A smart contract security audit provides a detailed analysis of a project’s smart contracts. These are important to safeguard the funds invested through them. As all transactions on the blockchain are final, funds cannot be recovered in the event of theft. Typically, auditors will examine the smart contract code, produce a report, and provide it to the project to work with. A final report is then published, detailing any outstanding bugs and work already done to address performance or security issues.
Smart contract security audits are very common in the decentralized finance (DeFi) ecosystem. If you have invested in a blockchain project, your decision may have been based in part on the results of a smart contract code review.
While most people understand the importance of auditing for cybersecurity, not many dive into lines of code. Let’s take a look at the methods, tools, and results typically seen in smart contract security audits so you can make more informed decisions.
What is a smart contract audit?
A smart contract security audit examines and comments on a project’s smart contract code. These contracts are typically written in the Solidity programming language and are provided through GitHub. Security audits are particularly valuable for DeFi projects that hope to handle millions of dollars worth of blockchain transactions or a large number of players. Audits typically follow a four-step process:
- Smart contracts are provided to the audit team for initial analysis.
- The audit team presents its findings to the project for action.
- The project team makes changes based on the problems found.
- The audit team publishes its final report, considering any new changes or pending errors.
For many cryptocurrency users, smart contract audits are essential when investing in new DeFi projects. It has become a standard for projects that want to be taken seriously. Certain audit providers are also seen as industry leaders, making their audits more valuable in the eyes of investors.
Why do we need smart contract audits?
With large amounts of value traded or locked in smart contracts, they become attractive targets for malicious attacks by hackers. Minor coding errors can lead to the theft of large sums of money. For example, the DAO hack on the Ethereum blockchain took approximately $60 million worth of ETH and even led to a hard fork of the Ethereum network.
Since blockchain transactions are irreversible, it is essential to ensure that a project’s code is secure. The highly secure nature of Blockchain technology makes it difficult to recover funds and troubleshoot after the fact, so it’s best to prevent vulnerabilities at all costs.
How do smart contract audits work?
The process of auditing a smart contract is pretty standard among audit providers. While each auditor’s approach may differ slightly, the typical process is as follows:
Determine the scope of the audit. The smart contract and project specifications are defined by the project (its intended purpose) and the overall architecture. A specification helps the audit team understand the goals of the project when writing and using the code.
Please provide an initial quote based on the amount of work required.
Run tests. Its exact nature will change depending on the audit team, its analysis tools, and its methods. Both manual and automated tests are usually carried out.
Create a first draft of the report with any bugs found and give it to the project team for follow-up feedback and corrections.
Publish the final report, considering any actions taken by the team to address the issues raised.
Smart contract audits are not just focused on blockchain security. They also look at efficiency and optimization. Some contracts make a complicated series of transactions to complete their intended function. Since gas fees on networks like Ethereum are relatively expensive, efficient contracts can save a lot on transaction costs.
Optimizing its performance is also an indicator of developer skill. Inefficient steps provide more points to fail and should be avoided. When gasoline costs are high, smart contracts may not execute, even more so when using a low gasoline limit.
Most audit work involves checking contracts for security vulnerabilities. While some problems may be easy to see, many exploits involve advanced techniques and strategies to drain funds. For example, market manipulation can be used with weak smart contracts to perform quick lending attacks. To find these issues, the auditors initiate the crack test process and simulate malicious attacks on the smart contract. Common vulnerabilities include:
Re-entry issues: When a smart contract makes an external call to another external contract before the effects are resolved. The external contract can then recursively call the original smart contract and interact with it in ways it shouldn’t, since the balance of the original contract hasn’t been updated yet.
Integer overflows and underflows: When a smart contract performs an arithmetic operation, but the output exceeds the storage capacity (usually 18 decimal places). This can lead to incorrect amounts being calculated.
Early Execution Opportunities: Poorly structured code can provide early warning of market buys or sells. This, in turn, may allow others to use the information and trade it for their own benefit.
Platform security flaws
Most audits include looking at the network hosting the contracts and even the API used to interact with the DApp. A project may be vulnerable to a DDoS attack or have its website UI compromised, meaning users will actually connect their wallets to malicious blockchain applications.
What is an audit report?
The audit report is provided at the end of the audit process. For greater transparency, projects are expected to share their findings with the community. Most reports classify issues by severity, such as critical, major, minor, and so on. The report will also list the status of the issue, as projects have time to resolve issues before the final report is released.
Along with an executive summary, a standard report will contain recommendations, redundant code examples, and a full breakdown of where coding errors exist. The project is given time to act on the report’s findings before the final version is published.
Where can I get a smart contract audit?
Various smart contract auditing services have become known for their service. Two are particularly popular, and getting an audit of them will require an initial quote and submission of information.
CertiK is an industry leader when it comes to smart contract audits. Hundreds of projects have audited their smart contracts with them. PancakeSwap, BSC’s largest Automated Market Maker (AMM), is one example. Below is a section of Certik’s audit on PancakeSwap.
Additionally, the vast majority of projects supported by Binance Labs have had their contracts audited by CertiK. CertiK publishes a leaderboard of audited projects that allows you to compare each one, along with a security score. Please note that in addition to Ethereum, CertiK also covers BSC and Polygon projects.
Led by Joseph Lubin, co-founder of Ethereum, ConsenSys is one of the cryptocurrency industry’s biggest names in blockchain development. Under ConsenSys Diligence, the company offers Ethereum smart contract audits. They also provide an automated service that checks Ethereum Virtual Machine (EVM) contracts for common errors.
How much does a smart contract audit cost?
The exact cost of an audit depends on the number of smart contracts to verify. Typically, an audit will cost thousands of dollars. A particular large project can easily cost more than $10,000. The auditing company that performs your audit and its reputation will also affect how much you pay.
Fortunately for investors and users, smart contract audits have become a gold standard. However, when every project has one, it is no longer an easy indicator of value. That’s why it’s incredibly important to read the audit yourself. Even if you don’t have the technical knowledge, it’s helpful to take a look at the feedback and the severity of potential issues.
When you come across an audit, you should now at least have an easier time understanding its content. As always, make sure any investment decision considers the big picture and takes all information into account.