How to Conduct a Smart Contract Security Audit of Your Project? [and why this is important]
Blaize deals with smart contract security audits on a regular basis, so we can say that the matter of blockchain project security is very urgent nowadays. However, we have noticed that many developers and product owners neglect security audit importance and internal optimization.
A smart contract security audit is an accurate and thorough analysis of application smart contract sets. The main aim of such an audit is to detect and eliminate smart contract vulnerabilities as well as check the reliability of the contracts’ interactions between each other.
This article will show you some interesting and important issues to take into account while checking for bugs and errors in the general work of the blockchain part of your project.
Why Smart contract audit is important ?
A high level of security and code quality are the main requirements for developing a good smart contract. Otherwise, your project may experience a hacker attack and suffer enormous losses as it had happened before with a list of well-known projects.
Cybersecurity is extremely important for DeFi sector, as long as smart contracts deal with a lot of money. Also, money losses mean not only funds stolen by a hacker, but also assets locked down on the contract forever (which may cause even more damages).
Those are DeFi projects, that suffered from hacking due to smart contract vulnerabilities recently:
Yet, do not underestimate the security risks in other decentralized systems using smart contracts. There are the most known cases:
Those issues purely demonstrate that even a small bug in smart contracts logic or functionality may lead to irreversible consequences. Therefore, smart contracts auditing is one of the best practices of defending your smart contracts from attacks.
In Blaize we have audited several contracts and secured over 12 mln total value of those. That is why, we want to share our knowledge along with experience in order to underline the importance of auditing smart contracts security.
Common Smart Contract Attacks
One of the best ways to prevent the future attack on your smart contract is to be aware of existing attacks and study them carefully. Smart contract weaknesses classification registry contains a list of all the known attacks until now.
SWC registry presents a list of all familiar smart contract vulnerabilities and examples on how to deal with them.
Reentrancy is one of the common and most dangerous Ethereum vulnerabilities. It can have a variety of forms and make different changes to the calling function which makes it highly unpredictable. This type of attack was used in the previously mentioned DAO hack in 2016.
As long as reentrancy attacks may occur across multiple functions or contracts it gives additional complications to its prevention. The experience and deep understanding of smart contract logic is the main requirement for the developers who deal with reentrancy mitigation because a single function solution is not enough in this case.
The next very common and costly attack is front-running. This issue became one of the biggest vulnerabilities in DeFi decentralized exchanges such as Uniswap or 0x.
Read more about front-running issue and ways of its elimination in our article Solutions to Impermanent Loss and Front-Running
A list of attacks related to the smart contract gas cost appeared recently. Some of those are insufficient gas griefing or DoS with block gas limit. The description and code specifications might be found here.
We will share some tips on how to prevent those in the next parts of this article.
How Blaize audits your smart contract?
- Check the consistency between the functionality of the contract and its description in the whitepaper and other supportive docs (like smart contract specifications). Undocumented features check;
- Checks against the standard list of vulnerabilities;
- Symbolic analysis of potential weak spots;
- Static analysis by automated tools;
- Manual code and code quality review;
- Gas usage analysis;
- Unit tests coverage check;
- Report preparation.
Blaize recommendation: We would like to underline the importance of a clear and well-written smart contract specification. A plain description of all the smart contract functions and the explanation of how the contracts should work together is a must have thing for a good audit. Those prevent our team from misreading or misunderstanding of your code and save your time & costs.
How does the smart contract testing process go?
Before starting any audit, it is required to register the state of the audited system. If the code is stored on GitHub, then this is the commit number or release version. Additionally, the checksum or hash is registered for each file, in order to know if some changes occur.
Those steps are a prerequisite for a quality security audit. After that Blaize experts begin the checking processes.
Blaize experts have developed a set of specifications for measuring smart contract security levels in order to provide the best smart contract audit services.
|Critical||A system contains several issues ranked as very serious and dangerous for users and the secure work of the system. Needs immediate improvements and further checking.|
|High||A system contains a couple of serious issues, which lead to unreliable work of the system and might cause a huge information or financial leak. Needs immediate improvements and further checking.|
|Medium||A system contains issues which may lead to medium financial loss or users’ private information leak. Needs immediate improvements and further checking.|
|Low||A system contains several risks ranked as relatively small with the low impact on the users’ information and financial security. Needs improvements.|
|Lowest||A system does not contain any issue critical to the secure work of the system, yet is relevant for best software defensive practices implementations.|
All smart contracts are carefully audited according to those standards. Those are further explained and presented in the final report along with the recommendations for security improvements.
Approaches to smart contract audit
There are two approaches for auditing smart contract security – manual and automatic. Blaize developers are experts in both aiming to ensure highly reliable results.
Automatic smart contract security analysis
Along with smart contracts wide adoption, many alternative softwares for bug detection occurred. Automatic analysis considerably fosters smart contract vulnerability checking and saves developers’ time.
Bug detection software determines which part is responsible for each input execution and shows where the possible bug occurs. Mythril is one of the tools Blaize experts use for automatic analysis.
Mythril is a very reliable software for contract security analysis. It is a perfect bug detection tool for Hedera, Ethereum, Quorum, Tron, and other EVM-compatible blockchains.
Alternatively, we often use Sithler, a Python-based software which allows analyzing Solidy code with low false positives.
As far as every project has a unique set of smart contracts the other tools should be used accordingly. The full list of security tools for automatic vulnerability detection might be found here.
Manual smart contract security analysis
Although the automatic approach is much faster and offers quite reliable results, sometimes it reports false positives which are not necessary code bugs. Those happen because tools cannot understand the code context.
Yet, false positives are not such an issue as long as they can be easily identified. Automatic analysis detecting wrong contract vulnerabilities is a much bigger concern. That is why manual analysis of your smart contract is highly required.
A manual code analysis means the examination of each code line by a team of experienced Blaize developers. It works either as a check against a list of standard vulnerabilities or as a free “exploratory” check based on a developer’s experience.
This approach is more complex and thorough. It helps to detect the most hidden problems which are not in the code itself, yet in the contract logic and architecture.
Smart contract audit common mistakes
As you know already, smart contracts require not only good coding yet the ability to build a logic which makes your contract cost-efficient. As long as this feature might be often overlooked while developing processes one of the main purposes of conducting a smart contract audit is to see how well your contract is optimized.
Smart contract performance validation
Smart contract performance validation is a vital thing of a good security audit. Badly optimized contracts will always face delays and “eat” more gas that means cost more than it should be.
Contract performance issues are often connected to the quality of the code. It mainly deals with some mistakes or inappropriate order in the contract logic. If a contract is poorly optimized it will often experience a wrong work of contract functions defined in the specifications earlier. Then, it can be very hard to determine the problem, as long as it will not be in the contract itself, yet on the edge of contracts’ interaction.
Want to carry out performance validation of your contracts? Contact Blaize in order to get further details.
The other important thing why to check smart contract performance is contract upgradability. Although your contract works well today, it does not mean it will work the same way after performing any upgrade or adding a new feature. That is why it is crucial to make a security audit after any upgrade or improvements.
The seamless upgrade is a required feature in terms of developing smart contracts for DeFi projects. Smart contracts in DeFi should be highly operable and easily adaptable to any changes as far as it deals with users’ money.
If you want to know more about smart contracts development for DeFi or thinking of conducting an audit of such, check out some useful advice in our article How to Develop a DeFi Project?
Smart contract gas fee optimization
One of the main challenges in today’s development is the reduction of gas fees within a protocol. The gas fee is the amount of ETH you should pay for contract deployment and maintenance. To get a pick at the estimated gas price for your contract, check for Ethereum gas fees here.
Gas fee depends and grows along with smart contract complexity, so fee reduction is connected to the development of a more thoughtful smart contract logic.
A cost-efficient logic is such that is able to perform protocol main tasks with the minimal amount of transactions used. That is why auditing smart contracts gas prices will help to save a great amount of money and to optimize project development costs in general.
Moreover, if a contract is well-written but not optimized in terms of gas fee, it will not be beneficial or even too expensive and impossible to deploy.
There are following steps Blaize experts recommend to do in order to optimize and reduce gas fee for smart contract:
- avoid triple nesting cycles and (if possible) double nesting cycles;
- reduce the number of used variables;
- avoid cycling through the mappings;
- do not use contracts as a database – keep only necessary info in the storage and use events instead;
- split bulky procedures into several steps performed in different transactions;
- prefer pooled operation instead of a row of consistent operations;
- clear storage if possible – it will return some of the gas cost;
- try to use fixed-size arrays instead of dynamic.
Remember, smart contract performance validation and gas fee reduction should be well-considered even before the development process while security audits ought to detect eventual misleads and vulnerabilities of the system. Therefore, hiring a team of skilled smart contract developers is a must. Find out more on how to choose a solid blockchain development company to avoid all scams and uncertainties on your way.
As you can see, a variety of nuances should be taken into account carefully while building a thoughtful smart contract logic. Conducting a security audit, for its part, helps to check the proper work of the system together and prevent misleading of one of such.
Want to conduct a security audit of your smart contract? Contact us and Blaize experts will take care of your cybersecurity!
It is useful to remember that the final report of the security audit of your smart contract provides recommendations and a list of potential vulnerabilities. The task of the audit is to check the formal logic, detect all potential risks and inform the client.
Then, the client is able to decide which bugs and vulnerabilities will be eliminated. It is very important to understand that the auditors do not fix anything themselves. We also recommend conducting several independent audits in order to ensure the highest level of security.
A number of recent events have shown that auditing of smart contract security has to become a vital part of project deployment & launch. That is why, we in Blaize, entirely enhance our knowledge and get new skills in order to provide the best smart contract security audit services on the market.