Smart contracts are an excellent invention of the XXI century. However, technical vulnerabilities can expose the entire system to the risk of hacker attacks. Both platform users and a company's reputation can suffer, so it is important to conduct audits to mitigate project risks. Most of all, smart contract audit services are popular among crypto projects like DeFi exchanges, DeFi lending platforms, and others. In such projects, smart contracts are the main engine of the software, where all the logic of work is laid. In this article, we will tell you what a smart contract audit is and how to conduct it correctly.
Table of contents:
- Why is smart contract audit important?
- Types of smart contracts attacks
- Smart contract audit services
- The process of smart contract audit
- The IdeaSoft experience
Why is smart contract audit important?
Cracking smart contracts is a common phenomenon in the crypto world. Causes of the crash are divided into two types: technical code vulnerabilities and human error, and if it is difficult enough to exclude the possibility of human error, it is necessary to eliminate technical errors. This is where comprehensive smart contract audit services can help.
Smart contract auditing is a process that scrutinizes a piece of code to identify bugs, vulnerabilities, and risks. It is often conducted before the code is deployed and used on the main network because then it is no longer subject to change.
As practice shows, all blockchain projects need smart contract audit services because the crypto world is characterized by decentralization and openness. Almost all crypto projects are required to publish source code on Github to prove the purity and transparency of their platform, cryptocurrency, token, ICO, etc.
Let's say a quality blockchain project goes for an ICO but does not provide the results of smart contract testing and an external audit of the ICO. Trust in such ICO will be minimal, as investors have no guarantees of preserving their deposits. As a result, the blockchain project will not get into the top ICO projects and will receive poor recommendations from experts, despite the innovativeness of the idea. No guarantees - no investment.
The crucial point is that smart contracts should be audited externally. This is because the programmer, who wrote a smart contract, can find flaws in the code, but it is quite difficult for him or her to consider different variants of the logic of his or her smart contract functioning.
Last year was famous for a lot of smart contract attacks because of the poor smart contacts audits. One of the most high-profile events was the theft of $3 million from DeFi Protocol Cover on December 28, 2020. The intruder exploited the infinite mining vulnerability: the hacker invested assets, withdrew them, took the profit, and repeated it several times. Remarkably, the hacker turned out to be decent - he returned the funds.
The hacker used a combination of two minor bugs that are relatively harmless on their own. The first bug is related to memory. There are three types of memory in smart contracts: steak (local variables), storage (the most expensive memory that is stored in the blockchain), and memory (sequence of bytes). Since a smart contract uses all types of memory, this makes it possible to overwrite one variable from storage to memory, change it as a result of the operation, and then use it in the changed form.
The second disadvantage is related to the variables’ order inconsistency when performing operations. For example, you put in a smart contract a variable that has 18 digits, and then it's written that it has 12 digits - this also causes inaccuracy, but not critical.
Such minor bugs in the smart contract allowed the hacker to do serious damage to DeFi Protocol Cover. Overall, 2020 was famous for a lot of smart contracts attacks that contribute to great losses:
- The September 2020 attack on the KuCoin exchange was one of the largest hacks in the history of the industry. The damage was estimated at $280 million.
- Harvest Finance also suffered from the hacker attack - a smart contract bug cost them almost $20 million.
- Another DeFi project Pickle Finance suffered a major loss as a result of the attack. Hackers stole more than $19 million.
- In November 2020, hackers attacked the Origin Dollar stablecoin - the project lost over $7 million.
- In April 2020, the DeFi-protocol dForce was affected by the attack. At the time of the theft, the amount was almost $25 million. The hacker took advantage of a critical vulnerability in the smart contracts.
Types of smart contracts attacks
The number of smart contracts is growing exponentially. Accordingly, the number of smart contracts vulnerabilities and attack vectors on crypto platforms is also growing. Among the most common smart contract vulnerabilities are the following:
|Reentrancy||A smart contract is designed in such a way that the same copy of its instruction in memory can be used simultaneously by multiple users or processes. So users can initiate multiple transactions and potentially exceed their account balance, causing damage to the project.|
|Timestamp Dependence||A miner can slightly change the timestamp of a block. The number of blocks and average time per retrieval can be used to estimate the timestamp, but this is not a reliable way since the retrieval time is variable.|
|Gas Limit and Loops||Each block has an upper limit on the amount of gas that can be consumed to perform computer calculations. If the consumed gas exceeds the limit, the transaction will fail. This leads to the possibility of operating multiple denial-of-service (DOS) vectors. Infinite loops may occur in cases of improper gas processing.|
|Byte array vulnerability||A byte array is very slow, which affects performance. Such an array can be easily taken down with DDoS by sending a large number of requests to it.|
Except for these common smart contract vulnerabilities, there are also:
- Unchecked Return Values For Low-Level Calls
- Bad Randomness
- Time Manipulation
- Short Address Attack
- Arithmetic Issues
- Access Control, etc.
Smart contract implementations often have bugs that can lead to fatal consequences. When giving everything to smart contracts, a company should be as confident as possible in them. Here is where smart contract audit services come to the aid.
Smart contract audit services
Typically, smart contracts are audited using two approaches: manual and automated.
Manual auditing involves a team of experts/auditors examining each line of code to analyze it for compilation and re-entry errors. This can further help identify other underestimated security issues.
Manual code analysis can be performed using two approaches - checking a standard list of vulnerabilities or performing a free exploratory check based on the developer's own experience. This approach is considered the most accurate and comprehensive, as it detects hidden issues such as problems in the contract logic or architecture, not just bugs in the code.
Automated security analysis follows a sophisticated approach to penetration testing and helps find vulnerabilities much faster. This approach is suitable for projects that require faster time-to-market. As part of automated smart contract audits, auditors use a variety of bug detection software. This software helps find the exact location responsible for executing each input and also indicates where a possible error might occur.
However, automated auditing has its disadvantages. Since the software is very fast, it can sometimes miss vulnerabilities or identify any piece of code as an error when it is not. This can cause many serious problems. That is why manual code analysis or manual auditing is highly recommended. Automated testing helps a lot and quickly checks code for vulnerabilities and bugs, but not always understands the context.
So, when testing smart contracts, a blockchain development company uses manual or automatic methods of code analysis. Both have their advantages and disadvantages. For example, manual code testing is used to outline improvements related to efficiency, logic, and optimization of the smart contract. As for automatic code testing, it is less time-consuming and allows testing for vulnerabilities much more quickly.
The process of smart contract audit
One of the main difficulties in developing a smart contract is gas optimization (the fee that a user pays for using a smart contract). If it is high, it will be unprofitable for users. Only experienced developers know how to optimize it in the best way. So it's also one of the elements of smart contract auditing.
Auditing is a complex process, and usually, it consists of the next 6 steps:
- Collecting code design models. We gather the code specifications and review the architecture to assure the guaranteed integration of third-party smart contracts.
- Unit testing. We test each function of a smart contract by implementing test cases. Specialists utilize tools to ensure that unit test cases include an overall code of the smart contract.
- Manual analysis. Auditors inspect smart contracts row after row to detect the potential risks like external calls and service attacks, Front Running Attacks (Transaction Ordering attacks), and so on.
- Initial report. We suggest the report containing all the vulnerabilities.
- Fixing bugs/errors. Our team of experts fixes each bug/error detected while examining the report.
- Final audit report. Specialists publish the final report on Github which is accessible for everyone to read.
Smart contract code auditing is a rather specific area. Despite its small size, a smart contract is a full-fledged program, capable of organizing complex branches. Even for automation of seemingly simple transactions it requires thinking through all possible branches at every step.
The IdeaSoft experience
Smart contract audit services are popular for a reason. Identifying vulnerabilities and bugs in the contract is a crucial step that every DeFi product creator must take. Anyone can benefit from smart-contract audits: developers, owners of ICO startups, DeFi development companies as well as owners of decentralized applications. In this way, you protect yourself and your users from the risk of losing their funds.
IdeaSoft is a software development company, one of the main specializations of which is blockchain development. Our team has experience in creating DeFi products, lending/borrowing platforms, NFT marketplaces, crypto exchanges, digital wallets, DeFi aggregators, and much more. A deep understanding of blockchain and experience of over 250 projects allow us to write smart contracts and provide quality smart contract audit services.
So, if you need help with smart contracts, feel free to contact us to discuss your project.