The ethereum virtual machine (EVM) now has what appears to be its first ever decompiler designed to revert smart contracts into source code.
Announced onstage today by the founder of cybersecurity startup Comae Technologies at the DefCon hacker conference in Las Vegas, the open-source EVM decompiler was designed to make it easier to identify bugs in ethereum smart contracts.
Coming at a time when a string of ethereum hacks have exposed the difficulty of writing secure smart contract code, the decompiler, called Porosity, promises to let developers revert difficult to understand EVM bytecode back to its original state.
Porosity developer and Comae founder, Matt Suiche, told :
“The initial problem I was trying to solve by writing a decompiler is to be able to have the actual source code, without having access to the actual source code by reverse engineering.”
Also announced today, Porosity is now integrated with JP Morgan’s open-source Quorum blockchain created for enterprise-grade solutions, and it will now be available on the bank’s Github page.
Tested with the help of some of JP Morgan’s own engineers, Porosity and Quorum are expected to be packaged together to help run real-time smart contract security checks. The bundle, integrated directly into the Go-language ethereum implementation geth “out of the box,” incorporates security and patching processes for private networks with formal governance models.
JP Morgan blockchain lead Amber Baldet described to what she believes is the significance of the technology, stating:
“Porosity is the first decompiler that generates human-readable Solidity syntax smart contracts from Ethereum Virtual Machine bytecode”
A time of need
While Suiche said he’s new to blockchain, the serial entrepreneur who sold his previous startup to VMware was rather well prepared to build the decompiler.
As a reverse engineer, Suiche is familiar with starting with a product, and figuring out how to strip it down to its most basic parts.
So in February, when he began researching ethereum smart contracts in depth, he almost accidentally built the decompiler as part of his own personal research.
As Porosity’s launch comes in a month when ethereum smart contracts written for CoinDash, Parity and Veritaseum have all been hacked, Suiche thinks his chosen profession as a reverse engineer is about to see increased demand.
“The security community in ethereum is going to grow,” he said “And we’re going to see more and more reverse engineers.”
The business of decompiling
Still, there’s more to the business motivations driving decompiler use than just ensuring your funds remain secure.
Because vulnerabilities are frequently discovered long after a smart contract is implemented, an EVM decompiler can also bring peace of mind to investors, according to Alex Rass, CEO of customer software provider and cybersecurity consultant firm ITBS LLC.
According to Rass, decompilers are common among most “major” programming languages, in part because they help provide investors assurance that what they invested in is what is being used.
“With a decompiler someone with half a brain can go, pull the contract binary code for that contract and see that contract, and provide investors with what they purchased.”