Doubling down on security

Throughout 2019, one of our main focuses was our work on the first version of the Gas Station Network. Our contributions included auditing and collaborating on the contracts first built by the GSN team at TabooKey, supporting GSN from our contracts library, shipping a fork of the provider library, implementing development helpers, compiling a set of learning resources, and working with DeltaCamp in building the main GSN site. We learned much about meta transactions during this time, and we also learned much from the feedback of the community.


@jcarpanelli giving a talk on the GSN at Devcon 5 last year

When TabooKey ran out of gas last year, the GSN team at TabooKey left to form OpenGSN with funding and support from key stakeholders in the Ethereum community. Since then, we’ve been happy to see the original creators of the GSN working hard on a new GSNv2, which implements many of the features and improvements requested in the first release. We have been following their great work, and we are happy to see that a beta of GSNv2 will be ready soon.

With that in mind, we wanted to consolidate all efforts on the Gas Station Network around the OpenGSN organization. That means that we will be redirecting the gasstation.network domain managed by us to opengsn.org, to be the new canonical site for all-things-GSN. We will also be redirecting discussions and queries to the OpenGSN Telegram channel and an upcoming OpenGSN forum, in order to concentrate all knowledge in a single place. Last but not least, the learning resources we compiled on the GSN will be moved to the OpenGSN documentation site.

We are confident that the Gas Station Network, its tools, and its community will continue to grow and thrive under the OpenGSN umbrella. The decision to unify GSN efforts with OpenGSN is also motivated by our intention to double down on what we do best: smart contract security.

Refocusing on security in smart contract development

During these past years, the OpenZeppelin suite of open source tools has become very diverse. While the smart contracts library is our most popular open source project, we have also worked on upgradeability libraries, a CLI for fully managing smart contracts projects, libraries for testing contracts, and much more.


The entire suite of OpenZeppelin open source tools & libraries.

It is within this last "much more" category that there are libraries and kits for dapp development, including support for building on top of the Gas Station Network. And while we had a blast building these tools and got great feedback from the community on them, our development team is struggling to properly support and develop our entire offering of a dozen different open source tools, which range from smart contract building blocks to React-based libraries. This puts a huge burden on the team and hinders our ability to innovate in the space.

With this in mind, we have decided to refocus our efforts on security in smart contract development and testing. Along with the consolidation of all GSN efforts, this implies halting active development in our front-end libraries (network-js), starter kits (starter, tutorial, and gsn), and meta-transaction libraries (gsn-helpers, gsn-provider). While we received good feedback on them, these libraries have the lowest usage, and are the ones most disconnected from our focus on security.

If you are a user of any of these libraries, rest assured that we will keep providing support for them for the upcoming months. We will also be happy to work together with anyone who wants to take over their maintenance, and will provide guidelines on alternative libraries for each of the use cases covered by them.

On the flip side, this shift in priorities will allow us to focus on security, which has always been the bread and butter of our team, both in open source development and in our services offering. We have already started a new exploration process to find out how we can best contribute to the security of the Ethereum ecosystem, and are super excited about the possibilities, which we will be sharing during the next months.

Please read below for our plans and recommendations for each specific library, and let us know what we can do to make this process easier for you.

GSNv1 libraries

We will keep supporting our GSNv1 provider and helpers for 3 more months. We suggest that new developers transition to the new set of tools for GSNv2 being developed by OpenGSN, which include both a client (on which our gsn-provider is based, and is also available for GSNv1) and a localgsn helper (which is equivalent to our gsn-helpers).

As for existing developers who want to keep running on the GSNv1, we will keep our meta transaction relayers running for 6 more months, to give you time to spin up your own. The great thing about GSN being a decentralized network is that it does not require us or any player to keep any infrastructure running, as it’s open for anyone to participate.

Last but not least, we will keep support for GSN in our Contracts library. And since the recipient contract interface is the same in both GSNv1 and GSNv2, users of our Contracts will be able to easily integrate both versions of the GSN.

Network-js

Network-js is a very small JavaScript library for the browser that simplifies the process of acquiring a web3.js provider in a dapp, either via an instance injected by MetaMask or by falling back to a direct connection to a public node. It includes hooks to make it easier to integrate in a React app.


What using network-js looks like in your React app

We had originally developed network-js to power our starter kits, and to simplify the setup of a gasless GSN provider. Given that we are stopping new development on both of them, it makes sense to make the same call for network-js.

The full code of network-js is not very long and it’s easy to follow, making it easy to replicate the logic in your own app if needed. As an alternative, we recommend looking into web3-react, which already ships with a large number of connectors for different setups and wallets, and has had 5x more downloads than network-js. Nonetheless, we will keep providing support for the library by fixing any critical bugs for 3 more months.

Starter Kits

We built the first version of the starter kits for EthDenver 2019, to provide hackers with a way to kickstart the development of their dapps, and avoid wasting time in configuration. Since then, we have added kits for learning how to build a dapp and for building gasless applications, and the awesome Provable team also contributed with a kit of their own.


The starting page of the vanilla starter kit

However, starter kits require an inordinate amount of time to keep up to date, especially given how fast front-end development evolves. Every release of one of our tools also required updating all the starter kit flavors to use their latest version - a process that we failed to automate in time.

Given that starter kits are not a living component of an application, but a one-time unpackable, maintenance is less critical for existing users. Nevertheless, we will be fixing critical issues for the next 3 months, as well as providing support via our forum to apps that already unpacked the kits.

For those looking for an alternative, we strongly recommend Paul Berg’s create-eth-app. It ships with a subset of common smart contracts, works on all platforms, and even includes a subgraph out of the box. Check it out if you are intending to build a new dapp!

What’s next at OpenZeppelin

Besides exploring new ways we can contribute to the security of the Ethereum ecosystem, we will keep working on Contracts, on our upgradeability SDK, and on our testing libraries. Check out each of the linked roadmaps to know what’s next for our open source tools, and don’t hesitate to reach out to us if you have any comments or questions!

Happy coding!


Thanks to Liraz Siri from the OpenGSN team for his help in writing this article, and to @abcoathup as always for his feedback.
