thinking about what your smart contract will do because sometimes You don't even know what things are going to evolve how you actually what all you're gonna need in the future So it's very important that you are really really take a time take your time to think What your smart contract might be doing and also maybe if you want to start small and then growing Because if not, you know, you may run into some problem that the change Can you can make up? Maybe you get into a lot of trouble or like even into like issues with potential users that you have Because you have to stop or something the fact that they're immutable is good because we have trust and you have that But it also implies a challenge that you cannot you know, oh, I'll just try this if it doesn't work I'll just fix it or you know, like I'll just try to fix this as an in runtime That important thing that I was saying you feel fast is not the approach And you need to think very carefully how you're gonna address this then I Guess this is what we have Inevitable and and they're always and they might be there. I mean I would say like, you know The doubt thing happened, you know, and you want to make a mistake So it's very important that you you are aware of this and you're not afraid to To be open to testing it with others to have it there use, you know External party services to order your code for example like for some diligence or anything to run tools that you have there formal verification You know, it's still happening You know, so people there's new tools How is it Ellie? I think it's a new tool for formal verification out there. There are a few of the tools out there They're coming still is an ongoing thing like everything in the space Do you have any any sort of Thoughts on Mexico or for like testing month and auditing and verification I have like You should use Instead of drill bits we we have the equivalent of Yeah Or we tax.io There's also like a symbolic Static analysis and they buzzer they both they all working that them just like they do in the trailer with single system But it's basically the same thing. They're both in symbolic engines So you should use them Yeah Make that says easier to use so for people that are just starting developing smart contracts I think you should be using Also And I guess I don't know One of the things that it scans life so actually will help you like some new vulnerabilities identified and added to the SWF This yeah, they will let you know Registry of all of that they're excess so they check about that If a new thing makes it to that list they add it and then you you'll go directly to that And they use also like I'll have you to that be able to scan what's already in the main Another important thing and I usually run into this that you know you need to make your code or try to keep your code as simple as possible and usually it's for example, it's good to start with Baby steps in a lot of things for example There is this was this person that we're trying to get it was more of a permission But while in New York real estate is a big thing and and there's a lot of permission and documents that go back and forth A lot of between a lot of different parties So they were trying to sell it to use blockchain for this makes perfect sense and it kind of it does However, basically what we said is that yeah But don't start with trying to get the whole workflow on smart contract or everything like blockchain because you know It changes if I can change a lot you can change and then something so right now I'm start just by you know figuring out a way how to stamp or how to make sure that someone could verify that the documents valid And nobody has changed it But you know don't try to get the workflow yet until you really get the tested and you know that it works And you know that's gonna change because if you want to get you know governmental board You really want that you don't know what they're gonna request to you You know dance so first have it running get it there and then you know figure it out What becomes actually transaction on repetitive that doesn't change and then try to go try to go from there So it's important that that you also take those into account important thing is as you guys know a lot of the things we do is import contracts or use contract that are exists out there and They're they're safe. There's some that are safe and you can trust because there's the people that are behind them However, not necessarily everything out there is safe So it's very important that if you're working with an external contract you really pay attention to it And you really understand what it does and how You know all the dependencies and other contract that you use especially, you know So that you import one contract importance imports a lot that imports on everything So you really have to check everything that it's related to your country because you never know if there's Something that not necessarily it's a you know with a bad intention But you know, maybe there's some vulnerability to some of the contract that you know, they've done person was just not really that diligent with it and And just you know Forgot to check something or to change something or just did a break some cones thing So it's very important that you take into account that yes Or the compiler Exactly is I think it's yeah, I think later when you also mentioned that on the compiler You know it changes and everything especially because you know, I mean solidity is still and there's no one yeah, right? So it's it's it's important that you take into account everything there and And So now let's get a little bit more about those recommendations about the code and a few things So some codes that we're gonna see a you know, like basic mistakes that people made is You know how it is executed There's there's it's important in the order of how things happen So the last thing that you want to that you want to do in the code is to send money You first need to make all the chain all first check all the conditions It's very important that you first check conditions so that you know that everything's correct That's you know normal programming then affect all the state variables that need to be changed Because and this is what we're gonna see reentrancy attack happens when you know I first send you the money and then I change your balance in that in that small period of time a fallback function kicks in and you know gets all the all the all the hacking and So it's very important that you always try to remember prior to part to live to do everything that implies an External thing of your contract for the last Everything that is internal to your contract should happen first and it's very important that you you always make that you know your everyday Better brought your everyday, you know like don't forget to do that Then you also see another interesting thing is that if you have a call that you check that you know Whatever it's coming in when they wouldn't call that it doesn't have any strange data on it So you get out that small require there just to make sure that you know, there's nothing strange coming in through your contract for the fallback Important as There were was mentioned, you know Changes happen in solidity very often like new words get deprecated and you would tell us it's impossible to know exactly What will happen in the future, but as much as you can try to work with the most reliable and up-to-date version Everything because they're introducing changes quite often, but those changes are really important And as much as possible try to always work with the most latest and most stable version of whatever is out there Especially with the code and just like he was saying it's very important that you fix the compiler to a specific version Even if you could put like anything from here and above usually that would work But it's better if you fix it and you leave it fixed so that you never get the chance that some word is deprecated or Something could be done in a different way because you never know Every time you fix something you broke something somewhere else So you never know what will what other backdoor will be open when we close one So it's very important that you always at least as much as possible try to know what you're facing and So we're just gonna explain a little bit based on that like your re-entrancy attack. I Know that this pattern. Let me see how well in This But that's just I'm just gonna quickly show to be too smart to Simple smart contracts just to show like the malicious and the vulnerable contract There's there's nothing really complicated here for those of who are also new I don't think you're gonna have any issues on understanding it but basically this is just a contract that just gets money and you know, it will give you back One ether at a time. That's that's all it does. That's nothing. They're just two functions Oh, yes, basically the deposit that it will just get money one ether or more. Yes Yeah, good idea. Thank you. I Think that's better So basically just get one ether or more. That's it nothing else Yes, just for the purpose of the exercise there's the function that takes the money out and This is what we're saying the issue that we have here is that your first kind of sending the money and then you're affecting the Variable the state so my balance is like, oh, okay I'm gonna give you five so I first give you five and then I go on down on the ledger So that's that that's the issue that basically this country has and then you just have you know function just to get balance So that's what you know the the vulnerable contract has this is a reentered Seattle, you know then the malicious contract honestly, the only thing I'm having is as Probably you'll know or most of you probably know You can hurt is an object or in the programming language. So basically what I'm saying is just I'm just creating the I'm just inheriting everything from the contract and I'm just passing it the address of The contract that I want to attack because I have that address and you know, you can import it there Really depends on how you do it Basically there and then you just have everything and the important thing here the story is if you see I have a fallback function and The fallback function is just checking if the contract has money that's one that's one ether or more That's maybe he does He just asked he calls the function will draw again That's what the fallback function is doing here, right rather than being just an empty thing Where you're just, you know, just have it there just in case or whatever something consider something though I have actually a Piece of code that will run when this function is full, right? And basically the structure is similar. So because the internet connection was a little bit bad, I Just don't want to take it any risks. So here's basically This is the code of the same code. I'm not really gonna make it that big because honestly you've seen the code is trust me It's the same thing. And so basically I have the two contracts employed, right? Everybody knows rivets here. I figured yes. I know there's some people that is you so basically all I'm gonna do is like let's say this For guy over here. It's gonna deposit Ten eighth here, right? So I deposit to the world will contract, right? So if we get the balance All right, oh, yeah I don't know if you can be made bigger but it has 10 10 99 That's what it has right if you get if I get check the balance of the malicious contract. He just has 22 So the only thing that right now if I if I just want to get it out I just I need it the first Contract the first thing that I need to do is that I need to get this malicious contract in the mapping In the in the contract that I want to attack So the first transaction that actually happened is what this contract deposited one in In the vulnerable contract so that it is in that in the mapping of people that could withdraw money Because if you read the code you could see that you know if you're there you're able to withdraw money That's the only thing that the previous step that happened there, right? So now the only thing I I I have to do. I know that this is the attackers address withdrawal and If you see it takes some time because it's just it's good It's just running and if we just check this balance here You see now it doesn't have 10 just out the 999999 because I took all the time he out If I just check this contract here, you see it doesn't have 22 we have 32 But the code says only to take one and then get the money why because what it's happening is That At the time that they send me the bunny in the book in there in the malicious contract the full back function kicks in So it calls the function again So the function sends another money calls the function again, and it just stays there Until the condition is out, which is when you don't have one e. That's why there's nine nine ninety nine There so that's the re-enhancing attack and something similar to this is what happened with the doubt and And it's something that is not really hard to avoid. It's just We were explaining before it's just a matter of how you affect everything so whatever you're doing externally to your contract Should always be the last thing that the function should do No after any assert Basically before any effort Another kind of a common attack how many of you are familiar with the DX origin attack? Okay, so listen, so I'm gonna go into more into it basically, there's How many of you are familiar with the MSG dot sender? Construction or keyword or term table so MSG sender basically just gives you the address of whoever is giving its Interacting with your contract, so whatever sender transaction whether whether that's a contract or a person So as you guys know what happens a lot in this phase is that you actually have some person that sends something to a contract and that Contract may call someone so for whatever reason the third contract or the second contract in this equation Wants to know because you are gonna send money and you don't want to send it back to the to the first contract You want to send it directly to the user? Right to avoid gas and a lot of potential reasons for that You use DX origin so you know what which is the address that it started the whole transaction itself, right? So That's handy in that case So you if you're being withdraw or like taking money out It would be handy so you don't have to pay for whatever reason anyone who's in the middle, right? Or like or have a lot of transactions happening for everything that is in the middle, however in it also could work to impersonate someone and What happens is that let's say what's your name? Philippine So let's say I want to to impersonate him So what I would figured out and let's say that your name is JC JC So the the contract he wants to really track with is JC So what it happens is that I figured out a way to trick him to think that I have JC's contract I don't know I put you know the fishing I put whatever it looks like it or something and he thinks it's wallet or you know It's change or whatever thing. I don't know I just figured out a way to trick To trick him so he will send a transaction to me And what I will do is then then I will send it to JC, right? But you but because he uses DX origin Then he's gonna think that it's actually him who's getting the money for whatever reason depending on how the code is I would be able to perhaps do something that I'm not supposed to do maybe not necessarily still funds Because it's still he's just gonna refund it your EPTX origin address But I might be able to break something or to maybe get it in the fallback function or do something there that you know I don't want that thing is not really accounting for now That's that's the hard thing here where your code is public is that people could be really clever and figured out how to Attack it So that's a little bit about the DX origin so I'm not saying not to use it, but you have to be careful For what you use it so just so that you are not really opening the door for someone to if they manage to make this trick To you to do to try to do something to your code or to take advantage of anything that is in your contract and so So another thing that could happen is is similar which is kind of a denial of service kind of a thing I don't know that's the best name of it, but but Basically what happens is that similar? let's say this is an example of let's say I have a magazine and you subscribe to it and Monthly or for whatever reason you you pay me or on a recurring basis But I also have in my function that you refund fees for something out of refund everybody You know, I'm shutting it down. I'm refunding everybody because I'm changing the code to a new code People just for them to be happy. I'll just give them back the money and they just Because I'm going to change the smart contract and have a new one I don't know whatever, you know, if you figured out what we said for some time These cases is like really hard to find a specific one But let's say that I have a function where I look through the an array of all my the people that has been subscribed and To refund everyone so basically what I could do here Is that I could get rather than someone's like an externally on account address there? I could get a contract and what happens is that when this person is like, okay I'll give you back your fee and I pop your address out What I actually do is that here I have a pullback and just get it there. So that this this function never finishes Because I just keep keep it trapped. I'm not earning money out of it. I'm not really doing the only thing Just to break your system. There's not necessarily any any economical gain for me But I just find a way to break your system and the thing that happens is basically that so because it will not happen Or I could put a condition for example like One equal zero that's false. It will always be false require one equal zero that's always full So it's gonna turn back give back an error. So this thing is gonna revert So you're never gonna be able to pop my address out of the array and you're never gonna be able to look through the entire array I didn't get any money. I didn't got anything out of it. Just you know, maybe cause you a lot of pain with your users Because of course if you don't have any other functions any other way to refund the users You're not gonna be able to refund them Right. So this is why I don't say it's very important that you have to think about all the things that that could go wrong And again, it's as simple as first take that address out affect everything internally in your contract Then do whatever you do an external, you know, that could you know, not necessarily solve everything but probably will probably a lot So how do you? Face this vulnerabilities back and said there's the SWC director list, which you know there you could go. It's very very it's You have examples of code there. You have examples of solutions there So I definitely saw a resort that you should check and then you should you know pay a visit every now and then because it's a dated But there's also called design patterns There's things that you know people try to put in place so that you kind of a if you implement those in your code You're I'm not gonna say your bulletproof But at least you know that you're prepared to face some of the most common things that Until somebody more much much more smarter comments in and finds another Backdoor, you're gonna be able to at least protect yourself better. So I'm just not I'm not gonna go through all of them This is quite simple and even if you know some you for you might be obvious We have in this time for a reason. It's very important that you try to take advantage of the modifiers and have permissioning to What who could do what? Because if not if you just have it public or if you have it or you didn't put private or you don't have anything, you know anyone could execute something and again, sometimes People forget how different it is to work on for you guys probably named like second nature now But for all their developers that are more used to on premises or all the kind of things It's it's it's a shift in their mindset. So it's very important that you always also forget Don't forget about these kind of things. So you take advantage of the modifiers. You're using us who has permission to do what on your contract then Kind of over saying the very important that You know, you do you do who can explain the difference between require and assert for conditions When to use one? Yes One difference is that assert will burn or will take all the gas that you have there require We'll give you back in case of failure. We'll give you back the remaining gas. Yeah, that's that's that's true Yes, sir should never occur at one time. Yeah, that's true So usually you first Require and you leave a certain for the last piece of it Okay, this usually that's an important ordering that you have for how it happens Like whatever is really extreme or everything should that you know It's the one percent thing that might happen that could break or it's something more than you can get The reason for you to use a certain is to a certain variance, right things that you never want to happen, right? So like if you let's say if you don't want the Balance of your smart background to ever be one the way you design that should never be below one ether, right? the way a certain is implemented in solidity is that it actually uses a different outcome, right and invalid outcoding as opposed to the After-reverting structure Now what this allows is that when you use like formal verification tools be like From from consensus diligence or from the drill bits You should use the consensus diligence ones, but although no work the same way you can use the assert condition For those tools to be able to see if anything is violated in your smart contract, right? I do think that the celebrity team like also has the SNP checker of late it right now to be able to order generate these Assertion violations based on your code alone But yeah, you can add these yourself and then run the tools and make sure that none of these assertions are violated with the health of like automated For example, I know that some of the people that it's made ICOs or something like Something something that they act or something they had like a search like if the transaction is over 10% of the volume Stop it So what's the benefit of burning the gas for a church for is it is it to the extremity of it? You want to? Oh There may be like a game here Incentive behind that but I said that the way they're used today Most please that they should never be treated. So like that's why we've heard is better, right? Like in the beginning but if they The job code that actually returns the remaining gas to the user didn't exist right to the guy who paid for the transaction That didn't exist. So this is all you want Gaining existence it doesn't make much sense to use this unless you want to and these are again These are meant to be invariance stuff that will not happen effort by Specification so you're basically specifying here, but you're basically Translating intent into Right, it's like you're saying this should never happen and if it does Everything to stop and that's when those automated tools tools that I said Verify that your assumptions were wrong Like there is only there should be this remaining have to come out and they should be above this I know that like I say in some ICO Contracts on the changes that you asked why was that if there were two transactions aware like about 5% of the total token supply or a few things like very strange things that should not happen on a legal normal cases to have that stopped so one except when you get a little business maybe more confusing than it is not I don't know you tell me but like one good example of like the liver versus a certain Discussion is safe by opens up. Do you guys know what safe methods the library that actually checks the dirt Overflows and and there wasn't what not do not have great. It's a safe way to do math In basically it was implemented with asserts And what this meant in opens up its head was that if it's an assert It should never happen so your code should already make sure that overflows do not happen However, people were not using it. No people were using it to protect themselves from all And it's intent right so opens up in green road safe back to use refer As opposed to asserts because now it's a safeguard now It's supposed to be to protect you at runtime as opposed to never happen, right? Yeah, and if this is confusing or not, but I'm having to talk to you later I Don't know about what you do You know, but it sounds like the only actual One Yeah, that's the only actually yeah During gas difference They all stop execution, so they Require statements used to report off those so like they actually return gas Message But yeah, you could put like a not something whatever condition you just want to know and just put it out there Yeah, this might be like earlier go to the beginning to require a statement Stephen even allow you to put messages And now they both used to refer it off, but at least it meet the event before stopping execution so that But important that I mean that you always try to make sure either with require with if statements or serve depending on You know kind of a thing that you always check for behavior of your contract You always taste that because I think at the end that's the most important thing that your contract behaves as you expect that it will be Then Well, like I said, basically this is just all the tech and tech interaction Which is just you know everything internal then external and basically, you know update every Requirements state variables and then whatever those externals of payments on that That will save you a lot of trouble and it's very simple to actually remember Then there's also Time where you may want your contract to stop running Right like for example, like I will say no this guy from the ICO they figured out that, you know, they're being act They managed to stop there's a section, but you know, you didn't ever know something else will come and they know I want to stop. I want my contract for a time to stop, right? So you could have those and they're not that difficult. Just, you know, a bullion thing variable basically that only specific person with the Permissioning to do it will open or close that door and have it there so that you just make sure but you could have This emergency stop in case something happened, you're you know, you're finding out that oh somebody's figuring out a way to take money out You know, not if not happening by now as I see the money going down I want to stop this or something right? It's very important that Using to know all those kinds of things and like I said, this is just like thinking from the beginning It's like do I want it? Do I don't want it? You know, it's it's very important that you stop to think what your contract what features you want to have your contract as once it's out There, you know, it's pretty it's not that simple to make changes to it. I'm sorry Do you then add in like that is stock? flag throughout your code like you do checks against that or Yeah, basically Do not turn this and but basically if you see at the end is like emergency withdrawal in this specific case What you just have is like yeah your contract has to be stopped and for whatever reason like somebody's taking the money out It's not safe. So you tell like hey, it's not safe. I need to take the money out So it's tough you stop it and then you take all the funds out, you know So yes, you put it there and under the circumstances that you stopped it You check that that variable is stopped or like if it is before any payments You may want to check that it is it really whether you do it or not It will depend on you know how credible it is or how important it is But you could always have plaques that could allow you to stop something or even to put time or some things Here's a stop go-no-go, but you also have a timer for example, so that something doesn't happen, you know 5% of you cannot you cannot withdraw Over 5% if not in 24 hours kind of a thing, you know, for example, you could have something there for that You usually have like a modifier like not stop But you want to make sure that I don't recall this function. It's not stopped And it usually opens up. It has like very standard Libraries to this or just contract safety in there From their frame. I'm talking a lot about opens up with that Yeah, you search for open that thing in Google like they have a bunch of stuff including their framework Which like they have an OS they have like the normal like silly reframing that just has a lot of reusable component city Then you know like all of variable contracts I don't think basically what you have there is just you have proxy contract that is the only thing is just being connecting you between Data and the logic of the contract sometimes so for in this example for basically what you just have here is that You know, you have what's called the address of the latest version of the contract that you want to use for whatever things that you're running or for Whatever Processes there that you want to have and basically this contract the only thing that it does is just holding the data right and So basically if you needed to change because A new version of a contract that say in that new version you added the stop for example, right For whatever reason so you would come here You would update the the you'll tell it now whatever thing that happens you have to interact with this new contract that I avoid So you kind of a given the new address point to rather is like I was working with this contract now You tell them now this is what the contract so that contract that whatever reason you no longer want to use You know, you could save a little you could solve the structure If you just leave it there whatever you want to do But now the important thing and this is kind of a way also they kind of a split a little bit of blood Like the data and the maybe the logic the business logic of your application and how So it's called the same path will turn on storage in case you want to go to the green belt Because honestly has a lot of more things, but just to make it real. We kind of short it a little bit Another and this is more about like Recommendation things is like you guys know like I said the storage is important Everything is a by 32 word and all that so even if Doesn't seem like a big Difference or like something that you would say like the ordering. How do you order your your state variables matter? Because if you're able to pack them in 32 in fact of 32 that everything you make a more optimal use of space and It actually reduces down gas consumption. So another recommendation there is You know when you have your state variables and you have everything there, you know If for whatever reason you get out of way how to better arrange them It could be important depending on a lot of the circumstances of what your smart contract does or why you're doing it It's a contract factory or different things out there It could be a Consider Yeah, for example here to say What happened is that we're gonna come around and sell it is that Basically, you're not gonna there's gonna be any spaces in the middle because the word is 32 So it's 32. They said 16 now I need to put 32. Oh, I don't have space So I use another I use another space in the stack. Oh now I got 16 So there's gonna be empty spaces. So if you put 16 16, they're gonna be better packed Well, just may look dumb, but the way this little new compiler works by reading from top to bottom Like whatever whatever happens, you'll always read stuff from top to bottom and in the reason why he's so so this this way He would read 16 bytes and he wouldn't trim it into us and then the way it works this way is exactly because there are Slots that can use right so this would be started slot number zero and now it tries to write to the second slot because obviously If each slot is 32 bytes these 32 bytes won't feed in the first one now If you do it like this this little compiler will put this in the first part of the 32 bytes in the zeros slot Right, and then it still has like another 16 bytes addressable by it and then it takes these just like puts them in front of the Yeah I was thinking this I think the C compiler actually does like actual C does like packing optimization What do you mean? Yeah, this is this impacts it up. So like actually like Everything is 32 If you put this in C you'll kind of I did Sure This gets complicated fast. I am not complicated But like these cats really fast and the reason why is that so it's because it has inherited this right and Each of these slots They are shared in between contracts So like if solidity if there are not like if there isn't like a clear ruling the clear rule as to how Solidity does that time backing and then right now is from top to bottom Maybe like a better solution could be discussed even though like it's it's just a Expect to do this right like like you can do it a million ways with like this is this is how it doesn't like if you inherit from These contract the layout storage at the inherited contract will be exactly the same, right? so like it's literally like just like Randomly Back stuff in different places when you inherit this from another contract or when you have some storage like Any reason you wouldn't be able to map it to where it is Thank you. We have this we can also talk about this over years And I'm interested What's the difference between transaction costs in execution? Basically the transactions for example like sending one each is 21 that's a cost of the transaction But it's not the gas cost is far more than one Yes, so like transaction costs Like 21,000 gas Because like that's the message that here this this might I don't know this This was me writing even this might be wrong in the sense that This may be what I may have written this and what I meant here It was that by execution I mean like when it has been executed at least once first I don't know Yeah, it doesn't it doesn't make much sense to talk about execution costs if you just deploying