Chat with us on Riot at riot.im/app/#/room/!#hydra:matrix.org.
[Warning]: The Hydra framework is an early research prototype, and is still undergoing the extensive testing, validation, and documentation processes required to recommend it for production. Please help us by trying to break the below bounties, and stay tuned for further release announcements!
Until then, remember: there be dragons here!
Programmer errors, compiler bugs, or language-specific flaws have caused a range of past smart contract failures, costing ecosystem participants millions. Hydra directly tackles these failures, and requires a rigorous specification and development methodology that can help stamp out future losses.
Hydra directly addresses these losses by creating an exploit gap, turning usable exploits into trustless bounties while incentivizing honest disclosure.
To power the Hydra, a brand new technique called N-of-N version programming inverts the old fault tolerant software idea of N-Version programming (NVP). While NVP emphasizes availability, NNVP requires consensus among its implementations to emphasize integrity. Each Hydra contract is composed of several subcontracts, or heads. These heads can be written in different languages, compiled with different compilers, and/or created by independent developers. By making sure all these heads agree at every step of computation, the Hydra framework is able to detect potentially security-critical bugs before they can lead to loss of funds. These include compiler errors, developer errors, and/or language specific flaws.
Unlike traditional NVP, which requires complete independence of programs to accomplish reasonable guarantees of correctness, Hydra works even when multiple heads are vulnerable to the same exploit. As long as there is a single head in the Hydra that is not vulnerable, the contract cannot be critically exploited. Because it is possible to estimate how likely it is that any two contracts have an identical bug, we can analyze exploiting the Hydra contract as an economic game, and rigorously model the size of the bounty required to disincentivize attackers. Not only is this the first rigorous bounty-setting model for smart contracts, but multiple heads mean that smaller bounties provide more economic protection than with traditional contracts.
The start to a comprehensive Hydra is a rigorous specification, allowing developers to implement heads independently.
Specification is always useful when developing with high assurance.
With specification in-hand, each developer can implement the target contract, and unit tests that exercise all its functionality. These test suites can all be run on the Hydra contract to find further errors.