Cryptocurrencies

             

The concept of having no central entity control currency seems attractive to a lot of people. However, trust in some decentralised entity means trusting the way that they operate their business - how they’re able to audit their code, and write bug-free software. The only thing I know about software is that it isn’t ever bug-free. To reduce MTBF, you implement things multiple times, in disjoint environments.

That said, the latest hack on a cryptocurrency/smart wallet I saw, made me wonder about their testing. How many bugs are they looking for, in terms of both their standard operating environment, as well as for security.

First, let’s benchmark a project that gets c.91% code coverage that I work on almost daily. ygot has (excluding demos, and generated code), 22,380 LOC. Of these 13,928 are test code. To get 91% coverage of the real functions in ygot, we need 62% of the codebase to be test code. In this testing, we’re not specifically looking for security issues, but just edge cases - and normal operation of the code. Checking the functionality rather than the security.

Looking at the repo that Tether links in their above example, they have 111,376 LOC at the time that I looked at the repo. The tests seem to be constrained to the test directory. and make up 13,430 LOC. This means that they’re writing 12% of their code to be test code.

Now, since the two projects don’t do anything close to the same thing, it’s probably unreasonable to make a direct comparison. To me, however, I just can’t see how one would trust financials to projects that have open code that definitely has fewer maintainers that people looking to exploit it, where the test coverage is unlikely to test all edge cases, let alone security cases.

One central entity might not be trustworthy, but it’s likely to be called upon to be reliable. Even regulated. Distributed trust means you really must trust the distributed entities not to have flaws that devalue your investments. Whether you do or not is your choice, but I’m certainly skeptical about giving money over to decentralised entities that don’t really seem to understand software testing and quality.