Smart contract security audits are reviews of a project’s code base, conducted by security professionals, that highlight vulnerabilities in that code. Auditors combine manual review techniques with automated tools to detect and evaluate potential security weaknesses, although the exact process varies by auditing firm. Audits are considered the final and most critical step in ensuring the security and reliability of a project’s smart contract code; upon completion, the auditors outline any issues discovered and the recommended remediation steps in a report that is often made public. In high-risk Decentralized Finance (DeFi) ecosystems, these audits are essential, as they directly affect investor confidence and participation in a DeFi project. With the increasing popularity of DeFi platforms and the potential for significant financial losses from security breaches, smart contract security audits have become more important than ever for building a secure and trustworthy DeFi ecosystem. They are a critical component of demonstrating good security health, building trust within the DeFi community, and ensuring the continued growth and success of the ecosystem.
This article will evaluate the general process followed by most auditing firms.
But first…
What is a Smart Contract?
A smart contract is a self-executing computer program that automatically enforces the terms of an agreement between two or more parties. Smart contracts are typically deployed on a blockchain platform, allowing for decentralized and immutable record-keeping of the contract’s execution. A smart contract’s code contains a set of rules and conditions that the parties agree to, and the contract executes automatically once those conditions are met. Smart contracts are used for various applications, including finance, real estate, supply chain management, and more. Because they are transparent, secure, and operate without intermediaries, smart contracts have the potential to streamline business processes, reduce costs, and increase trust between parties. One use case of smart contracts is automating the transfer of funds between two parties when certain conditions are met, such as when a product is delivered or a service is completed. The smart contract, in this case, would automatically verify that the set conditions were met and then execute the transfer of funds without needing a third-party intermediary. Because the use cases for smart contracts are practically unlimited, audits become even more critical, as they represent the final stage a project has to go through before it is stamped as ‘safe to use’ for the masses.
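To make the delivery use case concrete, here is an added example (not code from the original article) of a minimal conditional-payment contract in Solidity. The contract name, the deposit-at-deployment flow, and the single-buyer confirmation are assumptions; the comments point out the checks an auditor would look for in the Execution stage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: the buyer deposits ETH at deployment; the seller is
// paid only after the buyer confirms delivery. Names and flow are assumptions.
contract DeliveryEscrow {
    address public immutable buyer;
    address payable public immutable seller;
    bool public delivered;
    bool public released;

    event Delivered(address indexed by);
    event Released(address indexed to, uint256 amount);

    constructor(address payable _seller) payable {
        require(msg.value > 0, "deposit required");
        require(_seller != address(0), "bad seller");
        buyer = msg.sender;
        seller = _seller;
    }

    // Condition: only the buyer may attest that the product arrived.
    // Auditors check that this access control cannot be bypassed.
    function confirmDelivery() external {
        require(msg.sender == buyer, "only buyer");
        require(!delivered, "already confirmed");
        delivered = true;
        emit Delivered(msg.sender);
    }

    // Execution: anyone may trigger the payout, but only once the condition
    // holds and only once overall. State is updated before the external call
    // (checks-effects-interactions), a pattern auditors verify on every transfer.
    function release() external {
        require(delivered, "not delivered");
        require(!released, "already released");
        released = true;
        uint256 amount = address(this).balance;
        (bool ok, ) = seller.call{value: amount}("");
        require(ok, "transfer failed");
        emit Released(seller, amount);
    }
}
```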
What are the Main Stages of Security Audits?
The first step in the process is the audit request, where the project requesting the audit submits its code and contract definition to the auditing team. Once that is done, auditing teams follow a 5-step process:
Planning: Establish a clear understanding of the smart contract’s purpose, scope, and technical requirements.
Execution: This is where the actual audit is carried out. The auditor will review the smart contract’s code, dependencies, and interactions with other contracts and systems.
Reporting: Produce a detailed report outlining any issues discovered and recommended remediation steps. The report may include an assessment of the risk associated with each vulnerability and its potential impact.
Remediation: Collaborate with the smart contract development team to address the vulnerabilities identified in the report by updating code, improving the architecture, or implementing additional security controls.
Follow-up: Conduct a follow-up review to ensure that the remediation steps were effective and that the smart contract is now secure.
By following these six steps (the audit request plus the five stages above), auditors attempt to ensure that the project they are auditing is safe from every angle. Even so, gaps remain in audits, which leaves most larger projects paying multiple auditors to loop through steps 2–4 several times, mirroring the writing/editing process in which authors create several drafts and incorporate feedback on each into the next.
In Brief
Remitano suffered a $2.7M loss due to a private key compromise.
GAMBL’s recommendation system was exploited.
DAppSocial lost $530K due to a logic vulnerability.
Rocketswap’s private keys were inadvertently deployed on the server.
Hacks
Hacks Analysis
Huobi | Amount Lost: $8M
On September 24th, the Huobi Global exploit on the Ethereum Mainnet resulted in an $8 million loss due to the compromise of private keys. The attacker executed the attack in a single transaction by sending 4,999 ETH to a malicious contract. The attacker then created a second malicious contract and transferred 1,001 ETH to this new contract. Huobi has since confirmed that it has identified the attacker and has extended an offer of a 5% white hat bounty reward if the funds are returned to the exchange.