Introduction to Auditing and our smart contract audit process

1. What are smart contract audits?

A smart contract audit is a thorough investigation and examination of a smart contract’s code. An audit aims to uncover any errors, vulnerabilities and security issues and provide remediation or suggestions on how they can be addressed.

  • Analyse the code for common errors (variable types errors, compilation errors etc.)

2. Types of auditing

There are two types of auditing that are used to check smart contract code. A well rounded audit will consist of both:

3. The benefits of auditing

Benefit Reason Risk Identification Highlighting any security issues in the contract before it is launch on the blockchain. This can then be address proactively before any serious issues arise (ie. exploits). Code Improvements Checking the quality of the code including adherence to best practices ensures that code is easily readable and maintainable. It also helps to produce a more secure and robust contract. Gas Optimisation An audit can check to see how efficient the contract is with gas and help to provide solutions to improve gas costs. Performance Checking contract executions and any variations that may occur can check for possible unintended outcomes that may arise and to enhance performance Credibility Showing that your contract has passed an audit can offer some credibility to users that the contract is working as intended (however this should not be taken as a guarantee) Compliance A smart contract may need an audit as part of compliance on performing regulated activity(Cryptoassets: AML/CFT regime)

4. Common exploits

Reentrancy

function withdraw(uint256 amount) public returns (uint256) { require(amount <= balance[msg.sender]); require(msg.sender.call.value(amount)());
balance[msg.sender] -= amount;
return balance[msg.sender];
}
function reentrancyAttack() public payable { targetAddress.withdraw(amount); 
}
function () public payable {
if(address(targetAddress).balance >= amount) { targetAddress.withdraw(amount);
}
}
mapping(address => uint256) public balance; function transfer(address _recipient, uint256 _amount) { require(balance[msg.sender] >= _amount); 
balance[msg.sender]-= _amount;
balance[_recipient] += _amount;
}
contract Auctioneer { uint256 currentHighestBid; 
address currentHighestBidder;
function bid() payable {
//new value check
require(msg.value > currentHighestBid);
//return funds require(currentHighestBidder.send(currentHighestBid)); //modify higher bidder information
currentHighestBidder = msg.sender;
currentHighestBid = msg.value;
}
}

5. Our auditing process

  1. Review source code and scope of the audit and agree timescale and price
  2. Check the code manually to ensure that the logic is resistant to common attack vectors.
  3. Use tools to check the contracts for vulnerabilities.
  4. Debrief with team to discuss findings.
  5. Creation of an audit report that highlights any security risk to the project and its users and recommend remediation.

What we look for during an audit

Sound architecture

Gas Optimisation

Gas optimisation is an important part of an efficient smart contract. We check the current gas consumption of the smart contracts to ensure that they waste as little gas as possible to reduce operational costs.

//SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;

contract multiplication {

uint256 amount = 13;
uint256 newAmount;

function multiplyAmount(uint256 multiplyBy) external {
uint256 multipliedAmount;
for (uint256 ii = 0; ii < multiplyBy; ii++) {
multipliedAmount += amount;
}
newAmount = multipliedAmount;
}

function getNewAmount() public view returns (uint256) {
return newAmount;
}
}
struct myStruct {
uint64 number1;
uint128 number2;
uint256 number3;
uint64 number4;
}
struct myStruct { 
uint64 number1;
uint64 number4;
uint128 number2;
uint256 number3;
}
string[7] daysOfTheWeek;
uint256 randomNumber = 0; 
uint256 randomNumber;
import ‘./SafeMath.sol’ as safeMath;contract SafeCalculations { function computeSubtraction(uint256 x, uint256 y) public view returns(uint256) { 
return safeMath.sub(x, y);
}
}

Tools we use to support our process

There are a range of tools that can be used to aid in the analysis of smart contracts. Some of the tools we use:

Timescales

This will vary upon the scope of the audit and the complexity of the project. For a small audit (less complex) normally 1–2 weeks. For a larger audit (more complex) normally 2–4 weeks. This will be agreed upon with the client in the initial scope of work.

6. Complimentary processes for ensuring code security

Regular Auditing

7. Disclaimer

Smart contract audits should not be taken as a security warranty as the total number of test cases are unlimited.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store