What is OpenZeppelin? Developer's Guide

Written by Alchemy

Reviewed by Brady Werkheiser

Published on April 25, 20225 min read

---

What is OpenZeppelin?

OpenZeppelin is a crypto cybersecurity technology and services company. They provide an open-source framework for building secure smart contracts as well as comprehensive security audits for some of the largest DeFi and NFT projects. Their clients include notable projects such as the Ethereum Foundation, Coinbase, and Brave. 

Beyond audits, OpenZeppelin aims to bring greater security to the DeFi ecosystem by providing smart contract developers with a library of security tools. These products allow smart contract developers to focus more on deployment and less on security, allowing for faster launches and greater reliability. 

Today, OpenZeppelin powers over 3,000 public projects with its products. 

What are smart contracts?

Smart contracts are programs that are stored and run on the blockchain. Like real-world contracts, they describe agreements and set rules. However, they can also automatically enforce them. 

This “smart” behavior is possible because the terms of these agreements are written and executed as code on the blockchain. On Ethereum, the most popular smart contract platform, smart contracts are just like any account in that they have their own balance and can create transactions. 

Other users can send and receive funds from these smart contracts as well. Unlike normal contracts, these smart contracts are generally irreversible and cannot be deleted once deployed. 

Smart contracts are what enable developers to create decentralized applications and tokens. Much of the infrastructure required of decentralized finance is based on smart-contracts, making complex financial processes such as insurance or lending possible. 

Why do we need OpenZeppelin?

It goes without saying that security is key to any decentralized application. 

Previously, project teams often had to write their own security infrastructure, leading to developers often “reinventing the wheel.” 

While writing smart contracts from scratch can be a nice learning exercise, it can be a dangerous practice in production. For smart contracts to be secure, they must be robust and that cannot be achieved in vacuum. It takes time and usage to ensure reliability; something not achievable from the get go especially for smaller projects.

With no clear standard for DeFi security, it becomes difficult to recognize a secure project. With each protocol coming with its own contract implementation, it becomes difficult to verify or recognize whether a protocol is even safe. 

Additionally, given how lucrative DeFi projects can be, it's not unheard of for developers to pass on security in favor of a quick launch. 

A classic example is YAM Finance, the now notorious yield farm sensation, that decided to forgo an expensive security audit. The YAM Finance protocol was created in just 10 days, and after just 48 hours after its launch it had already  accumulated $600M in assets.

However, due to a security liability found in its smart contract protocol, it had to be shut down. Given that user’s funds are at stake, a lack of security adherence can become disastrous.

While security audits are key to minimizing potential security vulnerabilities, they aren’t enough, especially in the case of YAM Finance. Quickly made projects like YAM are rarely going to undergo security audits given the cost, making it important for developers to have the right security tools from the start. 

What functionality does OpenZeppelin offer?

OpenZeppelin mitigates events like these by providing developers with out-of-box security tools and infrastructure. These products allow smart contract developers to continue focusing on deployment, rather than reinventing the wheel with their security infrastructure. 

The OpenZepplin team likes to say a sound security foundation can now “take minutes instead of months.”

OpenZeppelin has two main products, Contracts and Defender.

OpenZeppelin’s Contracts is a library of secure smart contracts for Ethereum and other blockchains that developers are free to use. 

These open source templates are community reviewed and use the most up to date security practices. One way OpenZeppelin achieves this is through their bug bounty hunter program where the community can be rewarded for finding security vulnerabilities in OpenZeppelin’s contracts

By reusing audited OpenZeppelin contracts, projects can greatly reduce their attack surface area. Attack surface area being the number of different points where an unauthorized party could theoretically attack. Further, given their modularity and standardization, collaboration and audits are significantly easier.

OpenZeppelin also provides an interactive contract generator with their Contracts Wizard. Developers can use the Wizard to create contracts using components from OpenZeppelin. Additionally, the Wizard lets you specify the type of contract (ex. ERC20), parameters and features. 

Once finished, the Wizard will generate the corresponding code ready to be deployed.

Here are a few examples of some of OpenZeppelin’s many built-in functionalities:

• Access Control: OpenZeppelin’s access control allows developers to easily configure essentially who is allowed to what in their system. This infrastructure is critical to the security of any project as a failure could lead to a system effectively being stolen. 

OpenZepplin Contracts provides both simple single administrator ownership and flexible Role-Based Access Control functionality. Using these features, developers can safely assign who can mint tokens, vote on proposals, freeze transfers, and other protected functions.

• Governance: OpenZeppelin’s Governor contract provides an out of box governance protocol. On-chain governance is necessary for truly decentralized protocols and has become a central component to many. Community governance can decide important decisions, such as parameter tweaking, smart contract upgrades, integrations with other protocols, treasury management, grants, etc. Since OpenZeeplin’s Contracts are highly modular, changes can often be introduced by creating new modules using Solidity inheritance, removing the need for a hard fork. 

• Tokens: OpenZeppelin has token contracts for many of the most common Ethereum standards, such as ERC20 and ERC721. Using this infrastructure, developers can deploy their own tokens along with many other capabilities like price monitoring, specified token transfer methods, purchase authentication, etc.

‍

Defender is OpenZeppelin’s web-based security operations (SecOps) platform. Defender simplifies deployment and administration of smart contracts, by helping developers automate much of the operations associated with running Ethereum decentralized applications.

The platform comes with many features such as web-based back end integrations, automated tasks, and manual contract interaction. Developers can build right on the Defender platform which gives them a sound security foundation from the get-go.

“Multiple exploits we’ve seen in DeFi this year, such as those in YAM, Uniswap, dForce, and Hegic, could have been avoided or reduced by following a careful security process, but teams lack a comprehensive system that fully informs them on security best practices and how to assess risk.” -OpenZeppelin’s Chief Technology Officer, Jonathan Alexander

According to OpenZeppelin, the user funds lost major exploits like the bZx and Opyn hacks, could have been reduced with the type of quick response tool possible with Defender.

What does OpenZeppelin achieve for DeFi? 

OpenZeppelin is laying the groundwork for more secure decentralized applications, as they remove the need for developers to handle their own security. With baked-in security functionality, developers will be able to continue building fast, at no cost to security. This is incredibly important as attacks and DeFi systems become more complex.

As OpenZepplin emerges as a security standard for smart contracts, it helps to minimize trust across DeFi. People often talk about 0% trust, whereas no trust is required between parties. In the case of DeFi protocols, this is unrealistic.

You’re always trusting some party whether it's a team, a DAO, or an auditor. While this may sound problematic, compared to traditional banking, this is a far more transparent process, as you can still always read the code in DeFi. 

Damian Bermer, CEO of OpenZeppelin, argues that we should aim towards a goal of trust minimization rather than 0%. 

Trust minimization narrows down the pieces that we are trusting and can’t see. We can see the code executed on-chain. But even with the most trust minimized DeFi platforms, what things do we still have to trust? The best way to scale DeFi is to get to a place of massive trust minimization. -Damian Bermer

By providing open source security resources, OpenZeppelin is able to minimize trust for the ecosystem as less new code is created for each protocol. With security infrastructure becoming more trusted, far less certainty will remain regarding Defi projects’ security, allowing for greater adoption and scale.

Deploy your own smart contract with Alchemy

OpenZeppelin smart contracts are secure, community-vetted, and battle-tested. Sign up for Alchemy and get started deploying your first smart contract today!