Layer 4: Smart Contract Audits

Challenges and Considerations in Selecting Audit Services: Making Informed Decisions

TriWei.io
8 min read · Jan 14, 2024

The article emphasizes the importance of Smart Contracts audits in identifying vulnerabilities, safeguarding against fraudulent activities, and enhancing code quality. This piece serves as a guide for project teams looking to navigate the complexities of selecting and undergoing smart contract audits, highlighting their essential role in building trust and ensuring the integrity of Web3 initiatives.

What is a Smart Contract audit?

The Web3 sector, still in its infancy, lacks established processes and definitions for smart contract auditing. Unlike traditional fields such as accounting or finance, a smart contract audit is essentially a comprehensive security assessment conducted by specialized experts. Although certain best practices have begun to emerge as industry standards, auditing approaches and outcomes vary significantly among different firms and professionals.

In essence, a smart contract audit involves a detailed examination of a contract to identify any potential security risks. Auditors meticulously scrutinize the contract’s business logic and code, ensuring there are no exploitable flaws and verifying that the code’s behavior meets the project’s specific requirements.

Why are audits useful?

The primary goal of smart contract audits is to address code vulnerabilities. Many organizations, lacking in-house expertise or preferring an external viewpoint, turn to specialized firms for these audits. These firms are equipped with both the necessary expertise and automated tools, including specialized software, to conduct a thorough analysis of a contract’s code and pinpoint potential issues. An external review of the code, performed by professionals not involved in its creation, is vital. While internal audits can reveal certain vulnerabilities, an independent audit ensures an impartial examination of the code.

Another important purpose of smart contract audits is to protect users from rug pulls, a significant concern in the current landscape, as highlighted by Hacken’s 2023 Q3 report indicating that a majority of losses are now due to fraudulent teams. Auditors identify and flag potentially hazardous centralization practices that could lead to such fraudulent activities. Audit firms often conduct client KYC procedures as an additional safeguard against rug pulls. However, it’s noteworthy that certain centralization aspects, integral to some business models, might only be noted as risks in audit reports. This scenario is prevalent in a significant portion of deployed protocols, such as those with upgradeability features.

Another aspect where audits prove beneficial is in enhancing code quality. They help identify areas for improvement, whether it’s in performance optimization or adherence to emerging standards. Auditors often highlight not just severe issues but also low-severity or informational points that can enhance the code’s quality and readability.

Undergoing a security audit has become a means to attain a ‘quality badge’ for many projects. This badge is often seen as a necessary step to build market reputation and user trust. However, some teams fail to recognize the deeper importance of audits beyond this superficial value and might neglect other critical security best practices. It’s essential for teams to understand and value the comprehensive benefits of a thorough audit, not just the reputational boost it offers.

When to perform a Smart Contract audit

It’s imperative to conduct the audit before deploying the project, aiming to identify and rectify vulnerabilities before they can be exploited by malicious actors. The ideal timing for this audit is immediately prior to deployment. Conducting the audit too early in the development process can be counterproductive, as any subsequent changes to the code might necessitate another round of auditing.

A crucial point for project owners to understand is that any alteration to the code, regardless of its size, requires a new security assessment — it might be cheaper if performed by the same team that performed the initial audit. While the thought of repeated audits may seem daunting, especially for minor changes, it’s a necessary precaution. Even seemingly insignificant code tweaks can introduce serious vulnerabilities. Hence, it’s vital not to underestimate the impact of any modification, no matter how small it appears.

Are audits reliable?

Audits are not infallible solutions that guarantee 100% protection for your project. If they were, the extensive security measures detailed in this series would not be necessary. Consider for example the case of Exactly Protocol, which underwent 14 audits by four different firms and achieved 92% test coverage, yet still suffered an exploit.

Security in software development is more of a spectrum than an absolute. While audits can significantly enhance security, the complex nature of software means that achieving a completely bug-free state is unrealistic. Multiple, thorough audits are essential, albeit costly — this is especially true for projects of substantial complexity and those handling significant funds. A single audit is likely to identify and address all the more obvious vulnerabilities, but more intricate or subtle issues might remain undetected.

It’s important to note that many compromised protocols had not undergone any auditing process. However, even projects that have been audited multiple times are not immune to security breaches. This reality underscores the importance of adopting a multi-layered approach to security, as outlined throughout this article series.

How to Prepare for an Audit

Going for an audit without some preparation might be a waste of resources — both money and time. Trivial issues should be weeded out before performing an audit, as every minor problem can divert an auditor’s attention from more critical concerns. Auditors have limited time, and the focus should be on allowing them to dedicate as much of it as possible to uncovering complex, high-impact security issues.

Audits are not cheap. To get the most value out of your money, make sure your project has the following steps covered:

  • Unit tests with High Coverage: When Test-Driven Development (TDD) is not applied, make sure to write extensive test cases to maximize the code coverage. The most meaningful coverage metric is branch coverage.
  • Fuzzing: A great way to weed out more vulnerabilities before the audit.
  • Peer Review: If you have a security specialist on your team, have them conduct an internal review prior to the external audit.
  • Proper Documentation: This includes Functional Requirements, Technical Specification, NatSpec, and code comments. Clear documentation of all requirements, a complete NatSpec, and well-commented complex logic are vital. Auditors often lose significant time extracting requirements from poorly documented code, so invest effort into creating clear and thorough documentation.
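The three technical items on this checklist (branch coverage, fuzzing, NatSpec) fit in one small Foundry project. The following is an added example written for this page, not code from the article or from TriWei: a minimal ETH vault with full NatSpec, a unit test for each branch of `withdraw` (a happy-path-only suite would leave the revert branch uncovered, and `forge coverage` reports that in its Branches column), and a fuzz test asserting the property an auditor would otherwise have to reconstruct from the code. It assumes a Foundry project with `forge-std` installed; the contract and test are shown in one file for compactness.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for this article, not project code. Assumes forge-std is installed.
import {Test} from "forge-std/Test.sol";

/// @title Minimal ETH vault used to illustrate audit-ready documentation and tests.
/// @notice Constructed example; every external function carries NatSpec so an auditor
///         can read the intended behaviour instead of reverse-engineering it.
contract Vault {
    /// @notice ETH (in wei) credited to each depositor.
    mapping(address => uint256) public balanceOf;

    /// @notice Thrown when a withdrawal exceeds the caller's credited balance.
    /// @param requested Amount the caller tried to withdraw.
    /// @param available Amount actually credited to the caller.
    error InsufficientBalance(uint256 requested, uint256 available);

    /// @notice Thrown when the ETH transfer back to the caller fails.
    error TransferFailed();

    /// @notice Credits `msg.value` to the caller.
    /// @dev Zero-value deposits are accepted and leave the balance unchanged.
    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    /// @notice Sends `amount` wei back to the caller and debits their balance.
    /// @dev The balance is debited before the external call (checks-effects-interactions),
    ///      so a re-entrant call observes the already-reduced balance.
    /// @param amount Wei to withdraw; must not exceed `balanceOf[msg.sender]`.
    function withdraw(uint256 amount) external {
        uint256 available = balanceOf[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);
        balanceOf[msg.sender] = available - amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}

contract VaultTest is Test {
    Vault vault;
    address alice = makeAddr("alice");

    function setUp() public {
        vault = new Vault();
        vm.deal(alice, 10 ether);
    }

    /// Happy path: exercises the `amount <= available` branch of `withdraw`.
    function test_withdrawWithinBalance() public {
        vm.startPrank(alice);
        vault.deposit{value: 1 ether}();
        vault.withdraw(0.4 ether);
        vm.stopPrank();
        assertEq(vault.balanceOf(alice), 0.6 ether);
        assertEq(alice.balance, 9.6 ether);
    }

    /// Failure path: exercises the revert branch, so `forge coverage` reports 100%
    /// branch coverage for `withdraw` instead of the 50% a happy-path-only suite gives.
    function test_withdrawAboveBalanceReverts() public {
        vm.startPrank(alice);
        vault.deposit{value: 1 ether}();
        vm.expectRevert(
            abi.encodeWithSelector(Vault.InsufficientBalance.selector, 2 ether, 1 ether)
        );
        vault.withdraw(2 ether);
        vm.stopPrank();
    }

    /// Fuzz test: Foundry supplies random (deposit, withdraw) pairs; the property
    /// "a depositor can never extract more than they deposited" must hold for all of them.
    function testFuzz_neverWithdrawMoreThanDeposited(uint96 dep, uint96 wd) public {
        vm.deal(alice, dep);
        vm.startPrank(alice);
        vault.deposit{value: dep}();
        if (wd > dep) {
            vm.expectRevert();
            vault.withdraw(wd);
        } else {
            vault.withdraw(wd);
            assertEq(alice.balance, wd);
            assertEq(vault.balanceOf(alice), uint256(dep) - wd);
        }
        vm.stopPrank();
    }
}
```

Running `forge test` executes the unit and fuzz tests, and `forge coverage` shows per-contract line, statement, branch and function coverage; the branch column is the one this checklist asks you to drive up before handing the code to an auditor.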

The typical audit process

  • Establish the audit scope: The scope is crucial as it defines the boundaries of the audit. It’s important to include all the project’s contracts that interact with those being audited, as omitting them can lead to incomplete assessments and delays, with audit firms often requiring their inclusion.
  • Get Quotes: Obtain quotes based on the availability and pricing structure of the firms or solo auditors.
  • Choose the Auditor: Decide on the firm or individual auditor based on your specific needs and their expertise.
  • Code Freeze: Once the audit commences, avoid making any changes to the code. The final deployment should reflect the audited version to ensure consistency and reliability.
  • Audit Process: During this phase, expect ongoing communication with the audit firm. They may request additional documentation or clarifications and will provide preliminary findings to the client.
  • Report Delivery: The initial audit report is delivered to the client, detailing the findings and the related suggested fixes.
  • Vulnerability Review: A meeting between the audit team and the client is held to ensure a thorough understanding of the report and discuss the implementation of recommended fixes. Occasionally, some issues may be reclassified as false positives based on further information from the client.
  • Client Implements Fixes: The client addresses the identified issues as per the audit report.
  • Review of Fixes: The audit firm re-evaluates the amended code. This review may be part of the initial agreement or may incur additional costs, depending on the firm’s policy. Typically, multiple reviews are conducted, and introducing new features during this phase is generally not permitted.
  • Report Publishing: The final report is published, serving as a valuable marketing tool for both the audit firm and the client, showcasing their commitment to security and quality.

Types of Audit providers

  • Audit Firms: Traditionally seen as the benchmark in the industry, audit firms offer a comprehensive suite of services. Their teams usually comprise multiple experts with diverse specializations, providing a well-rounded audit. They use sophisticated tools and methodologies to ensure thorough code analysis. However, their services can be more expensive, reflecting the breadth and depth of their expertise.
  • Solo auditors: While solo auditors are becoming more popular, caution is advised when selecting professionals from platforms like Fiverr and Upwork, as the quality can vary. High-quality solo auditors, such as Pashov and Bytes032, often promote themselves through educational content on Twitter and other social media platforms. The limitation here is the singular perspective provided, as opposed to a team’s collective insight.
  • Team of solo auditors: TriWei is a great example. It is a collective of three solo auditors and offers a unique blend of individual expertise and collaborative review. This setup enables a more agile and cost-effective approach than larger firms, benefiting from minimized bureaucracy. However, their capacity to take on multiple or large-scale projects is limited due to their smaller size.
  • Audit Contest: Platforms like Code4rena, CodeHawks, and Sherlock host audit contests, which are effective as a supplementary layer of auditing. These contests allow for broad scrutiny of the codebase by numerous participants at a lower cost. However, they might not attract the most experienced auditors due to relatively lower financial incentives compared to standalone audits. The pricing model depends on the provider platform, but the final cost is usually way higher than a traditional audit.

How to choose audit firms

When choosing an audit firm for smart contract auditing, it’s important to use a multifaceted approach as there is no standardized method for measuring expertise. Key factors for evaluation should include the quality of previous audits conducted by the firms and their overall reputation in the industry. Look into their track record, the types of projects they have audited, and any feedback or reviews from their past clients. Industry reputation can often be gauged through their presence and participation in relevant forums, discussions, and their contributions to the field.

The branding and market presence of a firm also play a significant role. Firms that actively contribute to the community through educational content, Capture The Flag (CTF) competitions, and successful results in audit contests tend to have a higher standing. These activities demonstrate not only expertise but also a commitment to advancing the field.

Exercise caution with ‘rubber stamp’ audit firms. These firms may offer audits at competitive prices but often provide subpar services, relying on their clients’ need to simply state they have been audited. While some manage to maintain a decent reputation through marketing, they are generally known within the security community for their lower standards. Conduct thorough research to avoid these firms.

As for the cost of audits, pricing models vary among firms. A common approach is to set a base rate per line of code, with additional charges for more complex code or interactions with external protocols. Compared to other highly specialized fields, the cost of smart contract auditing is proportionate, but it can be a significant investment, especially for smaller teams.

To get an idea of the potential cost, direct communication with auditors or their sales departments is usually necessary. Some, like TriWei, offer self-assessment tools to help estimate the pricing for their services.

Is AI going to bring free audits for everyone?

At present, AI tools are not a replacement for human expertise in auditing. They tend to be less effective than established static analysis tools and are mainly useful for identifying basic, easily detectable issues. While AI may assist in automating certain aspects of the auditing process, it cannot yet match the nuanced understanding and complex analysis provided by experienced human auditors.

As we conclude our exploration of the fourth layer in our seven-part series on Web3 security, remember that this is just the beginning. Each layer offers unique insights and strategies crucial for the security and success of any Web3 project. Continue your journey with us to uncover more essential aspects of Web3 security.

Dive into the remaining layers and enrich your knowledge at triwei.io/education. Stay informed, stay secure, and lead the way in the Web3 space.

Written by TriWei.io

Three experienced solo auditors joined to create TriWei, a Smart Contract auditing firm. Lean process, high quality, competitive pricing. www.triwei.io