Adam Back blames EVM design for Bybit hack and he may be right


Adam Back points out that EVM flaws are largely to blame not only for the Bybit hack, but for all vulnerabilities seen in the Ethereum ecosystem.

Adam Back, a well-known Bitcoin developer and co-founder of Blockstream, has pointed directly, on his X account, to the design of the Ethereum Virtual Machine (EVM) as the main culprit behind the Bybit hack, among other similar vulnerabilities present in the Ethereum ecosystem.

Back, who is a prominent figure in the Bitcoin ecosystem, has been a vocal critic of the weaknesses of the EVM and its programming language, Solidity. According to him, the design of the EVM, which is essential for executing smart contracts on Ethereum and other compatible blockchains, has structural flaws that facilitate this type of attack.

But is Adam Back right? Are the problems with EVM as serious as he claims? In this article, we will explore his arguments, look at historical EVM vulnerabilities, and reflect on why these problems persist in the industry.

Who is Adam Back and why does his opinion matter?

Adam Back is an iconic figure in the cryptocurrency space. As co-founder of Blockstream, a leading blockchain technology company, and one of the pioneers in the development of Bitcoin, his opinion carries weight in the community. Back has been a staunch advocate of security and simplicity in blockchain design, features he says are absent in the EVM architecture.

And this is where the Bybit hack, in which over $1.400 billion was lost, comes into the picture, as this event was the catalyst for Back to voice his criticism. According to him, such incidents are not just the result of operational errors, but have their roots in an insecure EVM design.

«The EVM is a fire that hampers the credibility of the ecosystem», he said in a recent post. For Back, the complexity of the EVM and its language, Solidity, are a breeding ground for vulnerabilities that put users and platforms at risk.

But what exactly is the EVM? The Ethereum Virtual Machine is the execution environment that processes smart contracts on the Ethereum network. It was designed to be Turing-complete, meaning it can run any algorithm imaginable. While this offers flexibility, it also introduces complexity, which Back says is a serious problem.


Adam Back's view: What are the structural flaws of the EVM?

Adam Back has identified several key issues with the design of the EVM and its programming language, Solidity, which he says facilitate attacks such as the Bybit hack. Among his most notable criticisms are:

  1. EVM complexity: Back claims that the EVM is overly complex, making it prone to errors and vulnerabilities. "The EVM is a fire that cannot be controlled," he stated in a recent post. According to him, this complexity not only affects security, but also makes it difficult to verify and maintain smart contracts.
  2. Problems with smart contracts: Smart contracts, which are the heart of the EVM, have been the subject of much criticism. Back notes that these contracts, written in Solidity, often contain bugs due to the lack of proper tools to validate their security. In addition, the EVM's ability to execute complex code opens the door to attack vectors that are difficult to prevent.
  3. Reentrancy and other types of attacks: One of the clearest examples of EVM vulnerabilities is the reentrancy attack. This type of attack occurs when a contract calls an external contract, which in turn calls back into the original contract before the initial execution is complete. It has been responsible for some of the largest losses in cryptocurrency history, including the Bybit hack. In this regard, Back has pointed out that these attacks are possible due to the lack of robust mechanisms to prevent reentrancy. “EVM allows contracts to communicate in an insecure manner, which opens the door to these types of attacks,” he explained.
  4. State management failures: State management in the EVM has also been the subject of criticism. Back claims that the way the EVM handles state can lead to inconsistencies and unexpected behavior, especially in complex environments.
  5. Solidity: an insecure language: The Solidity programming language, used to write smart contracts on the EVM, has also been criticized for its insecurity. Back claims that Solidity lacks the tools and mechanisms needed to prevent common bugs, such as integer overflows, reentrancy, and other types of vulnerabilities.

For example, in the case of the Bybit hack, attackers exploited a weakness in the signature management of multisig wallets. While this type of attack is not unique to the EVM, Back argues that the complexity of the EVM and Solidity makes it harder to identify and fix these issues.

EVM problems are not new

But Adam Back is not the only one to point out the weaknesses of the EVM. In fact, many of the problems he has identified have been known to the community for years. For example, the attack on The DAO in 2016, one of the most infamous hacks in Ethereum history, was made possible by a vulnerability in the logic of a smart contract. That attack had been warned of days before, but the warnings were not heeded, and it ultimately ended with Ethereum rolling back. It was this event that split Ethereum in two: Ethereum Classic (the original chain) and Ethereum (with The DAO rollback to recover funds, supported by Vitalik Buterin).

The DAO hack: a historical precedent

The DAO (Decentralized Autonomous Organization) was one of the most ambitious projects in the history of Ethereum. Launched in 2016, The DAO was designed as a decentralized autonomous organization that would allow investors to support projects through voting. It was considered a milestone in the implementation of smart contracts and a demonstration of the potential of the EVM.

However, The DAO also became a prime example of how vulnerabilities in smart contracts can have catastrophic consequences. In June 2016, an attacker exploited a weakness in The DAO’s smart contract logic, allowing the unauthorized transfer of over 3.6 million ethers, then valued at over $70 million.

This attack was made possible by a combination of factors, including:

  1. Reentrancy: The DAO contract allowed an attacker to repeatedly call a function before the initial execution was complete, allowing funds to be drained in an unauthorized manner.
  2. Lack of proper validation: The contract did not have the necessary mechanisms to prevent this type of attack, even though warnings about the possibility of reentrancy had been raised by experts days before the incident.
  3. Design complexity: The DAO’s contract was extremely complex, making it difficult to audit and analyze before implementation.

The DAO hack was thus a defining moment in Ethereum's history. Not only did it demonstrate the weaknesses of the EVM and its programming language, Solidity, but it also highlighted the need for greater attention to security in the development of smart contracts.

Other warnings ignored

But The DAO hack was not an isolated incident. Over the years, there have been numerous warnings about the weaknesses of the EVM and Solidity. For example:

  1. The problem of reentrancy: Reentrancy has been one of the most common attack vectors on Ethereum smart contracts. Although patterns and libraries have been developed to mitigate such attacks, such as the “Checks-Effects-Interactions” pattern, many developers do not implement them due to the complexity and cost involved.
  2. The front-running attack: This type of attack, where a miner or malicious actor intercepts and alters a transaction before it is confirmed on the blockchain, is possible due to the transparency of the transaction memory pool (mempool) in the EVM. While there are solutions to prevent it, such as the use of state channels or privacy layers, these methods are not widely adopted.
  3. Lack of static analysis tools: For a long time, Ethereum developers lacked robust tools to analyze and detect vulnerabilities in smart contracts. While tools such as Etherscan, Mythril, and Slither have improved the situation, there are still limitations in the ability to detect complex bugs.
  4. The problem of "orphans" and "stuck" transactions: Some poorly designed contracts can result in “orphans” or “stuck” transactions, which cannot be executed or rolled back. This can lead to scalability issues and network congestion.

EVM security challenges: Can anything be done about it?

While the problems with EVM are serious, they are not insurmountable. There are several measures we can take to improve the security of smart contracts and reduce the risk of attacks like the one on Bybit.

  1. Improved auditing and testing: One of the most effective ways to prevent vulnerabilities is to perform thorough audits and rigorous testing before deploying any smart contract. This includes the use of automated tools and manual reviews by security experts.
  2. Using best practices: Developers should adopt best practices to write more secure smart contracts. This includes using patterns such as Checks-Effects-Interactions to prevent reentrancy and implementing robust access control mechanisms.
  3. Creating a regulatory framework: While decentralization is a core principle of cryptocurrencies, creating a regulatory framework that sets security standards could help reduce the risk of attacks. This could include requiring security audits before launching any smart contract.
  4. Investment in research and development: EVM security requires continued investment in research and development. This includes developing new, more secure programming languages and improving existing tools to identify and fix vulnerabilities.

Is Adam Back right?

In any case, Adam Back has raised a valid and necessary criticism about the design of the EVM and its impact on cryptocurrency security. The problems he has identified are not new, but they are serious. The complexity of the EVM and the weaknesses of Solidity have created an environment in which attacks like the one on Bybit can occur.

However, it is important to note that EVM security is not an intractable problem. With a combination of best practices, investments in research and development, and a more robust security culture, many of these risks can be mitigated.

In the meantime, the community must heed the warnings of experts like Adam Back and take proactive measures to protect users’ assets. Only then can we move towards a safer and more trustworthy ecosystem.
