Smart Contract Auditing

21 March 12:37

[TL;DR]

With DeFi smart contracts topping the chat of blockchain hacks in 2021, over $1.3 billion worth of cryptocurrencies have been lost to exploit, scams, and hacks. These massive losses can be traced to unaudited contracts, hasty forks, outright scams, and many more. But according to the Certik DeFi security report, the majority of the exploited projects are unaudited.

In this article, we will examine what smart contracts are, how to protect them from bad players in the market.
We will also look at some smart contract audit companies and their focuses.

Fill in the form to receive 5 reward points→

Smart contract attacks

smart contracts are self-executing lines of Codes that obey set instructions on the blockchain network. These contracts enable users to carry trustless, and transparent transactions on the blockchain without the need for a central authority or any legal system.

Because of their usefulness, they have become the building blocks to complex decentralized applications, such as in DeFi and DExs, ICO, voting protocols, and supply chain management.
As intelligent as may seem, they can attract huge losses if any security vulnerabilities or bugs are detected in the code.

Usually, the smart contract might perform its design functions, but the presence of a loophole will give room for hackers to build codes that are capable of interacting with the smart contract to divert funds.

- A good example is a recent attack on Qubit Finance, where the hacker exploited its cross-chain bridge and stole 206, 809 BNB tokens- About $80 million.
- Another historic example is The DAO hack of 2016, accounting for a $50 million loss

Smart Contract Known or standard vulnerabilities

Race Conditions: where events do not occur in the intended order. In Smart Contracts, Race Conditions may occur when external contracts take over control flow.

Reentrancy: in this case, some function is called repeatedly before the first function invocation is completed. One of the crucial solutions is to block concurrent calls in certain functions, especially when scrutinizing external calls.

Cross-function Race Conditions: describe a similar attack of two functions sharing the same state, with the same solutions.

Transaction-Ordering Dependence (TOD) / Front Running: is another race condition that affects the transaction orders within a block. By manipulating transaction orders, one user benefits at the expense of another.

Oracle Manipulation: this kind of attack is associated with smart contracts that rely on external data as inputs. If the input data is incorrect, it is still fed in and automatically executed. Protocols relying on oracles that have been hacked, deprecated, or have malicious intent might have disastrous effects on all processes that rely on them.

Short address attack/ parameter: this type of attack is associated with EVM. it happens when the smart contract is accepting incorrectly padded arguments. In this way, attackers can exploit poorly-coded clients by using specially-crafted addresses to make them encode arguments incorrectly before including them in transactions.

Smart Contract Audit

Similar to regular code audit, The safety of a smart contract Smart is directly proportional to the robustness and quality of the deployed code. It involves extensive scrutiny and analysis of a smart contract code. To do this, smart contract auditors check for common errors, host platform known errors, and simulate attacks on the code. Developers (usually external smart contract auditors) are then able to identify errors, potential bugs, or security vulnerabilities in the project’s smart contract.

This service is all-important in the blockchain industry because the deployed contracts cannot be changed or are irrevocable. Any defect will most likely make the contract dysfunctional or prone to security breaches that could lead to irrecoverable losses. These days getting an audit validation is a boost to win the trust of users.

Steps To Smart Contract Audit.
1. Examine the consistency between the code functionality and the project’s whitepaper
2. Check for standard vulnerabilities;
3. Symbolic analysis
4. Automated analysis by automated tools(Approach 1): tools like Truffle and Populus are used for automated code testing. This approach takes a very short time and it has a more sophisticated penetration compared to manual code check. Although it also has limitations of false identification and missed vulnerability.
5. Manual code and code quality review (approach 2): in this case, the code is manually examined by experienced developers. Although the automated checks are faster, manual checks account for both false & missed vulnerabilities.
6. Gas usage analysis;
7. Performance optimization
8. Report preparation.

Smart Contract Audit Companies

1. CertiK: Certik was founded in 2018 and it is one of the preferred in the blockchain niche due to their transparency and proof engine verification tools that ensures scalability and topnotch security. That is, their approach is mainly mathematical. The company claims they have detected over 31, 000 vulnerabilities in smart contract codes, audited 1737 projects, and have secured over $211 billion worth of digital assets.

2. Hacken: Hacken is another company that provides audit services for blockchain platforms like Ethereum, Tron, EOS. Although their services are not limited to blockchain solutions alone, Hacken also provides security products for IT companies. HackenAI security platform is a solution designed by Hacken to protect the end user from security compromises with enabled features such as Darknet monitoring alerts.

3. Quantstamp: Quantstamp is a blockchain security company with developers from top IT companies like Facebook, Google, and Apple. Quanstamp has a wide array of blockchain security tools and services, including; a decentralized security network for smart contract auditing. According to their claims, Quantstamp has protected over $200 billion in digital assets, and they have more than 200 foundations and startups that have engaged their products.

4. ConsenSys: founded in 2014, ConsenSys is a robust team consisting of software developers, business experts, lawyers, security providers. Its platform is based on the Ethereum ecosystem and aims to provide blockchain solutions such as security and product protection, financial infrastructures. The company has a smart contract security analysis product. ConsenSys Diligence; which provides crypto-economic analysis and automated smart contract scanning for Ethereum chain.

5. Chainsecurity: provides products and services securing blockchain protocols and smart contracts. Chainsecurity is trusted by over 85 blockchains and has secured over $17 billion worth of digital assets. They have also partnered with PWC Switzerland to carry out security reviews, create solutions that assess smart contracts, test and run performance metrics for smart contracts.

6. Runtime Verification: Runtime verification uses the runtime verification-based method, which has increased standard compliance, wide coverage during execution, to run security audits on virtual machines. Runtime product and service includes smart contract verification, protocol verification, advisory service, Firefly, ERC20 token verifier, and IELE.

Author: Gate.io Observer: M. Olatunji
Disclaimer:
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.