Smart contract audits

Published on 20 November 2022 at 09:30

When it comes to crypto, security is one of the most important things to look at. The fact that crypto is decentralized can be seen as a positive by many. However, there are also many risks when investing in crypto.

When something goes wrong, it cannot be reversed. Blockchain is immutable, meaning that once a transaction is verified on the blockchain, it cannot be changed. Scammers can also remain largely anonymous because of the blockchain.

To help people avoid falling for scams, smart contract audits were created. Such an audit gives a smart contract a sort of seal of approval that signals you can trust the project (but is that really the case?).


Smart contract quick overview

A smart contract is a programmed contract whose agreements between parties are recorded in computer code on the blockchain. A smart contract consists of preset terms and conditions. If these conditions are met, the contract executes itself. No third-party intermediary is needed for this. Any party can see the code, but it cannot be modified once it is on the blockchain. Execution is completely automatic.

Many crypto projects use smart contracts. In this way you no longer need intermediaries, and everything works in a completely decentralized way. The smart contract itself determines whether a transaction can be executed, not a middleman. Smart contracts therefore make it possible to operate in a fully decentralized manner.

Of course it is important that these smart contracts - and therefore the programming code - are programmed safely and correctly. If there is a mistake in the smart contract code, there is a good chance that people will lose their money.

One example is a scammer inserting clever code into a smart contract that makes you transfer money to them instead of to the person you intended to pay. It is also possible that, by using such a smart contract, you give the scammers access to your wallet. Scammers and skilled programmers can therefore loot a lot of money by programming smart contracts cleverly. And that is where smart contract auditing comes into play.

What is a smart contract audit?
Smart contract auditing is a way of assessing the legitimacy and security of a smart contract. Such an audit is usually done by a company that specializes in this. The company audits the entire code of the smart contract, looking for errors and weaknesses. By doing this, they aim to establish that the code of the smart contract is secure and legitimate.

The process of a smart contract audit
There are several steps in a smart contract audit: testing, automatic analysis, manual analysis and finally the report. Automatic and manual analysis are not always both performed: sometimes only an automatic analysis is done, sometimes only a manual one, but often both.

  • Testing

In this step, the smart contract is tested by running transactions through it. This removes the first, most obvious errors.

The line of coverage is used for this purpose. It indicates what percentage of the code can be executed before the first error occurs. Smart contract code consists of dozens and sometimes hundreds of lines of code. Suppose a smart contract has 100 lines of code. If an error occurs on line 55, the line of coverage is 55%: when executing the smart contract, no error is detected until 55% of the code has run.

We want to get to a line of coverage of 100%. Then you can be sure it's right. But a line of coverage of 85% - 90% is not bad either. Even then, the smart contract can work well.

  • Automatic analysis

When the testing phase is completed and the line of coverage is known, an automatic analysis is performed on the smart contract code to detect other errors. When hundreds of audits have to be done, automatic analysis is a good alternative. Software for such automatic analysis can be found on GitHub, but larger parties have often developed their own tooling.

  • Manual analysis

After the automatic analysis is completed, you can choose to actually check some smart contracts by hand. Whether this is chosen depends on the company.

This phase speaks for itself. Experts examine the entire code of the smart contract and look for errors. These experts know exactly how the code works, so that, in theory, they can find all the errors. It remains human work, however, and mistakes can be made. This phase is often combined with an automatic analysis.

  • The final report

When all tests and analyses have been done, a final report can be drawn up. This step also speaks for itself. The report contains all the findings and the blockchain company knows where errors lie.
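As an added illustration (not code from this article or from any auditing company), here is a toy version of the "automatic analysis" step: a Python pass that applies a few line-based rules to a constructed Solidity contract and produces the kind of findings that end up in the final report. The contract, the rule names and the analyse function are all assumed for the demo; real analysis tools work on the compiler's AST rather than on regexes.

```python
"""Toy 'automatic analysis' pass over Solidity: line regexes only, a real tool uses the compiler AST."""
import re
# One-line rules: (name, pattern, what the audit report would say)
RULES = [
    ("tx-origin-auth", re.compile(r"\btx\.origin\b"), "tx.origin used for access control; check msg.sender"),
    ("selfdestruct", re.compile(r"\bselfdestruct\s*\("), "contract can be destroyed; verify who may call this"),
]

def analyse(source: str) -> list[tuple[int, str, str]]:
    """Return (line, rule, detail) findings; the call/reentrancy checks track the enclosing function."""
    findings, depth, func_depth, call_line = [], 0, None, None
    for no, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]  # drop trailing comments (naive: also cuts "//" inside strings)
        for name, pattern, detail in RULES:
            if pattern.search(code):
                findings.append((no, name, detail))
        if re.search(r"\bfunction\s+\w+", code):  # entering a function body
            func_depth, call_line = depth, None
        call = re.search(r"\.call\s*[{(]", code)
        if call:
            # nothing before ".call" assigns, checks or returns its result: success flag discarded
            if not re.search(r"=|\b(require|assert|if)\s*\(|\breturn\b", code[:call.start()]):
                findings.append((no, "unchecked-call", "low-level call whose success flag is discarded"))
            call_line = call_line or no  # remember the first external call in this function
        elif call_line is not None and re.search(r"\]\s*(-=|\+=|=(?!=))", code):
            findings.append((no, "reentrancy", f"storage written after external call on line {call_line}"))
            call_line = None
        depth += code.count("{") - code.count("}")
        if func_depth is not None and depth <= func_depth:  # closing brace of the function
            func_depth, call_line = None, None
    return findings

# Constructed vulnerable contract for the demo (not from any real project)
SAMPLE = """\
pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    address public owner;
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;   // effect after interaction
    }
    function sweep() external {
        require(tx.origin == owner, "not owner");
        payable(owner).call{value: address(this).balance}("");
    }
}
"""
```

Running `analyse(SAMPLE)` reports the reentrancy shape on line 9, the tx.origin check on line 12 and the discarded call result on line 13; moving the balance update above the external call makes the reentrancy finding disappear.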

Why is an audit so important?
A smart contract audit is important for all parties involved. Not only for the blockchain company itself, but also for the potential users of the project and interested parties.

For the potential user, it goes without saying that an audit is important. If an audit has been done, they can assume that the smart contract is secure and legitimate. This also allows potential investors to choose to use only audited smart contracts, which already lets you differentiate between the types of smart contracts (legitimate versus not legitimate).

For the developers and creators of the blockchain project, an audit is important. These developers can have the best intentions in the code for their smart contract, but they can still make mistakes. After all, they are still human beings. They don't want to rip off their users and want to do everything they can to prevent this from happening. An audit is a great help in that regard. By having an audit done, certain errors can be taken out so that their smart contract code is error-free. This also increases confidence in the project itself.

Is smart contract auditing the holy grail?

A legitimate-looking smart contract with a completed audit does not immediately mean that the whole project is legitimate. Scammers often use audits to gain investors' confidence and then run away with the investors' money. A rug pull is still possible; an audit does not prevent it. It is therefore wise not to rely blindly on a smart contract audit, but to consider the entire project. A thorough investigation includes more than just the smart contract audit. Even if the smart contract is legitimate and secure, an investment is risky when there are many red flags in other parts of the project.

FTX debacle

The FTX bankruptcy is a good example of a project that had been audited, yet was afterwards found to be flawed in many respects.

The court filings of the FTX bankruptcy state the following:

The FTX Group received audit opinions on consolidated financial statements for two of the Silos – the WRS Silo and the Dotcom Silo – for the period ended December 31, 2021. The audit firm for the WRS Silo, Armanino LLP, was a firm with which I am professionally familiar. The audit firm for the Dotcom Silo was Prager Metis, a firm with which I am not familiar and whose website indicates that they are the “first-ever CPA firm to officially open its Metaverse headquarters in the metaverse platform Decentraland.”

Even though the company was audited by an outside party, that does not necessarily mean the project is legit. The FTX bankruptcy should remind you of that!

Examples of auditing companies

  • CertiK;
  • Consensys;
  • OpenZeppelin.
