What is a Smart Contract Security Audit?

Virag Mody - Authio, COO
March 16, 2018

The development of blockchain technology has been exciting to follow. Over the past decade, the community has evolved from a group of individuals working on a theoretical concept to over 1,500 coins and tokens listed on CoinMarketCap with undoubtedly more in existence. This exciting revolution, jump-started by Bitcoin, hit an inflection point when Vitalik Buterin launched the Ethereum blockchain in mid-2015. Where Bitcoin is the first protocol to leverage the decentralized, trustless, and cryptographically secure blockchain for payments (did I win Buzzword Bingo?), Ethereum is that and so much more. It’s a decentralized platform built to run smart contracts using a Turing-complete scripting language. To put this in more layman’s terms, Ethereum allows for creative and innovative developers to build applications, which enable novel behaviors on existing blockchain infrastructure via smart contracts. This is a huge deal for the crypto community, as any skilled developer can now leverage already-existing blockchain infrastructure in building dApps! Ethereum ushered in an era of exponential growth in crypto-valuation and community engagement. Out came curious developers, as they did during the dot-com bubble, to tinker with this bleeding-edge technology and expand the crypto ecosystem in a hundred different directions.

However, there is no rose without thorns. The crypto-investment craze around November, 2017 launched cryptocurrency’s market capitalization to astounding heights. With it came a mania of investment, speculation, FUD (fear, uncertainty, and doubt), shilling, and truly “dumb money.” However, these characteristics are not unique to crypto and to some extent should be expected. Periods of speculative and emotional trading, inflated prices, and massive influxes of new market entrants have occurred for centuries. We can thank the Dutch for kicking it off. But in the madness, a key element of the ecosystem is being muted — Security.

To understand what I’m getting at, recall that users interact with the Ethereum blockchain through Smart Contracts, pieces of immutable and automatically executing code that allow value and data to be transferred without the oversight of a centralized party. Technically speaking,

A smart contract is a computer protocol intended to digitally facilitate, verify, or enforce the negotiation or performance of a contract.

The important thing to note about smart contracts is their immutability. This means that once they are live and published to an address, the contract code cannot be modified or corrected in any way. This poses a problem: what if there is a flaw in the code? With the amount of Ether flowing through contract addresses, any single flaw could prove disastrous to the unsuspecting, enthusiastic crypto-user. I want to take a moment to think this through by providing some true-to-life vulnerabilities found in crowdsales:

  • Crowdsale cannot be refunded and Ether will remain in a locked state, inaccessible to any agent
  • More coins can be minted than the set amount, diluting the value of the asset
  • The entire crowdsale can be refunded by anyone, voiding the sale and destroying the reputability of the project
  • ETH to USD conversion rate can be tampered with during the crowdsale, allowing a malicious contract owner to manipulate conversion rates and dupe participants out of their allocated coins.
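
As an added illustration (not code from this article or from any audited project), the sketch below puts the four flaw classes listed above into one deliberately weak crowdsale next to a hardened version. All contract, function, and variable names are hypothetical, and Solidity 0.8 is assumed.

```solidity
pragma solidity ^0.8.0;
// Constructed illustration; every contract and function name is hypothetical.
contract WeakSale {
    uint256 public constant CAP = 1_000_000 ether; // intended maximum supply
    address public owner = msg.sender;
    uint256 public rate = 1000;                    // token units per wei
    uint256 public totalSupply;
    bool public refunding;
    mapping(address => uint256) public balance;
    function buy() external payable {
        uint256 tokens = msg.value * rate;
        totalSupply += tokens;                     // flaw: CAP is never enforced
        balance[msg.sender] += tokens;
    }
    // flaws: owner can change the rate mid-sale; anyone can flip refunds; no payout path exists
    function setRate(uint256 r) external { require(msg.sender == owner); rate = r; }
    function enableRefunds() external { refunding = true; }
}
contract HardenedSale {
    uint256 public constant CAP = 1_000_000 ether;
    address public immutable owner;
    uint256 public immutable rate;                 // fixed at deployment
    uint256 public immutable goal;                 // minimum raise, in wei
    uint256 public immutable deadline;             // sale end, unix time
    uint256 public totalSupply;
    uint256 public raised;
    mapping(address => uint256) public balance;
    mapping(address => uint256) public paid;
    constructor(uint256 r, uint256 g, uint256 d) { owner = msg.sender; rate = r; goal = g; deadline = d; }
    function buy() external payable {
        require(block.timestamp < deadline, "sale closed");
        uint256 tokens = msg.value * rate;
        require(totalSupply + tokens <= CAP, "cap exceeded");
        totalSupply += tokens; balance[msg.sender] += tokens;
        raised += msg.value;   paid[msg.sender] += msg.value;
    }
    function claimRefund() external {              // failed sale: each buyer reclaims only their own deposit
        require(block.timestamp >= deadline && raised < goal, "no refund due");
        uint256 amount = paid[msg.sender];
        paid[msg.sender] = 0;                      // clear state before sending Ether
        totalSupply -= balance[msg.sender]; balance[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
    function withdraw() external {                 // successful sale: funds are not stranded
        require(msg.sender == owner && block.timestamp >= deadline && raised >= goal, "not allowed");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```

Because deployed code cannot be patched, each `require` in the hardened version has to be right before deployment; these are the kinds of conditions an audit checks line by line.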

I hope this begins to give you some idea of the amount of value that can be at risk. Solidity is not an easy language and is filled with quirky behavior that can seem correct at a cursory glance. An open-source blockchain platform revolves around writing smart contracts and dictating how data and value are received and sent, dependent on set criteria and inputs. Most members of the community are not developers. Fewer understand the finer details of Solidity. Even fewer have the time to comb through each contract they interact with to ensure security and identify malicious threats. We are putting our trust in the hands of a minute fraction of people when we send billions of USD in value through transactions, and that is dangerous.

But not all is doom-and-gloom. Blockchain is not destined for failure and you should not anxiously sweat over the thought of sending Ether to a contract address. The crypto-community has not been fully dormant to these issues; they recognize the challenge here. In its niche place, auditing has flourished as a means to facilitate a more secure ecosystem for blockchain. To give a more formal definition of an audit:

An audit is a scanning of a smart contract script for vulnerabilities, exploitative features, and inefficiencies to provide security against malicious actors and oversight, as well as adding a layer of trust and safety between project and community.

Audits are vital to the progression of blockchain implementation and adoption. A second pair of eyes, trained to view code through the lens of an auditor, is absolutely necessary to secure against losses of funds, value, and/or data on behalf of the people that cannot. The fewer hacks, thefts, and malicious acts that propagate through mainstream news spreading FUD, the more legitimate blockchain will seem, and we will see quicker adoption.

However, we have a long way to go. There are few standards in auditing. Auditors need to be even more vigilant than project developers. Both passive community participants and project members need to respect what auditors bring to the table. Community members need to be engaged with auditors and demand security standards of the coins/tokens they purchase. There is much work that needs to be done in this space, and with time, we hope blockchain development will become more standardized and teams will be able to follow established security protocols to ensure the safety of the funds their users entrust them with.

In the next article, I will go into further depth about the necessity of audits, including what is at stake, perspective on its importance for developers as well as community members, notable examples of failures, and more.