Auditing Smart Contracts

What Is a Smart Contract Audit?

As smart contracts have become increasingly common, a number of companies have launched with the goal of serving as smart contract auditors. Smart contract auditors are most often blockchain developers who purport to understand how to interact with the technology.

Once smart contract auditors have received the finished code of a smart contract, they often do an analysis that is similar to what a developer might do for any code or software. This process usually includes drafting documents that explain the architecture of the smart contract, detecting any bugs, analyzing the code manually, and testing the smart contract to make sure it’s functioning as intended.

Vulnerabilities that audits could potentially catch may include those common to all software, such as a vulnerability to Denial-of-Service (DoS) attacks, as well as those that are unique to blockchain software. One concern that can arise with Ethereum-built smart contracts in particular is gas limit issues. When transacting on the Ethereum blockchain, the platform on which many smart contracts are built, you are required to spend what is known as gas — which is a fee charged to use the platform. Gas limits that are too high or too low can lead to snags or delays in the execution of smart contracts. Smart contracts usually require higher gas limits than do simple transfers on Ethereum. An audit could assess whether the set gas limit on a smart contract may cause issues down the road.

It is important to select a reputable company or service for your smart contract security audit. For simple smart contracts, automated tools may suffice to assure that your smart contract is coded properly. For more sophisticated smart contracts, an experienced auditor may be able to find uncommon or hidden vulnerabilities. They may also be able to provide you with a full report that clearly outlines those vulnerabilities and provides actionable guidance on how to fix them.

What Is a Smart Contract “Hack?”

In general, software can be hacked when a bad actor gains access to source code and either edits the program or installs malicious code. When transactions are hashed, or added, to a blockchain, they are typically not vulnerable to the types of hacks that input malicious code or change the code altogether. However, if smart contracts are not properly constructed and audited, there is the risk that a hacker could discover holes in poorly coded smart contracts and then execute the contract in a way that the parties were not anticipating.

The most noteworthy example of this vulnerability was The DAO Hack of 2016. The DAO functioned as a decentralized investment fund focused on investing in blockchain companies. As investment dollars flowed in, developers realized that vulnerabilities existed in the smart contract underlying The DAO. The vulnerability in the smart contract was subsequently exploited by a hacker who built a smart contract to interact with The DAO and steal the invested funds.

This event in the Ethereum and cryptocurrency worlds will forever be known as a “hack,” but technically, the smart contract worked exactly as designed. The hacker did not change the source code or install malware, but simply found a vulnerability that allowed them to interact with The DAO pursuant to how its smart contract was designed.

The DAO Hack caused Ethereum to fork, which is why we now have Ethereum (ETH) and Ethereum Classic (ETC) after some Ethereum stakeholders decided to revert to an older version of the blockchain to recover the hacked funds.

This experience made it clear that testing smart contracts is critical to the longevity of blockchain projects that use this automated technology, particularly when large sums of money are involved. While smart contracts are immutable once added to the blockchain, they are still vulnerable to hackers if not properly constructed and audited at the outset. Engaging in a comprehensive audit is crucial to ensuring the long-term viability of any smart contract.