Getting data from the internet with Oraclize

Smart contracts can interact with data living in the blockchain but it is impossible to get informations from the web. Using Oraclize, we’ll see how your smart contracts can get data from outside the blockchain and execute any API call. Some use cases can be:

  • As seen in our article about the lottery, it’s hard to generating completely random data on the blockchain can be a problem, you could use Oraclize to get a random number from outside the blockchain.
  • In crowd sales, it could be interesting to know the current $ price of Ethereum or other tokens.
  • In a betting case, it could be interesting to get the result of a sport event from an external website.

First of all, you need to understand that reading data from the internet and manipulating money depending on the result requires to thrust an external source. Always keep in mind that you should have a way to pause and retrieve the funds in the smart contract in case of problems or change to the API you are reading from.

To try and test how Oraclize works, we’ll use the Remix interface they provide here. This interface let’s you discover some samples and test your own code for free on a simulated blockchain. The service is not free and require you to send funds to make queries, the costs inside described on their documentation.

The service works in 3 steps:

  1. You send a query to the Oraclize smart contract.
  2. Oraclize receive your query and make the corresponding request.
  3. Once they receive the data, they call a callback function of your smart contract where you’ll be able to access the requested data.

 

For this example we will write a simple smart contract that will fetch the current price of Ethereum in US dollars from the cryptocompare.com public API.

First of all, you need inherit form the usingOraclize  contract. If you don’t know about inheritance you should read our article. To import it’s source you can read and copy the content of the file on Github. Or import it directly from the repository putting the import at the beginning of your code file:

Once you imported the Oraclize API smart contract, you need to inherit from the usingOraclize .

This contract won’t do much, we now need to add the code to retrieve the price. using Oraclize is done in two step. The first is to inform the Oraclize about what we want by calling the oraclize_query  function. Once called with the parameters describing our query, the Oraclize smart contract will transfer the result to us by calling a function named __callback  we need to implement in our code.

We’ll first write our update function that will tell Oraclize about what we want. In our case:

You can note our update function has the payable  modifier as we should accept Ethereum to be sent as the oraclize_query  function require to send funds to the contract. Also note that first query made by a contract is free, so you can include call the update  function from your smart contract constructor without sending funds.

The query is specifying to retrieve a JSON content and directly retrieve one property of the object: the USD price.

The oraclize_query  accept two string parameters, the first string define the type of request and today we’ll use an URL  but you can also query the result of a WolframAlpha  formula or a IPFS  multi hash. It is also possible to add a third parameter in order to make the query delayed.

We now have to write our callback to receive the price:

The callback must be named __callback , the first parameter is the id of the request that can be saved when you make the request so you could handle different requests in the same callback. The second parameter is the result of your request. We use the parseInt  function that is inherited from the API file.

Here is our final smart contract:

From the Remix interface you first need to press the Compile  button to compile the contract to bytecode:

Then hit Create  button to publish your smart contract to the blockchain:

 

Once the contract is published, you will see the Log event appear:

If you click on the getPrice  button, you’ll see the price value appear in cents:

 

SafeMath to protect from overflows

Considering security is a big part of writing good Ethereum smart contracts. A common problem when dealing with numeric operations is the risk of overflow. In this article we will introduce to the SafeMath library available in the open zeppelin smart contracts collection.

What is an overflow?

An overflow/underflow happens when an arithmetic operation reach the maximum or minimum size of the type. For example if you store your number in the uint256  type, it means your number will be stored in a 256 bits unsigned number ranging from 0 to 2^256. In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bits – either larger than the maximum or lower than the minimum representable value.

The most common result of an overflow is that the least significant representable bits of the result are stored; the result is said to wrap around the maximum (i.e. modulo power of two).

An overflow condition gives incorrect results and, particularly if the possibility has not been anticipated, can compromise a program’s reliability and security.

 

Let’s protect!

This could happen whenever you are doing arithmetic operations such as + , - ,  * . When using the SafeMath library, the results of this operations will be checked and an error will be thrown stopping the execution of your smart contract.

Here is the code:

To use a Solidity library, just type inside of your contrat and you can then call the public functions defined by your library:

For example this little smart contracts that does nothing but just storing safely the result of an addition:

Don’t hesitate to use the SafeMath library to protect from inputs that could make your contract do unexpected things after overflow or underflow leading arithmetic operations.

 

 

 

Testing your Solidity smart contracts

A good practice in the software industry is writing tests for code. The tests needs to cover the features of your code and assert that everything is working as predicted. As we are writing smart contracts that can deal with money, writing tests is a really important task for us. The Embark Framework offers a pretty rich environment for testing our smart contracts.

We will write our tests in Javascript using the Mocha. To install it just type npm install -g mocha  in your terminal.

Let’s start writing test for our MDBService  contract that we deployed in our previous tutorial. We want to test the functionalities of our contract:

  • It’s empty when initialized
  • When a user registers, it creates a contract
  • We can retrieve a contract made by a user
  • A user can’t register more than one time

We will create a new file in the test directory  test/MDBService_spec.js .  We will import the libraries and tools we need to test our code:

Following the Mocha syntax we will describe our tests and deploy all of the contracts in our project:

Our first test will check if when the MDBService , it is really empty:

Then we will check if an account is really created after we call the register function:

Then we test if the contract has a correct address and our method to access the contracts works:

And finally we’ll unsure one user can’t create multiple accounts:

Even if smart contracts code are by nature pretty short, writing tests is really important to help you identify errors while building an application. It is also important as in smart contracts development, we often re use existing contracts code and it is important to know that your bricks are sane and safe.

To run your tests using Embark Framework, in a terminal type:

With our current test we should see this:

Here is our complete test file:

 

Security and smart contracts

As you may know, the Ethereum and more widely blockchain community suffered from a lot of hacks. These major hacks involved million of dollars stolen by exploiting security vulnerability in smart contracts developed by companies. Even the most talented programmers can easily make a mistake with code and when something involves money: a lot of people are here to exploit any vulnerabilities.

Here are two smart contract hacking that happened:

 

Always remember that it happens and you should always think about security when writing smart contracts or any code that involves manipulating money, or sensitive data.

Here are few advices:

  • Always check the input data.
  • Keep your contracts as simple and small as possible.
  • Keep control and always have a simple and secure way to stop your contract and recover it’s holdings.
  • Use as much as possible modules to keep codebase tiny and built around simple modules as we covered with our inheritance tutorial.
  • Be extremely careful about external contract calls, which may execute malicious code and change control flow.
  • Understand that your public functions are public, and may be called maliciously. Your private data is also viewable by anyone.

They are many possible flows in a smart contract such as integers overflow and underflow. Always keep up to date and learn about how your code could be exploited.

Please go and read the smart contracts best practices guide on Github. Also, always stay updated by reading news and following suggested peoples on Twitter.

 

Types in Solidity

Booleans

A boolean is declared with the keyword bool as two possible values true and false.

 

Integers

An integer is declared with the keyword int or uint for unsigned integers. Keywords uint8 to uint256 in steps of 8 (unsigned of 8 up to 256 bits) and int8 to int256uint and int are aliases for uint256 and int256, respectively.

The operators that you can use are similar to traditional programing languages:

  • Comparisons: <=<, ==, !=, >=, > (evaluate to bool)
  • Bit operators: &, |, ^ (bitwise exclusive or), ~ (bitwise negation)
  • Arithmetic operators: +, -, unary -, unary +, *, /, % (remainder), ** (exponentiation), << (left shift), >> (right shift)

Remember that arithmetic operations can lead to integer overflow or underflow, therefore we suggest you use the SafeMath library.

Addresses

An address is declared with the keyword address. An address define where you can find a contract or an account on the blockchain.

When you interact with a contract, you can know who interacts with the contracts by accessing msg.sender.

See how we use an address to add basic right privileges to a contract.

Enums

An enum is declared with the keyword enum. It’s a way to create a user-defined type in Solidity. They are explicitly convertible to and from all integer types but implicit conversion is not allowed. The explicit conversions check the value ranges at runtime and a failure causes an exception.