From NFTs to DAOs, DeFi, and dApps, web3 runs on smart contracts and can only be as secure as the smart contracts themselves. Smart contract audits are an essential tool for providing that security. We’ll explain them here.
First, let’s review what smart contracts are, how they operate, and why they’re used.
What are smart contracts and how do they work?
Smart contracts are programs that execute on a blockchain under conditions specified by the code. They enable transactions without a middleman. For example, a smart contract can enable you to buy crypto directly from another crypto owner without intermediaries whenever its parameters are met.
A smart contract might specify that if a user directs it to send a specified amount of crypto to another user, the code would first take a series of steps to verify that user's credentials. If that checks out, it would then send the coins. The blockchain makes a permanent, immutable record of the transaction.
A key thing to remember about smart contracts: They can’t be altered or deleted once they are operating on the blockchain. That’s why it’s so important that they work exactly as intended and not offer any opportunity for bad actors.
What is a smart contract audit?
A smart contract audit searches for any design problems, reviews the contract’s code, and probes for any security vulnerabilities. A thorough audit will usually involve a round of checking with automated tools, followed by manual code review to find any remaining problems.
Smart contract audits should be conducted by an independent organization. In-house audits, while necessary, are not enough. You need fresh eyes on your code and auditing expertise. That ensures a comprehensive audit that proceeds logically through all testing phases to identify any problems that could lead to a security breach.
Why you need a smart contract audit
Blockchains, especially well-tested layer 1 blockchains like Ethereum, are typically secure. The problem is that the smart contracts that run on them are vulnerable to hacks. This vulnerability goes back to The DAO hack of 2016, in which code vulnerabilities in The DAO wallet enabled a $60 million theft of ether.
The web3 ecosystem is still developing, and smart contracts implement a kind of distributed system that poses unique security challenges. This is why smart contract audits are vital. Any code problems in a smart contract need to be identified and resolved prior to launch.
Automated tools aren’t enough
Automated tools are great, but they can’t detect every security problem in smart contracts. In a review of all its smart-contract audits, Trail of Bits found that half of the security flaws detected were unlikely to ever be found by automated tools. A manual smart contract review by experienced human auditors was needed to ensure all coding issues were resolved.
Audit preparation checklist
To work efficiently with your auditors, it helps to have a checklist of actions that should be completed before the audit begins. In some cases, such as in a DAO, hundreds of people may collaborate in the formative stages of creating a new smart contract–but eventually, a core team needs to take responsibility for testing and implementation.
Typical audit readiness checklist items include:
- The oversight team has been chosen.
- The team has established their development process and appointed a leader.
- A community that will support this contract is identified and their needs assessed.
- A free software license is selected.
- An approach to developing clean, modular, readable code is agreed upon.
- A complete test suite is built for in-house testing.
- Code is finalized.
Once the smart contract code is frozen, documentation must be reviewed to make sure it’s complete and ready for the auditors.
Besides simply reviewing code, auditors will want context for this project. What problem is this smart contract intended to solve, and how does it accomplish that? What design choices did the team make and why?
Beyond the usual README file, there should be complete documentation of every function, event, and variable included in the contract’s public API. If there’s complex functionality, inline comments should explain those operations. Automated tools for generating external documentation based on the inline comments should be enabled.
Finally, if the smart contract will receive on-chain upgrades, there needs to be documentation for how the deployment process should work.
Initial in-house testing
Before outside auditors review the smart contract, the team should do its own tests. Testing should cover as much of the code as possible.
Once any errors or problems turned up in the in-house testing are resolved, it’s time to hire outside auditors to conduct additional testing. Your team has been looking at this code so long that it can be easy to miss problems. Outside eyes are needed to make sure your smart contract is airtight and will execute its commands exactly as intended.
Criteria for selecting an auditor
How do you know an auditor is a fit for your project? The team should ask about:
- Experience–Has this auditor worked on similar smart contracts?
- Personnel–How many members of the audit team have done manual code review, and what is their experience?
- Terms and timing–Is the auditor available to complete work when you need it done, and priced within your budget?
- Scope–Can you agree on the scope of the audit?
- Readiness–Does the auditor believe the contract code and supporting documentation appear ready for the audit to begin?
Once you find an outside auditor that meets your requirements, the smart contract audit usually plays out in several phases.
Basic steps of smart contract audits
A good smart contract audit proceeds in an orderly fashion through a predictable set of steps. Performing these steps in order helps ensure no flaws are missed.
1. Employ automated tools
The auditors will first test using automated symbolic execution tools. These tools are designed to determine what commands or inputs will cause each action defined in the contract to execute.
This testing phase will often turn up possible false positives. These incidents need to be investigated to confirm if they are indeed false positives or actual problems that must be addressed.
2. Manually analyze code
Once automated testing is complete, the auditors move to manually analyze the smart contract’s code. This is a critical stage of review since automation usually won’t catch all errors.
3. Issue report
When both the automated and manual phases of the smart contract audit are complete, the auditing firm will compile and issue a report to the team. The report should detail all the possible design flaws or coding errors that could cause problems or pose security risks when the smart contract is deployed.
4. Create action plan
The team reviews the audit report and decides on next steps. How will problems be fixed and who will be responsible? A written action plan should specify each issue that needs attention before the smart contract can be deployed. Team members receive assignments and work on fixes.
5. Review changes
Once updates are made and in-house testing shows the improvements have resolved the problems, the auditors will re-test the contract to verify the contract now works as intended and security loopholes have been closed. If not, the team continues its work until the auditors’ testing reveals all security issues are now fixed and the contract is operating as intended.
6. Final audit report
The results of any additional auditor testing are delivered to the team in a finalized audit report. Hopefully, at this point all problems have been resolved and the smart contract can be implemented on the blockchain.
To build user confidence, many projects make this final audit report public. Displaying complete transparency in sharing your security process helps reassure users your team can be trusted to build smart contracts that can be relied upon for financial transactions.
Don’t launch without an independent smart contract audit
It can be tempting to rely on in-house testing tools and rush a new smart contract into production, but that can leave the door open for hackers. In-house testing simply isn’t enough to make sure users’ assets are protected.
Hiring an outside auditor for your smart contract audit is the best practice. This isn’t a step to skip, given the value of crypto assets controlled by smart contracts. A final report from an outside auditor that you make public is a necessary step for smart contract developers to foster trust with their users.