A smart contract security audit provides a detailed analysis of a project's smart contracts. These are important to safeguard funds invested through them. As all transactions on the blockchain are final, funds cannot be retrieved should they be stolen. Typically, auditors will examine the code of smart contracts, produce a report, and provide it to the project for them to work with. A final report is then released, detailing any outstanding errors and the work already done to address performance or security issues.
Smart contract security audits are very common in the Decentralized Finance (DeFi) ecosystem. If you've invested in a blockchain project, your decision might have been partly based on the results of a smart contract code review.
While most people understand the importance of audits for cybersecurity, not many dive into the lines of code. Let's take a look at the methods, tools, and results typically seen in smart contract security audits so that you can make more informed decisions.
What Is a Smart Contract Audit?
A smart contract security audit examines and comments on a project's smart contract code. Typically, these contracts are written in Solidity programming language and provided via GitHub. Security audits are particularly valuable for DeFi projects that expect to handle blockchain transactions worth millions of dollars or a huge amount of players. The audits usually follow a four-step process:
1. Smart contracts are provided to the audit team for initial analysis.
2. The audit team presents their findings to the project for them to act upon.
3. The project team makes changes based on the issues found.
4. The audit team releases their final report, considering any new changes or outstanding errors.
For many crypto users, smart contract audits are essential when investing in new DeFi projects. It's become a standard for projects that want to be taken seriously. Certain audit providers are also seen as industry leaders, making their audits more valuable in investors' eyes.
Why Do We Need Smart Contract Audits?
With vast amounts of value transacted through or locked in smart contracts, they become attractive targets for malicious attacks from hackers. Minor coding errors can lead to huge sums of money being stolen. For example, the DAO hack on the Ethereum blockchain took roughly 60 million dollars worth of ETH and even led to a hard fork of the Ethereum network.
Since blockchain transactions are irreversible, making sure that a project's code is secure is essential. Blockchain technology's highly secure nature makes it difficult to retrieve funds and resolve issues after the fact, so it’s better to prevent vulnerabilities at all costs.
How to Audit a Smart Contract?
The process of a smart contract audit is fairly standard among audit providers. While each auditor's approach may differ slightly, the typical process is as follows:
1. Determine the scope of the audit. The smart contract and project specifications are defined by the project (their intended purpose) and the overall architecture. A specification helps the audit team understand the project's goals when writing and using the code.
2. Provide an initial quote based on the amount of work needed.
3. Run tests. Their exact nature will change depending on the auditing team, their analysis tools, and their methods. Usually, both manual and automated tests are carried out.
4. Create a first draft of the report with errors found and provide it to the project team for feedback and follow-up fixes.
5. Publish the final report, considering any action taken by the team to address raised issues.
Smart contract audit methods
Smart contract audits don't focus only on blockchain security. They also look at efficiency and optimization. Some contracts make a complicated series of transactions to complete their intended function. With gas fees on networks like Ethereum being relatively costly, efficient contracts can save a lot on transaction costs.
Optimizing their performance is also an indicator of the developer's skill. Inefficient steps provide more points for failure and should be avoided. When gas costs are high, smart contracts may fail to execute, even more so when a low gas limit is used.
Most of the work in audits involves checking contracts for security vulnerabilities. While some issues can be easy to see, many exploits involve advanced techniques and strategies to drain funds. For example, market manipulation can be used with weak smart contracts to conduct flash loan attacks. To find these issues, auditors start the break testing process and simulate malicious attacks on the smart contract. Common vulnerabilities include:
1. Reentrancy issues: When a smart contract makes an external call to another external contract before any effects are resolved. The external contract can then recursively call the original smart contract and interact with it in ways it shouldn't be able to, as the original contract’s balance hasn't yet been updated.
2. Integer overflows and underflows: When a smart contract carries out an arithmetic operation, but the output exceeds the storage capacity (usually 18 decimal places). This can lead to incorrect amounts being calculated.
3. Front running opportunities: Badly structured code can provide forewarning of market purchases or sales. This, in turn, can allow others to use the information and trade on it for their own benefit.
Platform security flaws
Most audits include looking at the network hosting the contracts and even the API used to interact with the DApp. A project may be vulnerable to a DDoS attack or have its website UI compromised, meaning users will actually connect their wallets to malicious blockchain applications.
What Is an Audit Report?
The audit report is provided at the end of the audit process. For transparency, projects are expected to share their findings with the community. Most reports categorize issues by severity, such as critical, major, minor, etc. The report will also list the issue's status, as projects are given time to resolve them before the final report's release.
Along with an executive summary, a standard report will contain recommendations, examples of redundant code, and a full breakdown of where coding errors exist. Time is given to the project to act on the report's findings before the final version is released.
Where Can I Get a Smart Contract Audit?
A number of smart contract audit services have become well-known for their service. Two are particularly popular, and getting an audit from them will require an initial quote and handover of information.
CertiK is one of the industry leaders when in smart contract auditing. Hundreds of projects have audited their smart contracts with them. PancakeSwap, BSC's largest Automated Market Maker (AMM) is one example. Below is a section of Certik’s audit on PancakeSwap.
Also, the vast majority of projects supported by Binance Labs have audited their contracts with CertiK. CertiK releases a leaderboard of audited projects that allows you to compare each one, along with a safety score. Note that, apart from Ethereum, CertiK also covers BSC and Polygon projects.
Run by Joseph Lubin, a co-founder of Ethereum, ConsenSys is one of the cryptocurrency industry's biggest names in blockchain development. Under ConsenSys Diligence, the company offers Ethereum smart contract audits. They also provide an automated service that checks Ethereum Virtual Machine (EVM) contracts for commonly found mistakes.
How Much Does a Smart Contract Audit Cost?
The exact cost of an audit depends on the number of smart contracts to be checked. Typically, an audit will run into thousands of dollars. A particular large project can easily cost over $10,000. The audit company running your audit and its reputation will also affect how much you pay.
Fortunately for investors and users, smart contract audits have become a golden standard. However, when every project has one, it’s no longer an easy indicator of value. This is why it’s incredibly important to read the audit yourself. Even if you don’t have the technical knowledge, it’s helpful to take a look at the comments and severity of potential issues.
When you do come across an audit, you should now at least have an easier time understanding its contents. As always, make sure that any investment decision looks at the whole picture and takes all information into account.