A smart contract audit is a line-by-line inspection of a contract’s code. Smart contract code review aims to find security vulnerabilities and code inefficiencies. Auditors propose solutions to the issues encountered during the audit and recommend ways for clients to remediate vulnerabilities.
Why are smart contract audits important?
Smart contracts are self-executing, which means the terms of the agreement are written directly into code. Because they run on blockchain networks, they are also immutable and cannot be altered once deployed. This makes them highly secure, but also means that errors in the code can have serious consequences. By undergoing pre-deployment audits, developers can ensure that their smart contracts are secure and reliable, and function as intended.
Decentralized finance (DeFi) applications powered by smart contracts secure billions of dollars of value. However, they’re mostly unintelligible to anyone who hasn’t learned one of the programming languages they’re written in. And these languages are brand new: Solidity — the first fully-featured smart contract programming language — is less than a decade old.
As most people who interact with smart contracts are unable to read them, there is a strong and growing need for smart contract auditing services.
Smart contract audits cannot be treated as an afterthought. Security should be integrated into all steps of the development process from the very beginning. This ensures that there is sufficient time for a maximally thorough audit, and time for any issues to be resolved before a project launches. As the saying goes, prevention is better than a cure, and smart contract audits help Web3 teams avoid costly errors that can run into the millions of dollars.
How does a smart contract audit work?
The smart contract auditing process is a collaborative one, and utilizes a number of different inspection techniques. First, we receive the contracts to be audited from the client. Next, we begin our vulnerability inspection. Depending on the needs of the client, this can include up to three parts: manual review, AI review, and formal verification.
Our formal verification engine is an automated process that checks every variable of a smart contract against each possible value it may have. It calculates every possible state of a smart contract. Imagine visualizing thousands of parallel universes simultaneously, each with one specific thing changed. The formal verification engine raises the alarm about issues that may affect the logical integrity of the contract.
Manual review is exactly what it sounds like: our team of smart contract auditors go through each line of code. They meticulously inspect it for known vulnerabilities and code errors. You’ll find a list of some of the most common security flaws we encounter in the course of our smart contract audits below.
After preparing a vulnerability summary, our auditors send their report to the project team, along with their recommendations for alleviating any issues found. If the client resolves these issues, we mark them as such. If not, we highlight all outstanding risks in our final report.
These reports are publicly-available, which allows projects to demonstrate their commitment to security. Users can read these reports to understand the risks they may be taking on by getting involved with a project.
What is a security vulnerability?
A security vulnerability is anything that has the potential to affect the smooth and safe functioning of a smart contract. This could be an error in the calculation of a variable, unnecessary privileges granted to a centralized address, and much more.
Our smart contract audit reports classify smart contract vulnerabilities into five categories:
- Critical
- Major
- Medium
- Minor
- Informational
Critical risks are those that impact the safe functioning of a platform and must be addressed before launch. Users should not invest in any project with outstanding critical risks.
Major risks can include centralization issues and logical errors. Under specific circumstances, these major risks can lead to loss of funds and/or control of the project.
Medium risks may not pose a direct risk to users’ funds, but they can affect the overall functioning of a platform.
Minor risks can be any of the above, but on a smaller scale. They generally do not compromise the overall integrity of the project, but they may be less efficient than other solutions.
Informational errors are often recommendations to improve the style of the code or certain operations to fall within industry best practices. They usually do not affect the overall functioning of the code.
What types of vulnerabilities are found in a smart contract audit?
Our audit team find vulnerabilities of all severities during their inspections. The top five most common vulnerabilities found during a smart contract security audit are:
Centralization risks
Centralization is a risk both to project owners and users. If a single address is granted executive privileges and later has its private key compromised, developers are at risk of losing control of their project and users are at risk of losing control of their money.
Projects that exit scam with their investors’ funds often take advantage of centralized privileges. Avoiding unnecessary centralization is one way that newly-launched projects can begin building trust with their community.
Giving executive privilege to a decentralized autonomous organization (DAO) is one way to allow a project’s tokenholders to control its future.
Timelocks are another option, though they do not necessarily reduce centralization. Instead, they set a minimum amount of time (e.g. 24 hours) before any changes to the protocol can be enacted. This gives users time to review the changes and, if needed, safeguard their liquidity.
Missing event emissions
Certain smart contract functions should emit events after they are called. These emissions change the status of sensitive variables or call important processes. They are not necessarily required for a function to execute properly the first time, but they are needed for it to execute every other time.
Unlocked compiler version
A compiler converts high level source code to a lower level language so that it may run as an executable. Solidity — the language in which Ethereum smart contracts are written — utilizes a compiler. There are a number of versions of the Solidity compiler, and new versions are frequently released with new features.
Smart contracts should specify and lock the version of the compiler they use. An unlocked compiler version in the source code of a contract permits a user to compile it at or above a particular version. This leads to differences in the generated bytecode between compilations due to differing compiler version numbers.
Lack of proper input validation
Validating inputs (i.e. ensuring that a certain variable in a function is greater than zero) limits the functionality of an executable to a set of known possibilities. Since smart contracts are deployed in their entirety and users can view and interact with every variable, limiting their ability to create unknown, potentially malicious events is an essential process.
Reliance on third-party dependencies
Reliance on third-party dependencies should be avoided as much as possible. A developer can only control the security of their own code, not that of the external contracts with which theirs interact. Interoperability magnifies the power and potential of smart contracts, but it also requires that they all meet a certain standard of security and decentralization.
What is security risk scoring?
You might have noticed that projects on the Security Leaderboard are ranked according to their security score. A project that resolves any vulnerabilities found during its smart contract audit prior to launch will score higher than one that goes live with unaddressed risks.
Enabling real-time analysis tools such as Skynet will also boost a project’s ranking. These blockchain security tools allow for a wealth of up to the minute data to be taken into account. You can check out the factors that influence a project’s security score on its page on the Security Leaderboard.
How long does a smart contract audit take?
The time it takes to complete a smart contract security audit depends on the length and complexity of the code. Our audit team works closely with clients to understand their needs and provide a comprehensive audit in as short a timeframe as possible.