Smart Contract Audits : A Complete Guide
The ultimate guide to what are smart contact audits and their benefits to cryptocurrency projects.
Cryptocurrencies have been one of the most discussed and controversial innovations of the past decade. Blockchain technology, that is powering cryptocurrencies has seen many uses in the past years from payments to supply-chain management and many more. While you might be mostly reading about images of apes and rocks being sold for millions and dog-themed coins reaching billions in market cap, there are significant technology advancements that have been made through the use of cryptocurrencies.
One of the most important aspects of blockchain is smart contracts. It’s what makes blockchain technology go beyond a simple virtual currency and allows terms to be executed as part of a transaction. It goes without saying that making sure that all the terms (or code) that are included in the smart contract need be flawless in order to make sure that the transaction is not exploited by malicious actors. And that’s where smart contract audits come in. In this post, we’ll give you a complete overview of what are smart contract audits, how they work, why they are needed and some free tools that will help you with your smart contracts. Whether you are an investor, a developer or simply are looking to learn more about smart contract audits this is the guide for you.
What Is a Smart Contract?
Smart contracts are simply terms (or programs) that are stored on a blockchain and are executed when certain conditions are met. They typically are used to automate the execution of a contract or agreement without the involvement of a third party. It is a way for the participants of the agreement to be certain of a certain and immediate outcome.
The concept of smart contracts was introduced (believe it or not) 10 years before the invention of bitcoin. It was first proposed in 1994 by Nick Szabo, a computer scientist and cryptographer, with the goal of bringing practices of contract law to the internet. It is one of the reasons that many think Szabo might actually be Satoshi Nakamoto, the creator of Bitcoin. However, Szabo has repeatedly denied any such rumours.
Smart contracts were initially defined as computerized transaction protocols that execute the terms of a contract or agreement. Szabo’s vision was to extend the functionality of electronic transaction methods, such as POS (point of sale), to the internet.
In his paper, Szabo also proposed the execution of a contract for synthetic assets, such as derivatives and bonds. Szabo wrote: “These new securities are formed by combining securities (such as bonds) and derivatives (options and futures) in a wide variety of ways. Very complex term structures for payments can now be built into standardized contracts and traded with low transaction costs, due to computerized analysis of these complex term structures.”
In simple words, he was talking about the sale and purchase of derivatives with complex terms. Many of Szabo’s proposals and predictions in the paper came true in ways preceding blockchain technology. For example, derivatives trading is now mostly conducted through computer networks using complex term structures.
What Is a Smart Contract Audit?
A smart contract audit is a process during which a smart contract is thoroughly analysed and reviewed for any potential vulnerabilities. The auditor will review the business logic and the code of the contract and will make sure that there are not any flaws that can be exploited.
Smart contract audits will usually include a report that will be shared with the relevant parties (usually investors and the developers of the contract) detailing all suggested improvements to address any performance and security issues.
The auditors typically work closely with the developers of the smart contract to make sure all potential vulnerabilities are addressed. It is at this stage that the final report will be made public to the investors of the project to decide whether they want to invest in the project or not.
Why Is a Smart Contract Audit Important?
With cryptocurrency scams reaching all-time highs and the most recent one (at the time of writing this) reaching a whopping $614M it is imperative for everyone interacting with smart contracts to make sure they are properly audited.
There are usually two main parties that are interested in smart contract audits, investors and blockchain developers. For investors, it is a crucial part of their research process (commonly referred to as DYOR). They want to make sure the project they will invest in is free of any potential exploits and the developers have taken all the suggested actions suggested by the auditors. It is not uncommon for developers to purposely create a malicious smart contract in order to take advantage of investors. If you are thinking of investing in a new cryptocurrency make sure it’s properly audited and read thoroughly the audit report to make sure your investment is safe.
For developers, on the other hand, a smart contract audit will help them identify potential issues in the code that they might have missed. An experienced auditor will identify quickly potential flaws in the business logic and vulnerabilities and help them fix them before taking the project live.
How To Do A Smart Contract Audit?
Generally, smart contract security audits are performed by cyber security firms that are specialised in finding code vulnerabilities. That said, if you are well-versed in programming languages like solidity or rust, there are certain checks you can perform by yourself before consulting with an expert.
Before deeping into the code, the first thing you need to do is to define the scope of your audit. There are many aspects to smart contract audits from checking the business logic, analysing transaction costs or gas, performance review and checking for vulnerabilities. Defining your audit scope will help you come up with a test plan and a strategy on how you will audit the smart contract.
Once you have come up with your test strategy, you will need to start thinking about what tools to use to make your life easier. Some smart contracts can be quite large and dynamic to be monited effectively manually. In some cases, even after a project goes live, you need a system to continually monitor the transactions and inform the participants immediately if something fishy is discovered. Here are some popular tools auditors use as part of their process:
After identifying the right tools for you, it’s time to get to work. The tools above will give some initial findings that they might be able to detect like suicidal functions or reentrancy vulnerabilities, but it’s up to you, the auditor, to go line-by-line and check for further vulnerabilities or optimisations that can be made.
Common Smart Contract Vulnerabilities
In case you are not familiar with some common vulnerabilities that are found in smart contracts, we’ve made a list of the most common ones.
Lack of Verification Checks
One of the most common issues seen in smart contracts and in generic programming is the lack of verification of the function parameters. Certain operations need to have necessary checks in order to be valid and most of the times developers forget or omit to add these checks to their code.
A common case of such vulnerability might include missing checks to see if an unauthorised user has enough balance to perform a specific operation. Another good example is access control, where only certain types of users should be allowed to call a certain function, but this verification is never done or if you leave a certain function as public instead of “OnlyOwner”. This is the simplest and yet most common form of exploits that you will see in new smart contracts.
A reentrancy attack happens when a function in the smart contract calls another external one in an untrusted contract. Then the untrusted contract that is being calls makes a recursive call back to the original function in an attempt to drain the funds of the initial contract.
When the contract fails to update its state before sending funds, the attacker can continuously call the withdraw function to drain the smart contract’s funds. At the time of this writing the most recent re-entrancy attack was on the Fei Protocol. In April 2022, it became the victim of a $80 million hack that was made possible by its use of third-party code containing re-entrancy vulnerabilities.
Not a vulnerability per see, but gas analysis during smart contract audits is an important aspect of the process. Blockchain networks such as Ethereum need to use ‘gas’ in the form of Ether to cover the costs of transactions. Gas prices may vary depending on the complexity and the lentght of the smart contract. So it goes without saying that you should always check your code for any unusude functions. A good example of that is the SafeMath library. If you only use the uint256, add a function for the operations you need and then remove the rest from the contract.
Another common vulnerability with smart contracts is incorrect calculations. This vulnerability, also referred as arithmetic underflow or overflow, means that if some calculations are left uncheck the result that the calculation will product will be a number outside the range of the data type that stores them are performed. For example a uint8 variable, can only store integers between 0 and 255. Trying to store any value higher than 255 into a uint8 will result in zero. This can cause problems when performing calculations causing your smart contract to malfunction.
Finally, we couldn’t leave outside common functions like the mint token function and the blacklist function. These functions might be used maliciously by the project owner to turn the contract into a ‘honeypot’, meaning no-one can sell any tokens. If you find these functions in the smart contract of a token you are looking to invest in be very cautious and make sure you understand why they exist.
Automated Smart Contract Audits
If you are not familiar with programming and you are looking to review a smart contract without an audit report there are a few free tools you can use. One of the most common smart contract audit software used by investors to do a quick security analysis is Cyberscan.
The software is pretty easy to use, all you need to do is type the smart contract address you want to analyse, select the blockchain network from the dropdown, and press “Search”. You will then get to see a full report from the desired smart contract, as well as some key indicators like if the contract ownership was renounced or if the contract contains any common exploits (like blacklist or mint function). Finally, you can check the similarity of the code of your contract versus popular forks. This will help you understand if it’s minted from a specific platform and how unique it is.
Top Smart Contract Audit Companies
Performing your own security audit of your contract or using free software tools available out there, is by no means a replacement for hiring an experienced cyber security company. These companies employ experienced professionals with many years of experience under their belt that will help you make sure you didn’t miss anything.
However, there are dozens of companies out there performing smart contract audits, how do you choose one? We’ve put together a list of the best smart contract audit firms, separating them into two tiers, premium smart contract audit companies that have higher pricing and are working with top market cap projects and standard smart contract audit companies that offer more affordable rates for cryptocurrency projects that are just starting out.
Premium Tier Audits
Founded in 2018 and recently crowned as a 2-times unicorn, Certik is the biggest name in the auditing space. Certik’s founding team consists of professors from Columbia and Yale, and has introduced a number of innovations in blockchain security, utilizing best-in-class Formal Verification and AI technology to secure and monitor blockchains, smart contracts, and Web3 apps.
Certik is funded by world-class investors like Binance, Sequoia and Goldman Sachs and claims to have protected over $300 billion worth of crypto assets for 2,500 enterprise clients through its auditing and fraud investigation services, among other offerings.
HashEx was founded in 2017 and since then they have conducted over 700 audits. The company claims to have prevented the loss of over $2 billion worth of assets and has developed a number of tools for crypto investors like AnalytEx and CryptEx.
HashEx also offers consulting services and smart contract development to projects that need a 360 solution. Some of their notable audits include SafeMoon, TraderJoe and ApeSwap among others.
Another notable company in the industry is Hacken. It was founded in 2017 in Kyiv by a group of security specialists and hackers to deliver cybersecurity solutions to companies.
Hacken has worked with more than 300 businesses and is also offering penetration testing and bug bounty services. Some of their clients include 1inch Exchange, VeChain and OneLedger.
Standard Tier Audits
Cyberscope is one of the leading auditing and AML firms in the blockchain industry. Having worked with more than 900 crypto projects, it has become the number one trusted cyber security firm on all major launchpads like PinkSale, Unicrypt and DxSale.
Cyberscope’s team consists of world-class cyber security experts and anti-fraud professionals that are well-versed in the latest information security best practices. The company also offers popular software tools for free to crypto investors, like Cyberscan and Safescan.
Solidproof is a Germany-based audit firm whose audit reports are widely recognised and accepted across the industry. They have worked with more than 400 projects in the blockchain industry.
Solidproof, like Cyberscope, also offers KYC services to project owners and developers.
3. Solidity Finance
Solidity Finance was founded in 2020 and is another popular audit firm. They employ a team of experienced solidity smart contract auditors that can perform audits for tokens, NFTs, crowdsales, marketplaces, gambling games, financial protocols, and more. They claim to leverage a combination of static analysis, automated tools, and a robust manual review process to provide industry-leading security recommendations to project teams.
Unlike Cyberscope and Solidproof, Solidity Finance does not offer KYC services to projects yet.
How Much Does A Smart Contract Audit Cost?
A smart contract audit can set you back from a few hundred dollars to a few hundred thousand depending on the complexity of your smart contract. Auditors will usually give you a personalised quote based on your contract complexity, the number of lines of code and the business logic behind it.
Albeit it might appear expensive to new project owners, a smart contract audit should be considered an investment rather than a cost. Smart contract audits will attract more investors to the project and make sure the funds that are involved in the transactions are safe. A lot of new cryptocurrency projects are aware of this and use the audits as the pillar to their marketing strategy helping them attract investors early on, as they are able to assure them that the contract will be SAFU.
In this (not so short) guide we covered all the aspects that you need to know about smart contract security audits. It’s become clear that they add a new form of assurance that the code will work as intended before it is deployed, which protects investors and other stakeholders. The service improves the trust in smart contracts that have traditionally been surrounded by distrust because of breaches in security and hacks.
Smart contract auditing services can also promote compliance with laws and regulations protecting investors as well as users from certain industries from illegal activities. There’s no shortage of auditors that perform smart contract audits, all with different scopes, levels of expertise, and price ranges. If you are considering utilizing a smart contract auditor for your ICO or future project, you’ll want to be sure to fully understand the scope of their audit, how much it costs and what to expect from the audit process itself.