Smart Contract Management Solution: How it works & why you need it
Kaleido provides enterprise-grade smart contract management as a native component on the Kaleido platform, an industry-first capability to empower organizations to grow their business network without needing to worry about common challenges associated with shared IT. Kaleido customers can manage how smart contracts are deployed and by whom. (Read the announcement here)
In an enterprise blockchain project, the beating heart of the solution is the shared business logic agreed upon among all parties, codified in smart contracts on the chain (click here to learn about smart contracts). The management, versioning and lifecycle of this shared business logic is an important governance activity for the business network. Equally important are the practical considerations of debugging transactions running through this business logic in production.
As organizations add new members to their consortium and reach mature stages of their blockchain implementation, they can now manage smart contracts across environments and control who can deploy to their business network directly from the Kaleido user interface, rather than learning and using Ethereum’s APIs. And for the first time ever on an Ethereum-based network, users can verify and audit which lines of code were executed for every transaction.
Kaleido provides end-to-end visibility and control
Our experience of so many projects making their way from PoC, into pilots and production has shown the importance of getting the lifecycle right for the Solidity source code of your smart contracts. The Ethereum model that the business logic is stored on-chain in complied form is beautifully simple and effective in its architecture. However, this compiled “EVM bytecode” is not itself readable. To govern, manage, install and debug this business logic, you need to have verified on-chain versions of your smart contracts tied back to exact lines of source code in your source code management system.
We are proud to be the only enterprise Ethereum platform that provides an architecture and out-of-the-box solution for enterprise smart contract management. Our unique end-to-end infrastructure brings together your existing system of record for source code management and reviews, with managed deployment of smart contracts to the chain, simple REST APIs to allow all participants to access those contracts, and traceability of the transactions on-chain back to the exact source code executed.
How smart contract management works
We bring together an end-to-end chain of components that work all the way from consortia governance/review, to deployment and promotion into your development, user acceptance testing, and production blockchains.
The smart contract management functionality can be compartmentalized into three main layers: projects, gateways and instances. The broader feature set leans heavily on the platform’s native REST API Gateway for simplified Ethereum application development and the Kafka backbone for reliable at least once transaction delivery. Let’s examine some of the critical components of this solution:
1. Source Code Management
We know you already have great solutions for source code management (SCM). For securing access to your source code, collecting reviews on versions, and cutting releases. So we’re integrating Kaleido with your existing SCM solutions, starting with Github. We support both public and private repositories and can pull from branches, tags or particular commits. Then we capture the exact version (commit hash) of the source code used in any compilation so that you can go directly back to the exact lines of code that were part of the compile.
2. Smart contract compiler
The only way to be sure what source code is associated with a piece of on-chain binary bytecode, is to perform a verified compilation of that source code. Previously in Kaleido (as with other tools on the main-net) we’ve allowed a post-verification compilation to be performed of source code. However, that form of post-verification compilation is complex, as you have to recreate exactly the same conditions as the original compiler, down to the exact version of the compiler and the optimization settings.
We’ve revamped this capability significantly, with a comprehensive new compiler service. This compiler is designed to be used before you deploy the contract on-chain, so you have a verified binary that can be promoted to your environments. This form of binary promotion of artifacts has been standard practice in enterprise applications and middleware for decades. Now we bring that approach to the enterprise blockchain.
The compiler runs directly against your Github repo; simply copy over the URL of the Solidity file you want to compile and we extract the source from the chosen branch/tag/commit, import the dependencies (including via NPM as is common in Truffle projects), auto-detect the right Solildity version to compile with, and perform the compilation. Then we store the bytecode ready for promotion to one or more environments, with a pointer back to the exact source code used in the compile.
3. Smart contract registry
When you promote a verified compiled contract version to an environment, you install it into the smart contract registry that is shared between all participants in the environment. This registry contains critical information, including the bytecode, application binary interface (ABI), and developer docs that are needed to install instances of that contract. As the registry is accessible at runtime to all participants in the Kaleido environment, it means that the verified version can be deployed through any Ethereum node in the environment.
4. Gateway APIs
As you might already be aware, every node in Kaleido has a built-in REST API Gateway. This gateway provides rich and easy to consume REST APIs for smart contracts:
- As a “factory” for deploying instances
- Providing simple REST access to data from the chain, with developer-friendly JSON types
- To submit transactions reliably onto the chain over a robust Kafka backbone
- Registering event streams, for reliable delivery of on-chain events to your off-chain business logic
We’ve coupled this REST API Gateway to the Smart Contract Registry, and as a result, contract versions that are promoted to the environment from the contract management dashboard are available from any node in the environment.
A friendly pathname can be associated with the contract version when you promote it, and the application code can use the same path to access the smart contract logic as it is promoted from development through intermediate environments into production. You can also associate path names with individual deployed instances of the smart contract so the application code can use the same API path against multiple different chains in your pipeline from development to production. Even though the Ethereum address of the contract will be different in each environment.
5. Transaction Analyzer
In order to discover instances of contracts and transactions that match verified promoted versions of your source code, we automatically analyze every transaction that runs through the chain. We generate a signature for the bytecode of each verified contract version you complied and promoted to the environment. Then we detect transactions that deployed bytecode exactly matching that signature, regardless of any extra parameters used to initialize the contract instance.
This gives you complete flexibility on how you deploy and invoke your contracts. It allows you to deploy smart contracts instances and transactions via any node. It allows you to either use our Gateway API to submit the transactions or to submit transactions via embedded web3 thick client libraries in your applications (over JSON/RPC). Whichever route you choose, Kaleido’s indexer will detect.
6. Address Book
Kaleido has a built-in address book in our APIs and UI that gives insight into what is behind those mystical Ethereum strings of Hex. We can tell you if an address is a managed Kaleido wallet, a particular token, or if it is a verified instance of a contract. Whenever our transaction analyzer detects a new instance of a contract, it’s added to the address book with a link back to the verified contract. So we can list all the instances of that contract deployed in an environment, and auto-generate a REST API for each of those contract instances. You can then use that REST API from any node.
Watch the demo video to see Kaleido’s smart contracts solution in action and try it out for yourself:
7. Vulnerability Scanning and Issue Detection Powered by MythX
MythX, available in the Kaleido Marketplace, can used in combination with Kaleido’s smart contract management solution to scan smart contracts for deeper security vulnerabilities and detect issues before deploying. This powerful capability will greatly reduce expensive errors and create trust for transactions in the overall Ethereum ecosystem.
MythX runs as a SaaS service in the cloud bringing heavy compute power to the dynamic analysis and fuzzing capabilities, and is integrated with popular development tools like Truffle, Remix and VS Code so teams can easily include security scanning into their daily work flows right from their favorite client tools.
MythX scans for security vulnerabilities in Ethereum and other EVM-based blockchain smart contracts. It provides a comprehensive range of analysis techniques accessible through tools developers already use and directly through a powerful API. The MythX suite of industry-leading analysis techniques—including static analysis, dynamic analysis and symbolic execution—accurately detect security vulnerabilities and provides an in-depth analysis reports and remediations. With a vibrant ecosystem of world-class integration partners that amplify developer productivity, MythX can be utilized in all phases of the smart contract development lifecycle. You can find more information about the MythX integration in the Kaleido Marketplace.
What makes Kaleido Contract Management special?
This first of a kind end-to-end management system represents the state-of-the-art of contract management for enterprise blockchain. It allows you to perform source code governance via your existing Github private repos, compile using modern tooling like Truffle and have auto-generated modern and reliable REST APIs to integrate with your on-chain logic and events. Furthermore, you can track transactions all the way back from the chain back to the exact source code that compiled them.