Exploring Sui: The Technology Behind High Performance and Contract Security

SlowMist
7 min readSep 3, 2024

--

Background

Recently, we discussed the features and security issues of TON in our article “Introduction to TON: Account, Token, Transactions, and Asset Security.” Today, we delve into another emerging high-performance blockchain — Sui. Sui has garnered attention from developers and researchers alike due to its innovative technologies and unique features. It focuses on providing a fast and secure transaction experience suitable for various application scenarios. This article will cover Sui’s account model, token management, transaction mechanisms, and asset security to help readers better understand the blockchain.

Key Features of SUI:

  • High Throughput and Low Latency: Achieved through parallel transaction processing and an efficient consensus mechanism.
  • Move Programming Language: Utilizes the Move language for writing smart contracts, ensuring security and flexibility.
  • Scalability: Designed to support large-scale decentralized applications.
  • Innovative Data Model: Adopts an object storage model to enhance data management efficiency.

Account Model

Address

Sui adheres to widely accepted wallet standards in the cryptocurrency industry, including BIP-32 (and its variant SLIP-0010), BIP-44, and BIP-39, to provide users with secure key management.

To derive a 32-byte Sui address, Sui uses the BLAKE2b (256-bit output) hashing function to combine the signature scheme identifier (1 byte) with the public key bytes. Currently, Sui addresses support pure Ed25519, Secp256k1, Secp256r1, and MultiSig, with corresponding identifier bytes of 0x00, 0x01, 0x02, and 0x03, respectively.

Balance

In Sui, everything is treated as an object, including the user’s balance. During a transfer, if the balance within an object does not match the required amount, the object needs to be split or merged. For example, if you have an object containing 100 SUI but only want to transfer 30 SUI, the system will split the object into two: one containing 30 SUI and the other 70 SUI. You can then transfer the 30 SUI object while retaining the remaining one. Conversely, if a larger amount is required, multiple balance objects can be merged to create a single larger balance object.

Token Management

Sui provides a standard implementation for Coin. When developers issue a Coin, they can simply call `use sui::coin;` in their contract to utilize all the functionalities of this standard library.

Since Sui uses the Move language, which differs from commonly used programming languages in other blockchains (such as Solidity), developers need to understand and pay attention to some unique features and functionalities. Let’s look at a sample code snippet:

module regulated_coin_example::regulated_coin {
use std::option;

use sui::coin;
use sui::coin::{TreasuryCap};
use sui::transfer;
use sui::tx_context::{Self, TxContext};

struct REGULATED_COIN has drop {}

fun init(otw: REGULATED_COIN, ctx: &mut TxContext) {
let (treasury_cap, deny_cap, meta_data) = coin::create_regulated_currency(
otw,
5,
b"tUSD",
b"Test USD",
b"Example Regulated Coin",
option::none(),
ctx
);

let sender = tx_context::sender(ctx);
transfer::public_transfer(treasury_cap, sender);
transfer::public_transfer(deny_cap, sender);
transfer::public_transfer(meta_data, sender);
}

public fun mint(
treasury_cap: &mut TreasuryCap<REGULATED_COIN>,
amount: u64,
recipient: address,
ctx: &mut TxContext,
) {
let coin = coin::mint(treasury_cap, amount, ctx);
transfer::public_transfer(coin, recipient)
}
}

This is a complete Coin issuance contract. The smart contract design on Sui differs from other blockchain platforms like Ethereum or Solana, where we don’t see explicit permission management in the source code. When using the function `coin::create_regulated_currency` to create a Coin, the contract creator receives a `TreasuryCap` object, which is essential for minting new Coins or burning existing ones. Only addresses with access to this object can maintain Coin issuance.

For users receiving Coins, their accounts control the ownership of these tokens. When invoking smart contracts to use these tokens, these objects must be passed in, and the transaction must be signed.

Transaction Mechanism

Transactions are a fundamental concept in the blockchain world and serve as a way to interact with the blockchain. Transactions are used to alter the state of the blockchain and are the only method for doing so. In the Move programming language used by Sui, transactions are employed to call functions in packages, deploy new packages, and upgrade existing ones.

When constructing transactions, it’s crucial to explicitly specify the objects they operate on! This is somewhat similar to how transactions in Solana require account inputs.

A transaction includes:

- Sender: The account that signs the transaction.

- List of Commands (or Command Chain): The actions to be executed.

- Command Inputs: Parameters for the commands, which can be simple values (like numbers or strings) or objects that the transaction will access.

- Gas Object: A Coin object used to pay for the transaction.

- Gas Price and Budget: The cost of the transaction.

Contract Security

Sui uses Move as its smart contract programming language, which can mitigate some common vulnerabilities seen in Solidity, such as reentrancy attacks, integer overflows, double-spending, DoS attacks, and compiler issues. However, it doesn’t completely eliminate the risk of developers introducing errors in their code, making security audits still necessary. Here are some points developers should pay attention to during development:

1. Permission Checks: Analyze the object types received by external functions. For privileged functions involving sensitive operations, ensure the passed objects are authorized. If a function receives and uses a privileged object, the function caller must be the legitimate owner of that object.

2. External Function Exposure: Some functions should not be directly callable from outside. If there are functions that should not be publicly exposed, developers should note that these should not be made public.

3. Object Analysis: Since objects in Sui can be converted into shared objects, developers need to list all types of objects used to confirm whether they are static or shared and identify any errors. Converting an object that should be private into a shared object poses a security risk, as anyone could use it.

4. Coin Consumption Checks: Sui’s token model differs from other chains in that it allows token objects to be held by or contained within other objects, and they can be split. This gives rise to several token consumption patterns:

- Directly transferring a token object to another object.

- Restructuring a token object to create a new object before transferring it to the target object.

- Splitting a token object and transferring the split parts to a new object.

Developers need to check the following during token consumption:

- Whether the amount consumed is correct.

- Whether the objects have been transferred.

- If there is splitting involved, whether the split amounts are correct.

5. Oracle Price Manipulation Attacks: If a contract on Sui uses an oracle to fetch prices, be aware of the potential for price manipulation. Developers can mitigate this risk by incorporating multiple data sources and consensus mechanisms to prevent single-source manipulation. Additionally, using time-weighted average prices can further protect against oracle manipulation.

6. Governance Attacks: Contracts on Sui are also vulnerable to governance attacks if the voting rights for governance tokens are not properly designed. Developers can refer to the governance logic of well-established decentralized organizations.

7. Arbitrage Attacks: If the logic is not well-designed, DeFi contracts on Sui may be susceptible to arbitrage attacks. Developers should carefully review the contract logic to avoid exploitation by attackers.

8. Fake Deposit Attacks: When exchanges or developers handle Sui token deposits, they must check the transaction status to ensure it was successful and verify the token’s Package ID to prevent fake deposit attacks.

Conclusion

In this article, we’ve explored the design features of Sui, including its account model, token management, transaction mechanisms, and contract security. Utilizing the Move programming language, Sui achieves high performance and low latency while introducing innovative data models and object storage methods, significantly enhancing security and flexibility. Compared to other blockchain platforms, the Move language excels at preventing common smart contract vulnerabilities (like overflows and reentrancy attacks), making Sui more robust and reliable from a technical standpoint. However, developers must still pay attention to business logic security, particularly in areas such as permission management, object type usage, and token consumption, to avoid asset loss due to coding errors or improper design.

Reference Links:

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet