How is Blue Label Labs different from its competitors?

First, we live and breathe cutting-edge/bleeding-edge technology, so your app will similarly be cutting-edge/bleeding edge with a long “shelf-life”. Second, with a perfect mix of local, domestic and international talent you are guaranteed to get the optimal mix of a high-quality product and a fair price. Third, you will be assigned a dedicated Program Manager (PM) after we’ve established a contract who will be your single point-person for all of your needs and questions. This PM will stay with you for the duration of your relationship with Blue Label Labs and is your conduit to all of the resources we have to offer, thus streamlining your communication and preventing you from having to repeat your message to multiple resources or play air traffic control. Our PMs are the best in the business and we’d be happy to introduce you to a projected PM (and project team) once we’ve got an estimate on the table to discuss. Fourth, the size of Blue Label Labs team (now 64 people strong) means you don’t have to worry about the “single point of failure” issue that exists at smaller shops of just one or two developers, nor the burden paying for the high overhead cost associated with larger shops. Fifth, we have a stronger focus on design than most other shops. We split our design team into two specific functions—Product/User Experience and User Interface. It’s a rare unicorn designer that is good at both thinking through flow and product decisions, as well as branding, colors, logos and overall User Interface. To that end, each project team has both a UX Designer and UI Designer staffed to ensure top notch design. Sixth, with over 7 years of operation and over 250 apps completed, we have both the experience and extensive re-usable code base to ensure your app is built as efficiently and as inexpensively as possible. Seventh, our QA and Testing methodology is rigorous and as important to us as the actual development—meaning your app will be as bug free as is possible. We have a dedicated QA Engineer staffed on every project. This engineer is not the original author of the code ensuring the highest quality results from the QA process. Please see the below sections for more details.

How does Blue Label Labs work with clients?

Blue Label Labs Labs begins most projects with a Discovery, Planning & Design Phase (Phase One). First, we determine the proper technologies and development schedule. Second, the Design teams inherit the User Stories that were drafted during the sales process. User Stories are simple one-liners that outline the activities your users will need to be able to accomplish within the app. These User Stories then get grouped together into meaningful features and feature sets. The Design teams work with the client to finalize the User Stories. Third, our design team sets out creating greyscale wireframes to illustrate how a user will move through the app (i.e., the user experience, UX). Fourth, we transition to full color illustrations/designs that have the final look and feel of the app (i.e., the user interface, UI). Fifth, the app designs are then uploaded into a prototyping platform called Invision that allows our team to create tappable and swipeable “hotspots” so that you can show the app on your phone or via a mocked-up phone in a web browser. At the same time, we draft a Functional Specification document that details the technical hows and whys of the project for the development team. Once that work is complete, we them move on to the Development Phase (Phase Two). The Agile development/engineering team works hand-in-hand with the Program Manager and follows the wireframes and the Functional Specifications to build the app. Our first development goal is the First Deliverable milestone—we call this D1; this is a highly functional build of the app that contains a subset of features agreed upon by Blue Label Labs and the client. We then begin an iterative process of finalizing the remaining features. At the same time, a QA Team builds a full test plan for the app. The QA Team continually performs functional and regression testing on the app, reporting issues to the Project Manager. Learn more about our process here.

How long does it take to complete the average app?

Typically, for our average 4 to 5-month project, the Phase One: Discovery & Planning and Design lasts for approximately 4 to 6 weeks, with Phase Two: Development and Testing Phase occupying the remaining 3 to 4 months. At the end of the Phase Two, the final app is prepared for Deployment. Deployment involves moving any web services and server side components to a production environment and submitting the app to the relevant app store(s).

How much does the average app cost?

If we were in full-swing on a new project, a client can estimate a cost of between $10,000 and $30,000 per two-week sprint ($20,000 to $60,000 per month) for the effort—typically billed bi-weekly. If Blue Label Labs is handling everything from Discovery, Planning & Design through to Deployment in an app store, total app costs average about $120,000 for one “platform”–iOS, Android, Web, etc. That said, it very much depends on the complexity of the design and development required for each individual app, we’ve completed full apps at costs of between $50,000 (a bare-bones, simple MVP/prototype) and $2,000,000 (a full featured, enterprise apps). We provide free, no commitment estimates to clients. After the app is submitted to an app store(s) or pushed live on the web, the Blue Label Labs team monitors the app store and customer reviews and deals with any issues, questions, delays or approvals that arise. We have a great track record with app submissions and make sure that the app submitted is highly likely to be approved without issue. Post approval, a maintenance agreement can be put into place to cover and small issues, minor app edits (e.g., color, image or text changes) and any bugs that might linger. At the end of the project, we will transfer all source code and project files to you and you will remain the sole owner of all IP in the app. After that time, we provide our services at an hourly rate of $120/hour for ad-hoc updates or at an hourly rate of $100/hour for a mutually agreed upon set number of hours in a 6-month retainer. The monthly maintenance cost for the average app is $2,000/month: in other words, a retainer of 20 hours per month at $100 per hour equals $2,000/month and guarantees expedited service vs. ad-hoc requests.

What is the difference between a Native App, a Hybrid App and an HTML5 App?

Native App: A Native App is an app written for a specific platform like iOS or Android—in other words, the app is written in the coding language used for development on that specific platform (Objective-C or Swift for iOS and Java for Android). When you build a Native App, you get access to all the hardware features exposed by the native code APIs and SDKs. For example, Apple iOS Push Notifications are one example of a feature that cannot be supported by an HTML5 App. The graphics and user interface of a Native App are far superior to any Hybrid or HTML5 app. You would choose this option, if you want to use the user interface components from Apple’s proprietary user interface libraries (i.e., the usability is better); you want full device hardware access—cameras, microphone, and geo-location; you want peak performance with no lag; you want users to be able to access the app off-line (i.e., without Internet access); you want access to push notifications and in-app purchase; and you want your app to de discoverable in the app store. On the downside, your code is less portable across operating systems and it is often the most expensive development option. It is our recommendation that if you plan to start a true, revenue generating, app-based business, this is the only viable option. Hybrid App: A Hybrid App is a form of web app that is deployed to a native platform like an iPhone or Android phone inside a native shell. This shell is usually little more than a web browser view (to display the HTML5 content) and some other hooks to allow your web app to potentially access some more hardware features that are not available inside a typical mobile web browser—e.g., push notification and in-app purchases. It improves code portability because if you want to port your app to another platform, you only need a native shell on that other platform to run it, the HTML5 content of the app is directly portable. These shells can be hand written, but can also be generated automatically by tools in the marketplace like React Native, PhoneGap, Cordova or Xamarin. These tools allow a developer to push the app out to multiple platforms (e.g., iOS, Android, Windows Mobile) quickly by generating the shell and packages required to do so automatically. This sounds powerful, and it is, but clearly creators of these third-party platforms have a lot of configurations and hardware to support, and thus, the solutions do not always work the same across all devices, and in practice, testing and hacking of special cases will be required by the developer to get proper functionality. You would choose this option if you want a balance between cost and usability; you want access to some (but not all) of the phone’s native APIs/SDKs and hardware; you want to be able to quickly deploy across multiple device types; and you’re not worried about high-end graphics. On the downside, because these third-party hybrid platforms (e.g., React Native, PhoneGap and Xamarin) need to support so many device types there are always implementation and usability issues to workout. In addition, you will only have access to the features of a new operating system 6+ months AFTER it is released by Apple, Google or Microsoft. In this way, your app will never be able to cutting-edge technology. While we are fully capable of building Hybrid Apps, it is our recommendation that this option is only viable for simple, lo-fi apps that are heavy on text and images, but don’t need much in the way of functionality or user interface. An HTML5 Web App: An HTML5 app is essentially a website with JavaScript code written to allow the app to perform dynamically, as opposed to a static website that you need to refresh to see the changes. It works interactively to make it feel like an app, but it is actually running in a web browser. It is essentially a website, which will support multiple viewports or screen sizes so that it works well on mobile. Because it is running in a browser, it is confined to what is possible within a mobile web browser. You would choose this option if you want to support multiple platforms with the same app/codebase; you want to deploy it on the web; you want the widest possible support across multiple device operating systems and manufacturers; and you want to be able to update your source files on your server and have them immediately deployed to all devices (i.e., removing the need for the app approval process). On the downside, your app is not discoverable in the app stores; it will never look and feel like a true mobile app; and you will have limited access to some of the software and hardware functionality of the phone (e.g., push notifications and cameras). It is our recommendation, that this option is only viable for view-only content where users are not expected to interact in any meaningful way.

Has Blue Label Labs ever transitioned an app the firm has built to a client’s internal development team? What is the typical process and how long does it usually take? Is there a fee for this?

Quite often Blue Label Labs transitions an app to a client’s in-house development team. As part of our regular transition for any client, we transfer all functional specs, wireframes, UI design resources, screen flow maps, passwords/certificates/credentials and source code to the client. We also have extensive experience working in tandem with a client’s existing engineering team. For example, Blue Label Labs will build the front-end experience of an app on top of a client’s existing backend web service and databases. These transitions are the quickest, averaging only a few days, since the Blue Label Labs team and the client team have already been working hand-in-hand for months. If we are handing over a complete project with no prior engagement with the client’s development team, then the transition can take a little longer depending on the support needed. This can range from a few days to a couple weeks. The transition is typically free of charge unless engineering resources are needed to facilitate the transition or the Program Manager is required to spend more than a week on the transition and training. We’ve even helped companies to interview potential new technical team members—e.g., developers and CTOs.

How does Blue Label Labs provide training to a client’s development team so that they could make app enhancements and how much would that training cost?

Along with all the project documentation and support outlined in the answer to the question above, we are happy to provide hands-on training to in-house developers/team members as part of the transition. There is typically no extra charge for this if only a few hours are required. If ongoing training is necessary, for example an in-house developer is not familiar with app development and requires a crash course, then we can offer our services at our hourly rate of $120/hour for training. We’ve even aided our partners in their hiring of their own technical/development team if/when the time is right.

How many designers and developers does Blue Label Labs have on staff? How many work on each client project? Where is the team located? Can the client talk directly to whomever will work on the app?

The Blue Label Labs team is comprised of 64 individuals across its UX Design/Product, UI Design, Development, Program Management, Quality Assurance, Sales, Marketing and Leadership teams. We have 6 Designers, 10 Program Managers, 35 Developers, 3 App Marketers—the remainder of the team is comprised of the Sales, Marketing, Operations & Leadership Teams. Depending on the size of the project, a team of at least 7 Blue Label Labs staffers will work on your project: 1 Program Manager, 1 UX Designer, 1 UI Designer, 1 Technical Architect, 1 Front-End Developer, 1 Back-End Developer, and 1 Quality Assurance Engineer—in addition to the technical and strategic oversight provided by Blue Label Labs leadership. The majority of our Design and Program Manager teams is based in New York City, Seattle and San Francisco areas. The Developers and Quality Assurance Testers are also based in the aforementioned cities, in addition to India-based team members. The Development, Design and QA Teams are managed directly by the Program Manager. The Program Manager is your primary point of contact and the liaison across all other Blue Label Labs team members associated with your project. That said, clients are welcome to speak directly with any individual team member as is needed.

Are projects priced based on “time-and-material” (i.e., hourly) estimate or a “fixed-price” quote?

Projects are priced on a “time-and-material” basis. With 7 years and 250+ apps of experience to our credit, we are able to produce very accurate estimates. We do our best to stay within budget or provide you ample warning if we think we may exceed our initial estimate so we can coordinate how to move forward together with you. Prior client references can vouch for the accuracy of our estimates and can be provided to you upon request.

Is Blue Label Labs able to guarantee that our app will be published in an app store?

Unfortunately, no application can be guaranteed for app store approval. However, Blue Label Labs has successfully built and deployed over 250 apps for the Google Play and Apple iTunes stores. We have a solid understanding and insight into what these stores will typically approve or disapprove of. We will warn you well in advance if any particular aspect of you project poses an approval risk. We have had a handful of instances where an app store has rejected an app for publication; not due to technical issues, but due to legal/business/terms of use issues; however, we successfully appealed ALL of these rejections and these very same apps are now in the app store for download today. We led these appeals on behalf of our clients at no extra charge. If your app is rejected due to technical reasons, we will make all necessary corrections needed to get approval at no extra charge. We are happy to connect you with some of our clients who did face some app store pushback to tell you about the rejection and our successful appeal.

What is Blue Label Labs’ policy regarding correcting defects and publishing an update in the app store?

We provide our services at a blended hourly rate of $120/hour for ad-hoc updates or at blended hourly rate of $100/hour at a mutually agreed upon set number of hours over a 6-month retainer. For example, a retainer of 20 hours a month for $2,000/month guarantees expedited service vs. ad-hoc requests. Ad-hoc requests are handled on a first come, first serve basis across all of our clients and development is based on our team’s earliest availability. The monthly retainer of hours functions much like an extension of the warranty period; issues are addressed within 24-48 hours and development will start as soon as the scope of the issue is defined. For those clients wanting a guaranteed 24 to 48-hour turnaround time on maintenance issues, a 6-month retainer is suggested.

What level of Quality Assurance is included and provided by you in your proposal?

A Quality Assurance (QA) Engineer is assigned to every project and builds a custom test plan for every project during the Discovery, Planning & Design Phase. During the Development & Testing Phase the QA Engineer continually tests the app using functional and regression testing. We test on a wide array of physical devices as needed for a given project. If we are building a backend web service and databases as part of the project, we will also have a set of automated unit tests that are run regularly to verify functionality.

What is Blue Label Labs’ quality assurance (QA) and testing methodology?

We believe that Blue Label Labs’ QA and testing methodology is part of our competitive differentiation. The fact that we dedicate resources to solely this function is something that sets us apart from other development shops for whom testing is simply an afterthought. At Blue Label Labs, QA is handled at all levels of development. There are generally 3 layers of QA/testing that happens for every project: 1.) Internal Development Team Testing Each Development Team has an internal QA Tester along with the Developer Lead who perform basic validation on bug fixes prior to builds being released to the broader Project Manager and QA team. Their validation is to ensure that items within JIRA, which we use alongside Trello, to coordinate team efforts and communicate with clients—are properly remedied according to their descriptions prior to “checking-in” or committing code. When items are resolved by the Development Team they are pulled into the “Testing Done by Dev Team” stack of Trello cards and/or within JIRA. When developing new projects, the Blue Label Labs Development Team will also be responsible for creating “unit tests” for our code so that we can quickly run a basic set of verifications. The dev team does the majority of their testing using iOS and Android app simulators. 2.) Dedicated QA Engineer Each project has a dedicated QA Engineer who sits independently from the Development Team who is responsible for: a.) Drafting a milestone based test plan which outlines a list of black box scenarios to verify and the expected results; b.) Performing smoke and full test pass runs against weekly and milestone builds; c.) Verifying and closing bugs that the Development Team has marked as complete; d.) Working with the Development Team to report issues and regressions; and d.) The QA Engineer takes items from the “Testing Done by Dev Team” Trello stack and verifies whether it is actually fixed. If it is, the Trello card is moved to the “Done (Verified)” pile, or sent back to the “Weekly Priorities” or “Product Backlog” stacks, as appropriate. The QA Engineer will generally perform their tests on 2-3 devices, depending on project requirements. 3.) Project Manager (PM) Testing The final QA gate is the PM who is responsible for quality of the entire product. They will also work with the QA Engineer to verify items have been fixed properly in addition to triaging new issues coming in from the client and the QA Engineer. The PM will appropriately schedule issues to be resolved based on their severity and importance. The PM’s testing is done on actual devices.

Can Blue Label Labs help me with Marketing and PR?

Absolutely. We aim to be your full-service app partner. Our Marketing & PR Offering is designed to help you launch your app and gain marketing exposure. Learn more about our Marketing & PR Offering here.

Blockchain

How the Wrong Visibility Modifiers Can Lead to Security Breaches in a Solidity Smart Contract

Smart Contracts refer to immutable pieces of code that live on the Ethereum blockchain.

Once you deploy a contract, you cannot update it to fix a security breach – so knowing how to examine and identify security breaches in your contract source code prior to deploying it to the blockchain is the first step to securing your smart contract.

In particular, one of the easiest ways to introduce a security vulnerability into your contract is through the improper use of visibility modifiers.

In this article, instead of just talking about abstract concepts, I will walk you through the process of building a Content Access Contract, testing it, and examining security vulnerabilities introduced by using the wrong visibility modifiers so as to provide you with hands-on experience.

The Content Access Contract is a smart contract aimed at giving a hackathon platform learners access to course materials.

To understand the concepts discussed in this article, you will need an intermediate knowledge of Solidity, Remix IDE, and Ganache.

Building a Content Access Contract

In this tutorial, we will use Remix IDE to build a smart contract to give students access to hackathon course materials once they pay a certain fee to a smart contract.

Suppose that we’d like to build a Web3 hackathon platform that requires learners to use crypto wallets for account creation and payment.

In a nutshell, our platform will enable learners to create a profile using their crypto wallets, but they will need to pay a certain fee to generate a random 9-digits authorization code, which will be the ticket for accessing the hackathon course content. The course materials are stored off-chain, so our platform communicates with the Ethereum mainnet just to verify payments.

Our contract will maintain a database of all the authorization codes and their associated public addresses so as to grant subscribers access to the course materials. When a learner tries to access our platform course content, the platform uses the learner’s public Ethereum wallet address and checks if it has an authorization code in our blockchain-based backend. If the platform sees a corresponding authorization code, it then gives the learner access to the course materials.

To build the content access contract using Remix IDE:

Visit https://remix.ethereum.org/
Go to the Icon Bar located on the far left-hand side.
Click on the File explorers icon.
Right-click on the contracts folder.
Click on New File.
Name your file contentaccess.sol. An empty code editor will live-update the Main Panel and a tab with your new file’s name.

Copy and paste the following code into your remix’s code editor:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/***
*@title A Contract for Giving Learners Authorization Code
*@author Said Habou Adi
*@notice You can use this contract to take advantages of Ethereum Blockchain to give access to course content.
*@dev This contract's main public function takes an input as an argument and generate authorization code.
*/

contract ContentAccess {

    uint[] collectionOfAuthCodes;

    ///@dev Public Keyword helps the compiler generate a function that returns mappings' values.
    mapping(uint => address) public authCodeOwner;
    mapping(address => uint) public authCodeOfLearner;
    mapping(address => uint) authCodeCount;

    uint authCodePrice = 2 * (10 ** 18);

    event NewAuthCodeIsAdded(uint cryptoCode);

    
        ///@notice Changes the price of authorization codes creation.
        ///@dev Takes a wei unit as argument to change the price for generating authorization codes.
    function setauthCodePrice(uint _price) external {
        authCodePrice = _price;
    }

        ///@param inputKeccak The input to be used to generate authorizationcodes
        ///@return Random 9-digits numbers.
    function generateAuthCode(string memory inputKeccak) public view returns (uint) {
        uint hash = uint(keccak256(abi.encodePacked(inputKeccak, msg.sender, block.timestamp)));
        return hash % (10 ** 9);
    }

        ///@notice Takes random numbers and add it to the array.
    function addAuthCode(uint _hashmodulus) public {
        collectionOfAuthCodes.push(_hashmodulus);
        authCodeOwner[_hashmodulus] = msg.sender;
        authCodeOfLearner[msg.sender] = _hashmodulus;
        authCodeCount[msg.sender]++;
        emit NewAuthCodeIsAdded(_hashmodulus);
    }

        ///@notice Creates an authorization code
        ///@dev Takes an input, generate 9-digits number and add it to the array
        ///@param input to be used as an argument by invoked functions
    function createAuthCode(string memory input) external payable {
        require(authCodeCount[msg.sender] == 0);
        require(msg.value == authCodePrice);
       uint randNumber = generateAuthCode(input);
       addAuthCode(randNumber);
    }
                
        ///@notice Returns the number of enrolled learners
        ///@dev Returns a number.
        ///@return Number of student with authorization code.    
    function getNumberOflearners() external view returns (uint) {
        return collectionOfAuthCodes.length;
    }

        ///@notice Function caller receives the money stored in the contract.
    function withdraw() external {
         address payable moneyReceiver = payable(msg.sender); 
        moneyReceiver.transfer(address(this).balance);
    }

        ///@notice Returns all authorization codes.
        ///@dev Returns authorization code stored in the collectionOfAuthCodes array.
        ///@return Authorization codes.
    function getCollectionOfAuthCodes() external view returns(uint[] memory) {
        return collectionOfAuthCodes;
    }   
}

The first line of our code specifies that the source code is licensed under MIT. Machine-readable license specifiers are important for open-source project development.

The next line shows the Solidity version the source code is written for and tells the compiler how to treat the source code.

The next lines show special comments that provide brief and concise explanations about the contract, its functions, and return variables. This special comment is named NatSpec, which stands for Ethereum Natural Language Specification Format.

The contract statement marks the beginning of our Solidity code.

Following the contract statement is an array of type uint named collectionOfAuthCodes, which stores all the authorization codes in our contract. In programming, you use an array when you want to store a collection of a specific data type consecutively.

The next lines introduce a group of state variables of type mapping.

Mapping variables are complex data types with a key-value pair for storing and checking data. The public modifiers attached to our first two mapping variables (authCodeOwner and authCodeOfLearner) will generate functions that give access to their current values. Without this keyword, you will need to define your own getters to have access to their values.

The authCodeOwner mapping variable is used for setting ownership of an authorization code created. The authCodeOfLearner mapping is used to know the authorization code of a specific Ethereum wallet connected to our platform.

As for the authCodeCount mapping, it will be used to determine how many times a specific Ethereum wallet calls our createAuthCode function. It is useful for limiting function calls.

The authCodePrice state variable of type uint stores the wei fee of creating an authorization code. In addition to ether, Ethereum features gwei and wei denominations. I opted for wei denomination as it helps us update authCodePrice’s value with setAuthCodePrice() function. The 2^18 wei in our code corresponds to 2 ETH, which is a hard pill to swallow, but for testing sake, it’s acceptable as it helps us know much money has been debited from a caller’s account.

A realistic fee would be 0.1 to 0.2 ETH, but Ethereum does not recognize decimal numbers. So it makes sense for us that the best workaround solution is to use wei denomination for decimal numbers’ properties. In order to get 0.2 ETH in terms of wei, we just need to divide the wei denomination by 10, which means to remove one zero. Thus, the 0.2 ETH in terms of wei is 2^17 wei.

The next line is an event statement that will be called in the last line of addAuthCode() function. In Solidity, event statements notify the frontend about state changes on the blockchain. You declare a solidity event as follows:

event EventName(parameter1...)

Following the event statement is a list of function declarations. You declare functions as follows:

function nameOfFunction(<parameter types>)  [internal|external]  [pure|view|payable]  [returns (<return types>)]  {/* ... */}

The first public function named setAuthCodePrice() takes a uint variable and enables you to update the authCodePrice variable that represents the fee of creating an authorization code.

The next three functions are used together to generate authorization codes:

The generateAuthCode() generates an authorization code of 9-digits integers by using the Ethereum hash function called keccak256 and type casting the hash as uint. A hash function takes an input and then generates a random 256-bit hexadecimal number. Any change in the input will also change the hash in turn. This is why you need to pack the parameter before invoking keccak256, which requires a single parameter of type bytes. For example

keccak256(abi.encodePacked(parameters))

Given the fact that a hash function always generates the same hash for the same input, two different callers will get the same authorization code if they enter the same input. To fix this, we pass Solidity special variables as additional arguments to the hash function.

In our code, we passed the single parameter of generateAuthCode() as an argument to the keccak256 function in addition to msg.sender, and block.timestamp. In Solidity, msg.sender, is a special variable that refers to the address of the person (or smart contract) that calls a specific function, and block.timestamp provides updated information about the blockchain.

The addAuthCode() function takes the authorization code generated by the previous function, adds it to our array, and sets the authorization code owner to msg.sender, the caller.

The createAuthCode() payable function charges users and contracts for generating authorization codes. Its first required statement ensures this function is executed one time per account. Its second required statement debits the account of the caller and credits our contract. It then invokes the previous functions as follows: generateAuthCode() and addAuthCode().

The getNumberOflearners() function returns the number of learners with an authorization code.

The withdraw() public function transfers the money stored in the contract to the caller.

The getCollectionOfAuthCodes() returns all authorization codes.

Compiling and Deploying a Smart Contract

An EVM (Ethereum Virtual Machine) only reads EVM bytecodes – after completing the previous tutorial, you must compile the contract to generate bytecodes to be sent to the Ethereum network as a deployment transaction to be interpreted by the EVM.

A transaction is a request for code execution and the blockchain contracts’ codes are only executed when an external account calls their functions.

The following sections will cover compiling and deploying a smart contract.

Compiling a smart contract using Remix IDE

To compile a contract:

Go to the Icon Bar.
Click on the Solidity compiler icon. The Side-panel will update with functionalities that you can configure.
Click the below large blue Compile button with your contact’s name.

Deploying a smart contract using Remix IDE

Before deploying your contract, make sure you’ve installed the blockchain simulator Ganache which will allow you to test your smart contracts.

To deploy a contract:

Launch Ganache.
Click on Deploy & Run transactions Icon located in the Icon Bar.
Set your deployment configurations. This will enable you to select Ganache as a blockchain under Environment and switch Ethereum accounts.
Click on Deploy. The terminal will display the transaction details. The amount of ether you own in your selected account will be debited.
Scroll down and click on the angle-bracket under deployed so it expands to show auto-generated buttons representing our contract functions as shown in this image:

Finding the Vulnerability in our Content Access Contract

Once you build a smart contract, the best way of auditing your contract is to test and examine its public and external functions.

This is critical because any other contract or user on the blockchain can interact with yours by using an interface or by calling your exposed functions. The scenario for our test focuses on checking the security of our smart contract.

Here are the test cases:

ID: TC_01

Title: Check authorization code creation by passing an argument to createAuthCode().

Test Steps:

Scroll up to select ether unit under the value field.
Enter the code creation fee, which is 2 ethers.
Scroll down and pass an input as an argument to the createAuthCode() payable function.

The result: The transaction creates an authorization code for the caller, the caller’s account is debited and the contract account is credited.

ID: TC_02

Title: Check authorization code creation by passing an argument to addAuthCode().

Test Steps:

Pass desired digits integers to addAuthCode() and then call it.
Click on the getCollectionOfAuthCodes button.

The result: The transaction creates an additional authorization code for the caller, but the caller’s account is not debited and neither is the contract account credited.

After running these tests, you would see two authorization codes for one account. To verify this, call the authCodeOwner() and authCodeOfLearner() functions generated by the compiler due to the public keywords attached to the mapping variables named authCodeOwner and authCodeOfLearner.

What you’ll notice is that the behavior of our contract is not normal given the fact that our contract should enable only one authorization code per public address. In addition, it should debit accounts creating authorization codes while crediting our contract’s account.

So why do we have this result?

Well, our contract has three functions that work together to generate authorization codes where two of them act as helper functions. We can’t expose them because people may bypass the condition statements implemented in the main function named createAuthCode() that verifies a caller both has the money to generate authorization code and doesn’t have an existing one.

Given the fact that the addAuthCode() is public, a hacker could type random numbers as if it was generated by the generateAuthCode function. They could then set the ownership of the fake authorization code to msg.sender and then slip it into our array.

Thus, the address would have two codes which mean our contract will not act as expected.

To fix these kinds of breaches, we only need to use private visibility modifiers.

As for the following functions, we can’t change their visibility modifiers because we interact with functions that are either public or external. Since we can’t change their visibility, we need to restrict access for the following reasons:

The withdraw() function withdraws the money stored in the contract. Allowing someone else to call it would make it simple for someone to steal from the platform.

The setauthCodePrice() is also an important function – our platform would cease to work if a wrecker replaced the current price with a higher price.

Both getNumberOflearners() and getCollectionOfAuthCodes() are functions that provide information on statistics and as such, should be only called by the real owner.

Though using appropriate visibility modifiers can help you secure smart contracts, they have some limits. In the next article, I will provide you with more details on modifiers and restrictions to use so as to fix the vulnerabilities of our contract.

Conclusion

Visibility modifiers play an important role in smart contract security. Using the wrong visibility modifiers can introduce vulnerabilities that could end up costing you a lot of money. As you’ve seen in this article, understanding how visibility modifiers work and applying the right one to your smart contract’s variables and methods is crticial to building secure dApps. To learn more about how Solidity visibility modifiers work please check out our detailed breakdown.

Bobby Gill

Co-Founder & Chief Architect at BlueLabel | + posts

Bobby Gill is the co-founder and Chief Architect of BlueLabel, an award winning digital product agency headquartered in New York. With over two decades of experience in software development, he is a seasoned full-stack engineer, software architect, and AI practitioner. Bobby currently leads the BlueLabel AI/ML practice, where he is leading a team of engineers operationalizing the transformational capabilities of generative AI within BlueLabel and for a number of enterprise clients.

Are You Using AI In Your Job?