Smart contract security audits are manual reviews of code conducted by security professionals that highlight vulnerabilities in a project’s code base. Auditors use both manual review techniques and automated tools to detect and evaluate potential security weaknesses, although exact processes vary by auditing firm. Audits are considered the final and most critical step in ensuring the security and reliability of a project’s smart contract code, and upon completion, outline any issues discovered and recommended remediation steps in an often public report. In high-risk Decentralized Finance (DeFi) ecosystems, these audits are essential as they can directly impact investor confidence and participation in a DeFi project.
With the increasing popularity of DeFi platforms and the potential for significant financial losses due to security breaches, smart contract security audits have become more important than ever for building a secure and trustworthy DeFi ecosystem. They are a critical component of demonstrating good security health, building trust within the DeFi community, and ensuring the continued growth and success of the ecosystem.
This article will evaluate the general process followed by most auditing firms.
But first…
What is a Smart Contract?
A smart contract is a self-executing computer program that automatically enforces the terms of an agreement between two or more parties. Smart contracts are typically written on a blockchain platform, allowing for decentralized and immutable record-keeping of the contract’s execution. A smart contract’s code contains a set of rules and conditions that the parties agree to, which, upon completion, executes automatically. Smart contracts are used for various applications, including finance, real estate, supply chain management, and more. Because they are transparent, secure, and operate without intermediaries, smart contracts have the potential to streamline business processes, reduce costs, and increase trust between parties.
One use case of smart contracts is automating the transfer of funds between two parties when certain conditions are met, such as when a product is delivered or a service is completed. The smart contract, in this case, would automatically verify that the set conditions were met and then execute the transfer of funds without needing a third-party intermediary.
Because the use cases for smart contracts are infinite, audits become even more critical, as they represent the final stage a project has to go through before they are stamped as ‘safe to use’ for the masses.
What are the Main Stages of Security Audits?
The first step in the process is the audit request, where the project requesting the audit submits its code and contract definition to the auditing team. Once that is done, auditing teams follow a 5-step process:
- Planning: Establish a clear understanding of the smart contract’s purpose, scope, and technical requirements.
- Execution: This is where the actual audit is carried out. The auditor will review the smart contract’s code, dependencies, and interactions with other contracts and systems.
- Reporting: Produce a detailed report outlining any issues discovered and recommended remediation steps. The report may include an assessment of the risk associated with each vulnerability and its potential impact.
- Remediation: Collaborate with the smart contract development team to address the vulnerabilities identified in the report by updating code, improving the architecture, or implementing additional security controls.
- Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
By following these six steps, auditors attempt to ensure that the project they are auditing is safe from every angle. However, even with that, there are still gaps in audits, leaving most larger projects paying multiple auditors to loop through steps 2–4 several times, replicating the writing/editing process (where authors tend to create various drafts and incorporate feedback on each into the following one).
But Why Do Smart Contract Audits Matter?
Audits are essential given the significant amount of money that passes through smart contracts. Even minor programming errors can result in substantial financial losses, making them attractive targets for malicious actors, as demonstrated by the 2022 Rari Capital & Fei Protocol, where over $80 million in cryptocurrency was stolen via a relatively common reentrancy vulnerability.
Smart contract audits are necessary for many crypto investors when considering new DeFi ventures. Therefore, as a project owner, it is crucial to understand how to prove good security health to investors through a robust security audit since most credible projects have made it the standard. Additionally, choosing a reputable and experienced auditor is also vital since potential investors may value some businesses’ audits more highly than others.
Given the irreversible nature of blockchain transactions, a project’s code must be secure. It is crucial to prevent any potential flaws due to the difficulty of retrieving funds and addressing issues that may arise. Due to blockchain technology’s high level of protection, it is advisable to focus on ensuring that the code is secure from the outset instead of after deployment on the mainnet.
I Understand Everything up to Here, but How do Audits Work on a Deeper Level?
Below is a breakdown of each of the five steps mentioned above.
1. Planning: Specifications Agreement
The auditor’s first and most important job is to understand the purpose of the smart contract being audited: not only does every line of code need to function, but it needs to function properly to execute what is specified. That is why the smart contract description and accompanying documentation that auditors can view is key, as it provides a comprehensive explanation of a project’s structure, development framework, and design choices. The specification is frequently also explained in the project’s README file, and on occasion, the code is described in whitepapers and docstrings as well, so they are also helpful for auditors. However, none of these can take the place of the detailed requirements, which explains the project function and goals to auditors.
After developers are confident that there are no more bugs or errors, a “code freeze” is implemented, where the developers have finalized the smart contract’s code. At this point, the developers must certify that no further changes will be made to the code beyond this point to pass the audit. By providing the commit hash and certification, developers and auditors agree that the code being audited is the final version the developers intend to release.
2. Execution: Code Review & Security Testing
The execution phase is where the actual testing and analysis of the smart contract code takes place. During this phase, the auditor uses manual and automated techniques to verify the smart contract’s correctness, security, and functionality.
The auditor begins the process by manually reviewing the smart contract’s code and dependencies to identify potential vulnerabilities or bugs. During this initial review, they also check for any deviations from the specification that might indicate errors or inconsistencies. Once the auditor has ensured the contract runs as planned or has documented where the contract errs, the auditor begins the testing phase.
The testing phase involves
- running the smart contract on a local development network or a test network,
- simulating a real-world environment, and
- carrying out various tests to verify its functionality and security.
During this phase, the auditor checks for vulnerabilities such as reentrancy, access control and other common smart contract security issues. However, the overall breadth of the testing conducted includes unit testing, integration testing, functional testing, security testing, performance testing, and user acceptance testing, the combination of which ensures that the contract is secure and interacts with users, functions, and acts as intended.
Throughout the execution stage, auditors use automated tools to detect security vulnerabilities, syntax errors, and other coding mistakes that could impact the contract’s security and performance. Code analysis tools specifically are frequently employed to detect bugs in the contract code and any of the contract’s dependencies, such as external libraries.
The final variable auditors test for during execution is the contract’s performance, ensuring it has the lowest resource consumption possible and the fastest execution time. In addition to efficiency maximization, auditors also simulate network congestion, high transaction volumes, or denial-of-service attacks during the testing phase to verify that the smart contract can handle such situations.
3. Reporting
With the testing phase complete, the auditor generates a report that includes all the findings and recommendations for mitigating the identified issues. The report serves as a summary of the audit results, describing any issues that were found and providing recommendations for how to address those issues.
While the exact structure of the report varies by firm, all audit reports include a summary of the audit process, a description of the smart contract and its purpose, and an explanation of any issues identified during the audit. Additionally, auditors classify the severity and potential impact of the issues identified near the top of their report, allowing the project owner to prioritize what to address first.
The report may also provide recommendations for how to address the issues. Recommendations include suggesting changes to the smart contract code, recommending best practices for improving security, or providing other guidance on improving the contract’s functionality.
4–5. Remediation & Follow-Up
Once the report is completed and sent back to the project owner, the development team begins remediating the issues discovered by the auditor. At this point, a call is often scheduled between the two parties to discuss the results and clarify anything beyond the report itself.
Once the development team remediates the code specified by the auditor, the project chooses between ordering an additional audit cycle or polishing up the report. If the former is chosen, a completely new audit cycle is conducted from step 2 forward. If the latter is chosen, a finalized report is made public disclosing the auditor’s findings and the project’s actions taken to prevent the issue from having an effect. While not required formally, it is security best practice to obtain an additional audit cycle if introducing new code to the project being audited. Not doing so can leave a project easily susceptible to a large exploit, as exhibited by the Nomad protocol after their Quanstamp audit, when over $190 million in crypto was stolen from their bridge via an obvious unaudited code flaw.
Conclusion
Smart contract audits are currently essential to ensuring the security and reliability of a project’s source code. Because smart contracts often manage significant amounts of value and execute irreversible actions, all vulnerabilities and bugs prove potentially disastrous. An audit can help identify these issues before they can be exploited, providing confidence to investors and users in the safety and soundness of the contract. Additionally, smart contract audits can identify code improvement areas, helping developers refine and enhance the contract’s functionality and making it cheaper to operate for investors.
However, while audits are beneficial, they are not enough: 25 of the top 70 protocols exploited have been audited according to the Rekt leaderboard. Just like in the early days of web2, leaving security for the last minute has proven costly and cannot be the only option as the space advances. That is why Olympix.ai has developed an instant code-analysis tool that focuses on securing code as it’s written, guiding developers through code security during the entire lifecycle of their project.
