Jonathan Fischoff, the founder of Canonical, a firm specializing in Plutus smart contracts, posted a public service announcement last week detailing an exploit affecting every Cardano dApp.
Despite the potential ramifications of Fischoff’s findings, the Cardano community remains unfazed.
But should this development spark more significant concern about the viability of Cardano, especially as Fischoff claims that patching it has consequences for smart contract design and efficiency?
What are the potential ramifications of this Cardano dApp exploit?
Fischoff opens his research by saying that, since mid-October, this exploit has been an issue affecting every Cardano dApp. However, he adds that this doesn’t impact UTXOs.
“Since Mid-October, every Cardano dApp with publicly accessible smart contract code, has had a similar exploit in their initial smart contract.”
UTXO refers to a verification system, employed by the Cardano protocol, that records the movement of assets by way of “unspent outputs,” as opposed to an accounting system. Proponents say that because each UTXO can only be consumed once and as a whole, this method is more secure and offers better privacy and scalability.
The article does not give precise details of the exploit, perhaps for security reasons. However, Fischoff said that he is in contact with Plutus developers to educate them on preventing the issue.
Nonetheless, and of great concern, Fischoff explains that mitigating the exploit significantly impacts the “design and efficiency” of Cardano smart contracts. The upshot is a need to redesign the smart contract and potential delays to rollout.
“Additionally, mitigating the attack has ramifications around the design and efficiency of smart contracts, which can lead to considerable amounts of redesign if you are not aware of the design constraints early on.”
How the community responded
Cardano has been pitched as a safer, more secure platform compared to others. But Fischoff’s smart contract research pokes holes in this view.
In a Reddit post on the matter, the community as a whole appears untroubled by the findings, with some comments even joking about the situation. One commenter played down the potential significance of a universal exploit, passing it off as irrelevant FUD.
“Thanks. Got my daily dose of Cardano FUD early today.”
Others praised the processes in place, saying it’s fortunate that the issue was discovered now and before anyone lost $ADA as a result of the exploit.
In any case, given that Cardano is already under pressure for a distinct lack of dApps, Fischoff’s findings only add fuel to the fire.