Virag Mody
Authio, CRO
March 16, 2018

Why is an Audit of Code Necessary? (2/2)

Purpose

I aim to provide some insight on the importance of smart contract security audits from the perspective of a project development team and community members. This article, like the last, will remain relatively high-level to appeal to the layman crypto user. The first part is directed at development teams while the second part is directed at anyone that interacts with a contract address (though I highly suggest both groups read both parts!)

_____________________________________________________________________________________________________________

In the previous article for this series, I talked in some depth about the current take on security in the blockchain space. Notably, security is currently under-emphasized as decentralized applications (dApps) are coded in immutable smart contracts, putting vast amounts of value at the mercy of some lines of code. I also introduced the Audit, a method of combating insecurities by looking through contracts with a fine-toothed comb for the express purpose of finding vulnerabilities. Here, I will expand on the topics covered in the last article (I implore you to read it if you have not!) but from the perspective of its value for project developers and general community members that interact with any contract address. This installment will concern itself with the community.

Dear Average Crypto User:

Your tokens/coins are important to you. They’re a valued asset, whether you’re hodling, using them to interact with a blockchain product, or participating in an exciting ICO that may take off in value and credibility. Your funds are the end-all-be-all for your interactions in the crypto space. And while you may feel powerless in this high-tech world, putting blind trust in the hands of a few, you have more clout than you may think.

Empowerment

Let me start with a message of empowerment. You, as a user, are a vital part of the health and survival of companies that look to public blockchain. In this direct-to-consumer world that blockchain will spearhead, you have the ability to raise a project to greatness, or send it to the coin-graveyard. Remember DogeCoin? The fun cryptocurrency set in Comic Sans that became a huge meme within the crypto-community, with a market cap that soared to $2 billion? To the extent that the DogeCoin community funded a NASCAR racer and sent the Jamaican bobsled team to Sochi? The absurdity and awesomeness are amazing. That is true power in the hands of the many, the consumers of crypto. No preferred shareholder has the same level of humor.

Secure Funds

Now, let’s move on to why Audits are relevant: Simply put, audits of the contracts through which you interact give credibility that your funds are safe. I’ll walk you through a case study that exemplifies this notion: The July 2017 Parity Wallet Hack (If you’ve read the first part, I talked about the November Parity Wallet Hack — Yes, there were two!). TL;DR: A malicious agent found a bug in the multi-signature wallet code that is used as a part of the Parity wallet. With two transactions, the agent obtained the exclusive rights to a multi-signature wallet and then used those rights to move funds to a wallet that s/he owned. ELI5: A flaw in the code was exploited by a bad actor and tens of millions in USD were stolen for a few cents.

In a public release, Parity explained that the exploited bug was missed during an internal audit (which was not published) performed by the Parity team. Third-party audits serve to remedy oversights like these. If you’d like to know the advantages that audits provide, I suggest you read Part 1 of this post (I implore you to, for the perspective). In summary, auditors have a unique advantage when reviewing code that developers don’t: Having never seen the code before, auditors can interpret elements in different ways, allowing deeper pen testing. This skill becomes more pronounced as methods for auditing become more standardized, similar to how the Accounting industry came to be with certified CPAs. Be it a Professionally Serviced Audit, internal audit, or Bug Bounty (preferably all three, multiple times), each additional run-through of the code-base adds another layer of security for your funds or data.

Set the Bar

Smart Contracts leave your funds to the mercy of code. There are no central authorities to make sure everything is clean and fair, no undo buttons, and very little you can do if something goes wrong. If someone can take control of your funds and rewrite the data, your funds are gone. While hacks can be scary, they should not preclude you from participating in the blockchain ecosystem. That’s the cost of being in at the ground level of the future. There’s more chaos than there is order. But there are ways to build order in time. A year ago, Zeppelin, Solidified, Bounty0x, Quantstamp, and Authio were no one. There was no identifiable area of auditing. A year from now, things may look very different, but it is your responsibility as crypto-users to drive that change.

To explain why, I’d like to provide two examples to demonstrate the current lack of sophistication in the space:

We, at Authio, had audited contracts for one of our clients where their multi-million dollar ICO was at risk. They were surprised to find that we had identified so many vulnerabilities. When prompted, our point of contact informed us that they had their contract audited previously, but the auditor simply responded with “IT’S ALL GOOD” and disappeared. Clearly a scam and an extreme example, but without reputable and affordable firms gaining credibility, the authenticity of the audits will remain questionable. This is further muddled if the conclusions of the audits are not publicly available and accessible. Without detailed reports that explain the vulnerabilities and subsequent fixes that can be understood generally and technically, how can the community trust that an audit was effective? (E.g., Parity internal audit)

From a different point-of-view, during one of our audits, we came across a vulnerability that could prove problematic for the project’s community. However, the client chose to centrally manage the consequences of the vulnerability. While this is entirely their right, there was no way to let users know. With community members so removed from the process of auditing itself, how would they know about this disregarded vulnerability? How many ICO investors or platform users regularly check auditing blogs to ensure their funds are as safe as possible? I’d argue very few. The large disconnect between audits and those affected by audits can impede the delivery of truly important information.

Auditing is still not nearly as mature as it needs to be, and will not be for years to come. The two examples above clearly show that. In order for standards to be set, protocols to be followed, and expectations to be adhered to, there must be movement from auditing firms, users, and project teams alike. What this means is that the community is not helpless in their ability to secure their own funds. With the influence users have, mentioned earlier, they can help build more rigid standards of security.

Insist on multiple audits! Know the credible auditing firms! Demand these audits be public, regardless of whether they are internal or external! Hold firm until expectations are met!

You have power here. Through your own advocacy, you can secure your own funds. So, speak up!

Wrapping Up:

This concludes the second part of this blogpost. In it, I’ve demonstrated to the community of crypto-users the advantages of having an audit done, namely that it helps ensure the security of your data and funds (More in Part 1). However, the auditing space lacks the refinement that it needs, given the gravity. In time, this will change as the blockchain space itself matures, but it starts with actively advocating for the changes you wish to see. The crypto-community can partake in ensuring the safety of their own funds. Not by knowing Solidity and catching vulnerabilities themselves, but simply by pushing for secure audits to be done before they are willing to invest in an ICO or use a platform.