Understanding Smart Contracts: Read, Write, and Audit

AdvancedNov 26, 2023
This article covers smart contract programming techniques, including guidelines for reading, writing, and auditing. Understanding the structure and code blocks of smart contracts is the first step to writing them in Solidity or other languages. Given that smart contracts are central to Decentralized Finance (DeFi) and Decentralized Applications (DApps), ensuring their security and flawlessness is crucial, with smart contract audits playing a key role.
Understanding Smart Contracts: Read, Write, and Audit

Reading smart contracts

Smart contracts are programmable bits of code that execute only when a set of conditions are met. They are synonymous with legally binding real-world contracts; only in this case, the code is the law. As smart contracts reside on the blockchain, they are immutable — they cannot be tampered with. It is this immutability quotient that makes smart contracts special, among other things.

Understanding smart contracts: basics and purpose

Smart contracts are meant to automate blockchain-specific transactions. As they are condition-specific contracts, they do not require intermediaries. What makes smart contracts useful is their compatibility across a wide range of use cases, including financial services, supply chain management, and more. And unlike traditional chunks of code that are programmed at a clip, smart contracts require highly secure and time-intensive strategies.

How smart contracts align with blockchain technology: BeInCrypto

“The buzzword “web3” suggests the lax, security-poor programming habits of the web. When crypto or smart contracts are programmed like a web page, they are doomed. Sustainably successful blockchains and their apps are based on far more secure, careful, and slow programming methods.”

Nick Szabo, cryptographer and computer scientist: Twitter

Smart contracts can work with blockchain-specific tokens, say ERC-20 for the Ethereum blockchain, incentivizing efforts and moving transactions around. As code, conditions, and costs are involved, you should be careful about reading, writing, and auditing them.

Smart contracts and their significance

The real significance of smart contracts concerns their nature and positioning. For a given scenario — say a person A moving funds to person B when B completes a service — a copy of the smart contract is saved and executed by the blockchain nodes. Smart contracts are saved as contract codes within the chain. This multi-path validation is a blockchain-centric trait and keeps things secure.

Additionally, there exists sequential or synchronous smart contracts and asynchronous smart contracts where tasks are executed in parallel. Therefore, the type and purpose of a smart contract determines how it is written, read, or even audited.

Traditional contracts, property deeds, wills, etc. are private law, “drafted by private persons rather than politicians or government bureaucrats.” Smart contracts are a new form of such decentralized rulemaking.https://t.co/EU2Y28FznK
— Nick Szabo (@NickSzabo4) March 15, 2018

Let us consider a standard smart contract-governed liquidity pool.

Imagine that the pool of tokens can be used for trading, and every time there is a successful trade happening, 0.3% of the total trade value is sent to the liquidity provider who made that trade possible or added liquidity for that given tradable asset. All the conditions highlighting the trade scenarios, trading fees, and conditions of non-compliance and trade failures are coded as a smart contract, which is stored within the chain as a contract code.

Characteristics of smart contracts

We cannot dive deep into reading, writing, and auditing contracts if we aren’t aware of their characteristics. Here are the standard smart contract traits to be aware of:

A few traits of a standard smart contract: BeInCrypto

Programmable contracts

Smart contracts are simply pieces of code. You can write smart contracts to execute commands and scenarios based on specific conditions. This is why smart contract developers and programmers are currently in demand, as most of the DeFi space already relies on smart contracts to process complex instances like handling trading fees across liquidity pools, maintaining APY ratios, and more.

Trustless

Smart contracts residing on the blockchain eliminate human intervention. This makes them entirely trustless. For instance, if a specific DeFi protocol, governed by smart contract(s), agrees to liquidate your assets once the value falls under a threshold, no human intervention can or should stop it. The code handles payment, performance, management, and rule enforcement, making the entire space completely trustless.

Autonomous

As mentioned earlier, smart contracts are loaded with self-executing instruction sets. In terms of coding, this means having iterations and loops built within the boilerplate. This ensures that tasks like payment, withdrawals, deposits, penalizing validators via slashing, and several other tasks are autonomously handled.

Secured

And finally, as smart contracts are secured using cryptography, breaching them is insanely difficult. Without a built-in vulnerability, bypassing a smart contract would mean trying to breach it in the open, in front of the entire blockchain.

Verifiable

Transactions processed via smart contracts are self-verifiable. This means that execution is proof enough that the transaction happened in the first place, as no human element is involved. The self-verifiable mechanism gives smart contracts an edge over traditional contracts governing legacy banking setups.

So the next time you plan on reading a smart contract, ensure that the boilerplate or the documentation has all the mentioned characteristics involved.


A simplified version of smart contracts: Reddit

Reading smart contracts based on the characteristics

Here is a simple, smart contract representing an Escrow account. Users deposit their funds in the escrow, which then moves the same to the receiver after a particular time frame.

/ SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

// Basic Smart Contract Boilerplate

contract SimpleTrustlessEscrow {

// State variables

address public depositor; // Account depositing ether

address payable public beneficiary; // Account receiving ether

uint256 public releaseTime; // Timestamp to release ether

// Events for verifying contract activity

event Deposited(address indexed _from, uint256 _value);

event Released(address indexed _to, uint256 _value);

// The contract constructor initializes the smart contract

constructor(address payable _beneficiary, uint256 _releaseTime) {

    require(_releaseTime > block.timestamp, “Release time must be in the future”);

    // Secure and Trustless: Contract binds depositor and beneficiary

    depositor = msg.sender;

    beneficiary = _beneficiary;

    releaseTime = _releaseTime;

}

// Deposit function – autonomous execution (fallback function)

receive() external payable {

    emit Deposited(msg.sender, msg.value);

}

// Release the ether to the beneficiary

function release() public {

    // Programmable: Can only be executed after releaseTime

    require(block.timestamp >= releaseTime, “Too early to release”);

    // Autonomous: Automatically executes based on condition

    uint256 amount = address(this).balance;

    beneficiary.transfer(amount);

    emit Released(beneficiary, amount);

}

}

While we will get to deciphering and reading this smart contract in detail, let us first check if the same adheres to the mentioned contract characteristics.

The “programmable” part

Look at the contract closely for this piece of code:

require(block.timestamp >= releaseTime, “Too early to release”);

uint256 amount = address(this).balance;

beneficiary.transfer(amount);

The funds are to be released only when a specific releaseTime condition is met, making these programmable contracts.

The “trustless” part

Here is a quick code snippet from the above:

depositor = msg.sender;

beneficiary = _beneficiary;

releaseTime = _releaseTime;

In the contract, everybody is code-bound from the depositor to the person receiving the funds. No one needs to interact with or trust the other as the function of transferring funds is bound by releaseTime — a code-based parameter.

The “autonomous” part

Here is the “fund release” part of the code:

 function release() public {

require(block.timestamp >= releaseTime, “Too early to release”);

uint256 amount = address(this).balance;

beneficiary.transfer(amount);

emit Released(beneficiary, amount);

}

The entire process is autonomous, as funds are only released only when the releaseTime meets a certain criterion. Notice that the code isn’t partially programmable but fully autonomous.

Other elements of the smart contract code, including the deposit function, can also be made completely autonomous depending on the features you want to include. For instance, you can start a recurring deposit plan every time the user’s wallet crosses $100, with the excess amount moving to the beneficiary.

The “secured” part

Concerned as to which element lends security to the contract? Check out this part of the code:

constructor(address payable _beneficiary, uint256 _releaseTime) {

require(_releaseTime > block.timestamp, “Release time must be in the future”);

depositor = msg.sender;

beneficiary = _beneficiary;

releaseTime = _releaseTime;

}

Notice how there is a set precedence of the releaseTime function in relation to the timestamp. Nothing is random, and conditions must be met.

The “verifiable” part

Every transaction associated with the smart contract is logged within the chain, courtesy of separate log activity elements.

event Deposited(address indexed _from, uint256 _value);

event Released(address indexed _to, uint256 _value);

emit Deposited(msg.sender, msg.value);

emit Released(beneficiary, amount);

Reading other parts of a smart contract

Now that we have identified the elements that define the characteristics of a smart contract, here are the other contract elements to help you understand the drill better.

Pragma solidity ^0.8.0; – The version of the Solidity programming language needed to write this smart contract.

// SPDX-License-Identifier: MIT – Termed Software Package Data Exchange, this identifier states the license of the code release. It is advisable to include this to let people know if it’s open source and can be worked around or not.

Contract TimeLock { – Assigns name to the smart contract, like a label.

Address public depositor; – As the contract involves a depositor and a beneficiary, this is the point where public address of the depositor is mentioned. This variable is the Ethereum wallet address and is publicly viewable.

Address payable public beneficiary; – This is the public address of the beneficiary where the escrow transfers funds. It is also readable and lends a sense of transparency to blockchain-powered smart contracts.

Uint256 public releaseTime; – As it is a time-bound contract, the uint256 assigns the time-based variable to the contract. This will be the timeframe according to which the fund releases will happen.

In Solidity, uint (unsigned integer) is the way to assign integer-based values. The suffix 256 stands for large storage of numbers.

after 5 years of writing smart contracts i am only today realizing that the solidity logo is the ethereum logo unfolded 🤯 pic.twitter.com/wlM369Eff9
— kaden.eth (@0xKaden) July 8, 2023

You can consider reading Solidity documentation to get acquainted with the syntax, expressions, and other code elements.

Other elements

constructor(address payable _beneficiary, uint256 _releaseTime) { – The “Constructor” is a one-time special function that gets called when the smart contract is deployed. It sets the contract in motion. Notice how at this point, all the address variables that we previously declared are called and initialized.

Receive() external payable { – This is a special function called when funds move to the contract address from outside. External suggests from outside, and “Payable” defines the nature of the move, that is, to receive ERC-20 tokens.

Function release() public { – This is a public function that states the movement of ERC-20 tokens from the contract address to the beneficiary. This function depends on releaseTime.

All these elements are parts of the hypothetical Escrow contract that we discussed. Ensure you go through the entire Solidity documentation to learn about the language better.

Know the elements before you plan to write smart contracts: BeInCrypto

DApps and smart contracts: the relation

By now, you should have a headstart in reading and understanding an already-written smart contract. And many smart contracts like the ones we discussed make the backend of a decentralized application — a blockchain version of a standard mobile application.

Every characteristic of a smart contract, including contract security, autonomous and programmable execution, trustlessness of transactions, and more, is readily implemented while developing a decentralized application. So the next time you stumble upon a DApp, note that it is a smart contract-powered backend hosted on the blockchain — helping you initiate multiple tasks without human intervention. Smart contracts form the logic of DApps.

Blockchains for smart contracts

We know that Ethereum lets you develop smart contracts, like a massive software solution. However, it isn’t the only blockchain protocol around. If you want to dive deep into the world of smart contract development, you might want to look at other blockchains. Different blockchains have different parlances when it comes to chalking out contracts.

But first, let us discuss Ethereum — the go-to platform for most smart contract developers.

Ethereum

Smart contracts on Ethereum are written in the Solidity programming language. And the token interface for this smart contract development platform is ERC-20.

You can circle back to the Escrow-based smart contract that we discussed earlier to see how a standard Etheruem-based smart contract is written.

Even launching an ERC-20 token on the Ethereum blockchain is a smart contract-intensive feature, something we shall discuss in depth while writing a smart contract.

Here is what a basic code structure looks like, provided we plan to launch a new cryptocurrency BIC.

Consider this a hypothetical scenario. Not exactly launching a BIC cryptocurrency.

pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
contract BICToken is ERC20 {
    constructor(uint256 initialSupply) ERC20("BIC Token", "BIC") {
        _mint(msg.sender, initialSupply);
    }
}

We shall discuss every element of this code later when writing our smart contract.

Other blockchains

Like Ethereum, you can even create smart contracts on platforms like Solana, using Rust and Cardano, using Plutus, a subset of Haskell — a functional programming language.

“Does Cordona even have smart contracts?”
Jokes on you, pal. #CardanoADA pic.twitter.com/j8SXCu72Sd
— Willybot 🇦🇺 (@wilbot28) July 9, 2023

Here is what a code structure in Rust (Solana) looks like:

Note: It is a simple contract where a counter gets incremented.

use anchor_lang::prelude::*;

declare_id!(“Fg6PaFpoGXkYsidMpWTK6W2BeZ7FEfcYkg476zPFsLnS”);

#[program]

 pub mod hello_world {

use super::*;

pub fn initialize(ctx: Context<Initialize>) -> ProgramResult {

    let greeting_account = &mut ctx.accounts.greeting_account;

    greeting_account.counter = 0;

    Ok(())

}

pub fn increment(ctx: Context<Increment>) -> ProgramResult {

    let greeting_account = &mut ctx.accounts.greeting_account;

    greeting_account.counter += 1;

    Ok(())

}

}

Did you know? While Rust is the programming language for creating Solana-based smart contracts, Anchor is the smart contract development framework that is used. For creating smart contracts using Rust, developers need to pull modules from the Anchor framework — something the first line of our sample code (use anchor_lang::prelude::*;) stands for.

Solana documentation will help you understand the Rust-specific smart contract language.

Similarly, Cardano follows Plutus as the choice of language, followed by the Ink! language for Polkadot, TEAL for Algorand, C# for NEO, and more. Learning the chain-wise documentation in detail is advisable before proceeding with compatible smart contract writing.

Why should you learn to read smart contracts?

The ability to write smart contracts is highly recognized, but even being able to read comes with its share of benefits:

  1. The ability to learn about the automation complexities associated with DeFi apps.
  2. Analyzing the ownership standards associated with asset tokenization.
  3. Understanding how decentralized autonomous organizations (DAOs) function.
  4. Understanding and implementing use-case-driven logic related to insurance, content monetization, voting system, royalties, and other verticals.

How to write smart contracts

Now that reading smart contracts is out of the way, let us focus on writing smart contracts. Before you delve deeper, it is necessary to reiterate that different blockchains might have different standards and languages related to smart contract development. It is necessary to focus on the standards defined by any given blockchain, To start with writing and contract deployment.

For the majority of our discussion, we shall focus on Ethereum as the chain and Solidity as the language.

The role of programming

Programming a smart contract is easily the most important part of the development cycle. And to get into smart contract development on Ethereum or any other blockchain, you should have some experience with non-blockchain programming languages like Javascript.

Different blockchains and the language to write smart contracts: BeInCrypto

The ability to program a smart contract allows you to implement logic, handle the security elements of the same, optimize the code for gas fees, customize the same, and even make the same interoperable if needed.

EVM and smart contracts: a lay of the land

Anyone who is planning to write smart contracts on Ethereum needs to understand what the Ethereum Virtual Machine (EVM) is and how it works with smart contracts. For starters, EVM is an Ethereum component that gives programs an isolated and controlled environment to work. Consider this a global computer that hosts every piece of contract code there is on Ethereum. Every node on the Ethereum network runs the EVM.

If you are aspiring to be a smart contract developer, here is what you need to know in regard to smart contracts and EVM.

Once you write the program in Solidity, which is a high-level language, you need to compile it into bytecode — a machine-understandable low-level format. This bytecode gets into the Ethereum blockchain and resides there. Anyone interacting with the smart contract needs to send a transaction to the address of the contract.

Every node with the EVM installed can see this transaction, and once the validators approve the same, the smart contract code is executed. As every node has transaction visibility, nothing can be tampered with, and the code executes as it was written. And once the code gets executed, the blockchain’s state changes, making the process end-to-end and completely transparent.

Can anyone write a smart contract?

Writing smart contracts require technical know-how. But that’s not it. You also need to thoroughly understand how blockchain technology works, what language-specific needs are relevant to the blockchain you are targeting, interoperability, and more. In addition to that, you should also know a fair deal about smart contract vulnerabilities — things to avoid while writing code. And finally, contract testing and contract deployment knowledge is also a must.

All of that can become overwhelming. So here is a quick cheat sheet to get started:

  1. Start by choosing the platform or chain you want to work with.
  2. Learn the programming language associated with the chain, like Solidity for Ethereum.
  3. Learn about using the development tools like Integrated Development Environment like Remix.
  4. Start by writing your first contract and then testing using testnets.
  5. Once you are satisfied with the elements of the code, you can deploy it on-chain. Remember that deploying the contract on-chain will cost in the form of gas fees.

Here is a quick thread with some tips to write better smart contracts:

🥧 FREI-PI
‼️ Why smart contract devs NEED to know this!
Function:
– Requirements
– Effects
– Interactions
Protocol
– Invariants
This is the pattern you should all be thinking about when building smart contracts.
Here is why 👇
— Patrick Collins (@PatrickAlphaC) July 6, 2023

Diving into programing

It is time to get into to the technical aspects of smart contract development. Even though chains like Solana and Cardano allow you to develop smart contracts, Ethereum continues to be the most popular smart contract development platform.

Did you know? In 2022 alone, 100,000+ plus decentralized applications made it to the Ethereum network.

Why Ethereum?

Ethereum has a huge community of developers. Anything you develop will immediately get attention. Plus, its native language, Solidity, is relatively easy for individuals who know their way around Python or JavaScript. Finally, Ethereum global software, EVM, helps with seamless contract execution.

If you are in the majority and prefer to use Ethereum and Solidity, here is a quick list of things you need to track before getting started with smart contract development:

  1. Pragmas or the compiler version
  2. Contract definition for labeling
  3. State variables for storing data
  4. Events for EVM logging
  5. Modifiers to give specific rights to specific bodies
  6. Functions or the smart contract activities in play
  7. Inheritance for interoperability
  8. Understanding of control structures like if, else, for loops, data types like string, integer, and more.

Writing and deploying the first smart contract

Now that we know how things go down on-chain, let us dive into writing and deploying the first smart contract. Even though “Hello World” remains the first step, we will start by creating a smart contract to launch a hypothetical BIC token with a 100% unlocked supply of 1 million.

The basics

The first step is to install the latest version of Node.js and the NPM or Node Package Manager. This takes care of the development tools and the local environment for development. Also, Node.js and NPM allow you to set the web front-end for your smart contract.

Now, you need to set an IDE to write the contract code. For that, you can quickly install Visual Studio Code. Or you can cut the clutter and hop on to Alchemy — a blockchain development platform. With Alchemy, you can get some testnet ETH. This will cover the gas fees when you deploy the smart contract to the Goerli testnet or even the Sepolia testnet.

Do note that Sepolia is a younger testnet and therefore takes less disk space when it comes to node deployment.

For now, we will persist with the Goerli testnet as it has a larger number of deployed applications.

With the testnet and fake ETH ready, let us move to specifically writing the smart contract. Here is the code snippet for creating a BIC token with a 1 million fixed supply.

Note: We shall be deploying our smart contract locally on the MacOS and not the testnet. For testnet and mainnet deployment of smart contracts, we shall have a separate piece, which is beyond the scope of this discussion.

Steps to write and deploy

Here is the simple code snippet for the hypothetical token:

pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
contract BICToken is ERC20 {
    constructor() ERC20("BIC Token", "BIC") {
        _mint(msg.sender, 1000000 * 10 ** decimals());
    }
}

If you are aware of the syntax, you would know what each code component means. As for the Openzepplin part, it is the go-to library for importing ERC-20 smart contracts. This library offers the basic operating standards for ERC-20 tokens.

The mint function talks about the initial supply, which is deployed to the smart contract address or the msg.sender.

To set this code up locally and test it, we will need three components:

  1. Node.js and NPM (already discussed): Works like an engine to power your smart contracts
  2. Truffle: Works like a toolbox, helping you organize code, scripts, and other parts of a contract
  3. Ganache: Works like a virtual, on-device playground. Think of it like a personal blockchain.

What is contract execution?

If you have gone through the detailed process of writing a smart contract, it is imperative to know a fair bit about contract execution. It is a process by which the smart contract code is executed on a chain by the nodes.

It is the uniformity associated with contract execution that makes smart contracts transparent and immutable. Let us now understand the step-pronged process associated with contract execution:

Step 1

The code snippets that we have been writing need to be executed somewhere. In the case of smart contracts, this place of execution is the blockchain. The nodes or the participating members of the chain help execute the contract.

Step 2

The nodes accept the responsibility of executing contract code blocks in return for chain-related incentives. Every command or action that happens within the chain is led by smart contracts.

Step 3

Every smart contract has a specific address. For executing the contract, transactions are sent to that contract address. Do note that every node runs the EVM, which then has a copy of the smart contract code, making it easier to check for the authenticity of the transactions.

Step 4

The transactions targeted towards the smart contract are picked by the validators, who then include the same into specific blocks.

Step 5

Once the transaction is pushed through and successfully validated, it becomes a part of the blockchain. The smart contract function associated with the transaction is then called and executed across the blockchain nodes.

Step 6

Every node executing the smart contract should reach a deterministic conclusion — the same output for the same set of inputs — making the nature of the contracts completely trustless and transparent.

Note: Any error concerning the code execution or issues related to gas fees reverses the transactions. This means that the transaction based on a specific smart contract code will cease to exist. This is exactly what happens with flash loans when the inability to adhere to specific norms reverses the entire transaction, seemingly giving an impression that funds didn’t even move in the first place.

Every state change associated with smart contracts gets recorded within the blockchain and becomes an immutable part of the same.

Smart contract development and best practices

Now that you know a fair bit about smart contracts, here are a few pointers to get started with contract development:

  1. While writing contracts, relying on trusted libraries like the ones at OpenZeppelin to adhere to the desired code optimization and security standards is advisable.
  2. The idea is to keep the contract modular and simpler — making it easier to test and review.
  3. A good idea is to implement contract-specific access controls. This means declaring code bits where only a specific person or entity can change the crucial traits of the contract. Access control makes it easier to keep the smart contracts secure.
  4. While writing a contract, always make provisions for handling edge cases and exceptions — all while writing multiple tests.

Taking care of code sustainability

Each of the practices mentioned above helps with code optimization and security-specific implementations. However, there are a few contract-specific practices that you must follow and implement to take care of code sustainability. This aims to keep the contract code light and usable so that every node running and executing the same doesn’t have to dedicate a lot of computational power to the same.

  1. Handle storage efficiently by using smaller data sets. For instance, while writing a contract, use uint8 as the operational value instead of uint256.
  2. While writing a contract, it is advisable to optimize the code by combining multiple operations into one. We shall delve deeper into this in our detailed piece on “writing smart contracts.”
  3. A good idea is to use lazy evaluation in regard to smart contract execution. This way, you only need to execute a function when required and not every time something gets pushed to the smart contract address.
  4. Finally, relying on off-chain computations is also a good way to focus on sustainability. This helps lower gas fee requirements and can even speed up the contract execution.

Despite following the best practices while writing and developing smart contracts, it is necessary to focus on the contract security vulnerabilities while pushing them to the mainnet.

How to audit smart contracts?

Every smart contract that has a presence in the mainnet needs to be evaluated for code performance, security, and other traits. This is where auditing — a rigorous contract testing process — comes to the fore, allowing you to uncover potential contract vulnerabilities and weaknesses.

Here is a quick audit checklist to get started:
Amazing Smart Contracts Audit Checklist😈
Be sure to check them in your next audit✅
I’d appreciate a retweet, spread the knowledge🫡https://t.co/ILx0C67kf8
— cholakov (@cholakovv) July 7, 2023

Relation between reading, writing, and auditing: why even audit smart contracts?

While reading and writing smart contracts are intertwined when it comes to developing intelligent pieces of code, auditing has a special place and involves checking the logic in the first place. When it comes to blockchain-based code execution, everything is immutable, and anything catastrophic can have irreversible consequences upon contract execution. This is exactly why a thorough check of the contract code and other aspects via auditing is necessary.

Contract vulnerabilities and fixes

There can be a host of contract vulnerabilities that a detailed smart contract audit can identify. These include checking for reentrancy attacks, overflows or underflows, issues related to access control, and more. Once the exact nature of the issue is determined, the auditor can even suggest the best practices to fix the same.

Breaches cast studies and learnings

Still unsure as to how smart contract auditing can help? Well, let us circle back to the infamous DAO hack in 2016, which exploited a reentrancy issue and caused a loss of almost 3.6 million ETH. Similarly, there was the Parity wallet contract hack in 2017, leading to a loss of almost 500,000 ETH. These issues could have been avoided with the right set of audits.


DAO hack flowchart: BeInCrypto

Strategies to audit smart contracts

There are numerous strategies to audit smart contracts. Some of the more popular ones include:

Auditing tools

These tools act as the first set of defenses and are best used for locating common vulnerabilities. Some of the more popular tools include Securify, Mythril, and more — capable of performing static analysis of the code, detecting breach patterns, and helping get a security-specific headstart.

Tools to audit smart contracts: BeInCrypto

Code review

This is where manual code reviewers come into the picture, scrutinizing the codebase and identifying complex vulnerabilities, if any. A manual review can help take care of the business logic, context, and usage patterns.

Here is how manual code reviews help you locate threats:

A small trivia for our junior auditors!
Lets go and retweet if you found the bug! pic.twitter.com/i14YtweXcz
— CharlesPaladin (@PaladinCharles) July 8, 2023

Automatic scans

Tools like Snyk and GuardRails help with automatic contract scanning — a security implementation that gets invoked every time the code is updated. This form of audit ensures that new changes made to a code are safe and non-invasive in nature.

Formal verification

This is a complex process that solely relies on checking the business logic of the code. Do note that formal verification isn’t actually meant for verifying the syntax but only the logic to see if the code executes as desired.

In addition to the mentioned strategies, smart contract auditing can also be initiated using peer reviews, bug bounty programs, and test coverages via tools like the Solidity Coverage for maximizing efficacy.

A simple way to audit smart contracts: BeInCrypto

How to review the code right?

If you are new to smart contract auditing, it is important to note that there are two ways of broadly analyzing the code and identifying issues. These include:

Static analysis

This type of code analysis helps identify basic security vulnerabilities, coding errors, and other issues per the given coding standards and conventions. Threats like unchecked calls to external sources, integer overflows, and more can be highlighted using static analysis. The best thing about static analysis is that the code doesn’t need to be executed for it to be checked.

Dynamic analysis

This approach towards auditing tests the alignment of the code with the EVM. Instead of only checking the code, dynamic analysis cross-checks the response of smart contracts to a wide range of inputs. Dynamic analysis can identify issues like incoherent gas consumption and even erroneous contract logic. Personal blockchain environments like Ganache can work as dynamic analysis platforms, allowing developers to make transactions, execute commands, and do much more with their contracts.

Testing an actual piece of code

Here is a smart contract snippet that works as a fund storage, having a withdrawal function:

pragma solidity ^0.6.1;
contract VulnerableContract {
    mapping(address => uint256) public balances;
    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }
    function withdraw(uint256 _amount) public {
        require(balances[msg.sender] >= _amount, "Insufficient balance.");
        (bool success, ) = msg.sender.call{value: _amount}("");
        require(success, "Transfer failed.");
        balances[msg.sender] -= _amount;
    }
}

If you look at the code closely, there is a key vulnerability:

In the previous case, the “withdraw” function can be called again if the user receiving the funds is also a smart contract, albeit malicious. Therefore, before the last function or the balance update happens, a reentrancy attack can be initiated to transfer additional funds. Experienced auditors identify this kind of vulnerability.

Here is the fixed code for the same:

function withdraw(uint256 _amount) public {
    require(balances[msg.sender] >= _amount, "Insufficient balance.");
    balances[msg.sender] -= _amount;
    (bool success, ) = msg.sender.call{value: _amount}("");
require(success, “Transfer failed.”);

}

Check how the balance update function gets called first and then the first move to the user. This change in operation order is what fixes the contract.

Non-Ethereum chains and code review

The world of decentralized applications and smart contracts has moved beyond Ethereum. Even though the bulk of action still happens within the Ethereum ecosystem, there are other chains like Cardano, Solana, and more that support smart contracts and require different auditing standards.

Why is every platform unique?

Different blockchains use different programming languages. The code’s semantics, syntax, and properties are different, making the smart contracts responsive to different writing and auditing practices. For instance, Ethereum uses Solidity, whereas Polkadot uses Ink and Rust — making it reactive to specific auditing standards.

Tools for going non-Ethereum

Now if you want to move beyond Ethereum, there are a few specialized auditing tools to get you started. For instance, with Cardano, there is the Marlowe suite for formal verification and auditing. When it comes to Solana, Rust-specific libfuzzer and cargo-fuzz are meant for auditing and contract testing. A multi-chain auditor must be familiar with these concepts to keep contract vulnerabilities at bay.

What are the different types of smart contract auditing?

Just to reiterate, you can segregate smart contract auditing into three types: manual, automatic, and hybrid. Do note that people prefer hybrid auditing strategies for complex contracts with deep business logic as they are the most comprehensive.

Outsourcing your audits

Organizations and individuals with minimal coding knowledge often outsource their writing and auditing requirements to reputed firms. When it comes to auditing, choosing the right company becomes all the more important as even though AI tools like ChatGPT can help write smart contract code, checking the same requires manual insights.

Also, here are the factors to take note of while outsourcing the auditing tasks:

Choosing the right firm

Before you zero in on the right outsourcing firm, it is crucial to check past audits, evaluate the experience, and even focus on the key team members.

Understanding responsibilities, costs, and overheads

Before making a hire, take note of the costs and services associated with the audits. It is imperative to first understand the nature of services offered — like issue identification, issue resolution, and more. You must also check if re-audits are also provided post implementing the first line of fixes. The cost of a smart contract audit can vary depending on the services, and therefore, it is necessary to track every requirement and offering before proceeding.

Best smart contract auditing practices

In case you want to ditch a firm and audit smart contracts yourself, here are the best strategies and practices to keep in mind:

  1. Always focus on a thorough code review, including the syntax and logic
  2. Start by picking up common vulnerabilities using tools like Slither, MythX, and more
  3. Surf through the Smart Contract Weakness Classification Registry or SWC to locate the known vulnerabilities and check for them beforehand.
  4. Test the smart contracts rigorously, including integration tests, unit tests, and more, to stress test the code across a wide range of scenarios.
  5. It is important to check for the chances of reentrancy attacks specifically. The best way to combat the same is to check for recursive calls that hackers can call before the first smart contract function.
  6. Focus on functions that lead to external calls. An error in this regard can alter the state and control flow, which isn’t desirable.
  7. Always keep an eye on code bits that point to gas usage. You do not want your contract to initiate interactions that are prohibitively expensive.

Smart contract development and AI: the future

Artificial intelligence is indeed making it easier to write smart contracts. However, regardless of AI innovation, the ability to audit smart contracts in the best possible way still requires human intervention. Therefore, if you plan to build your next web3 product emphasizing smart contracts and decentralized applications, it is crucial to focus religiously on the best auditing resources for your smart contracts. With cryptocurrency hacks and breaches surfacing with each passing day and hackers planning new strategies to break through, auditing a contract to perfection is certainly one of the more important modern-day skill sets.

Disclaimer:

  1. This article is reproduced from [Beincrypto], and the copyright belongs to the original author [Ananda Banerjee]. If there are objections to the reproduction, please contact the Gate Learn team, and the team will process it promptly according to relevant procedures.
  2. Disclaimer: The views and opinions expressed in this article represent only the personal views of the author and do not constitute any investment advice.
  3. Other language versions of the article are translated by the Gate Learn team. Without mentioning Gate.io, it is not permitted to copy, disseminate, or plagiarize the translated articles.