How to Prepare for a Security Audit
What are Smart Contracts?A smart contract is a program that runs on the Blockchain, e.g., Ethereum blockchain. It is dispersed across the network and runs without any management by the user. However, users can communicate with a smart contract by sending transactions, which are irreversible by default, for carrying out specific tasks.
What are Security Audits?
Owing to the irreversible nature of smart contracts, it is vital to ensure that there are no flaws and vulnerabilities in the contract, which can be achieved through a security audit.
A security audit is used to thoroughly verify a project's smart contracts and is necessary to safeguard the funds invested in a project. The auditors extensively examine the smart contract code, create a final report, and submit it to the project for use. The final report, with unresolved bugs, documents previous work done to address vulnerabilities or security issues. The audits add further credibility to a project, which provides a competitive edge to the developers in the industry.
Are Security Audits important?
Security audits provide security against hacking attacks, which may lead to financial and reputational loss. For example, Cream Finance announced in October 2021 that hackers removed approximately $130 million in Ethereum tokens because of a bug in the flash loaning contract.
The audits are essential because any potential loss by executing a project without an audit is usually much larger than the cost of an audit. In April, Akutars NFT undertaking lost around 11,539 ETH ($34 million then @2,958.67/ETH) due to a minute bug or error in the project's smart contract. Not only did the developers of the project have to bear the financial losses, but also the loss of trust and reputation in the community.
Who does the Security Audit?
A security audit consists of multiple complex but necessary steps and developers must ensure they get help from a professional security auditor. There are several experienced smart contract security auditors, such as Truscova. Truscova leverages formal verification and other leading technologies to ensure security of smart contracts. Truscova currently analyzes Solidity code combining formal verification techniques: abstract interpretation, constraint solving, theorem proving, and equivalence checking. These are well understood academic fields and Truscova’s team has over 30+ years of experience in contributing to formal verification.
How to prepare for a security audit?
- Documentation: It is the process where code is summarized descriptively so that auditors can easily understand the overall coding procedure. It also allows the auditors more time for fixing the bugs or finding vulnerabilities instead of understanding the basic functionality of the code.
- Cleaning Up: This step consists of combing through the code and removing all unnecessary coding. For example, any unfinished code needs to be deleted before it can be forwarded to the auditors. Similarly, all the warnings given by the compiler should be addressed beforehand. Cleaning up also consists of finishing up any incomplete line of code. The simpler and cleaner the code, the more convenient it is for the auditors.
- Testing the Code: It consists of executing the code (smart contracts) and checking if the code provides the desired outcome based on any given input. One needs to check the code as per all possible scenarios to ensure that everything is thoroughly tested, and all the gaps are checked.
- Analysis Tools: This is more of a bonus step that helps save the auditors' time by finding some bugs automatically. However, the tools are still in infancy and have their limitations, e.g., false positives. Hence, completely relying on these automated tools is not recommended; hence Security Audit by professional companies, e.g., Truscova, is required.
- Ensuring Code is Ready: Before submitting the code, ensure that the smart contract is finalized, and no changes are required in the code from the developer’s end as the code cannot be changed once the audit starts. Otherwise, the auditors must start from scratch, incorporate the new code-changes, and audit everything again.
- Checklist: It’s always recommended to create a checklist for the above-mentioned steps and go through it before submitting the code for audit.
Stats and Data about Smart Contracts and Security Audits:
One of the reasons why Security Audits of Smart Contracts are becoming extremely important is the rising frequency of fraudulent activities happening in the cryptocurrency world. For example, crypto-based hacking surged 58.3% year over year through July 2022 to a total of $1.9 billion.
Figure 1: Source - Chainalysis
The amount of stolen funds surged 516% year over year in 2021 to about $3.2 billion, indicating the importance of security audits.
Figure 2: Source - Chainalysis
About Truscova:
Truscova comes with 30+ years of academic research and hundreds of academic publications which pioneered the area of Formal Verification. The team combines academic leadership, industrial strength and Blockchain expertise. Truscova currently analyzes Solidity code combining Formal Verification techniques: abstract interpretation, constraint solving, theorem proving, and equivalence checking.