CertiK notes that during the past few months, their team has conducted extensive research on the Bitcoin ecosystem and its developments.
CertiK also audited several Bitcoin projects and smart contracts based “on different languages, including OKX’s BRC-20 wallet and MVC DAO’s sCrypt smart contract implementation.”
Now, CertiK says their focus has shifted to Clarity.
After the completion of several Clarity bug bounty projects, during which they reportedly acquired additional insights into security issues and common practices, CertiK are “now in a position to share their insights.”
As noted in a blog post by CertiK, Clarity is a smart contract language “developed collaboratively by Hiro PBC, Algorand, and other stakeholders.”
It is currently utilized on the Stacks chain (Bitcoin sidechain). The primary goal of Clarity is to provide a high level “of predictability and security, ensuring that smart contracts behave as intended without any unexpected side effects.”
In this update, CertiK explore the concept “behind Clarity smart contracts, as well as best practices and security checklists for programming with Clarity.”
Clarity’s design stems from a deep analysis of vulnerabilities “in smart contract engineering — particularly those observed in Solidity.”
Its key features include the following:
- Interpreted Language: ensures that what you see is what gets executed
Decidable Property: guarantees predictable outcomes and finite execution - Security Measures: protects against reentrancy, overflow, and underflow, which are crucial for maintaining contract integrity
- Custom Token Support: eases development processes
- Post Conditions Attached to Transactions: enhance security by verifying state changes post-execution
As explained by CertiK, Clarity distinguishes itself by “taking inspiration from LISP, a language known for its simplicity and power in handling symbolic information.”
In Clarity, everything is represented as “a list inside of a list, or an expression within an expression.”
This nested structure is a core feature, “making the language highly expressive and flexible.”
Function definitions, variable declarations, and function parameters are “all encapsulated within parentheses, emphasizing the language’s syntactic uniformity.”
By understanding and leveraging these nested expressions, developers can “create secure and efficient smart contracts tailored to the Stacks blockchain’s capabilities.”
This approach not only enhances readability, but also “ensures that the contracts are deterministic and predictable — key features for maintaining security and trust in decentralized applications.”
Security has always been a paramount concern in DeFi, “particularly within the Bitcoin DeFi ecosystem where the Stacks network plays a critical role.”
Robust security measures are even more important now, given “that the TVL in the Stacks ecosystem is approximately $80 million, as of August, 2024.”
Up to now, Stacks has experienced “multiple incidents, resulting in more than $2 million in losses.”
These incidents underscore the necessity for security audits in Clarity smart contracts.
CertiK have summarized their learnings from extensive research, and compiled best practices and checklists for Clarity smart contract developers.
Here are the key points:
- Avoid Using -panic Functions
- Avoid Using tx-sender for Verification
- Modular Contract Design for Enhanced Flexibility and Future Upgradability
For extensive details on above points, review here.
Once a smart contract is deployed on a blockchain, it becomes “immutable and cannot be modified.”
This immutability presents a challenge compared “to conventional application development, where updates and bug fixes can be readily implemented.”
In smart contract development, ensuring flexibility and future-proofing requires “a strategic approach, as there is no direct method to update the contract code once deployed.”
CertiK has conducted extensive research on Clarity smart contract security.
As an auditing firm with vast experience in smart contract security, CertiK has “identified and reported vulnerabilities in various Clarity-based bug bounty projects.”
They are pleased to support the Stacks ecosystem.