Applying the Business Application Controls (BAC) audit framework when reviewing the smart contract
Assume you are an experienced IT auditor whose past assignments focused on reviewing IT controls and business application controls. Now your organization wants to adopt blockchain and is about to deploy its first product on blockchain, utilizing a smart contract.
As the IT auditor you are now responsible for reviewing this smart contract, but you have no experience with smart contracts. What would you do?
The concept of a smart contract may sound foreign when you come from a traditional IT environment, so let’s start by understanding exactly what a smart contract is. A smart contract is a program written in the Solidity programming language (.sol files) which can be deployed to a blockchain to perform its intended tasks. Because this program or application operates on a blockchain, or decentralized network, it can be referred to as a “DAPP” (decentralized application).
With this understanding, you start to recognize that a smart contract is a variation of an application; therefore you can certainly apply the Business Application Controls (BAC) audit framework as the foundation for your testing approach.
Where should we focus in the audit?
When we review any application there are three main points to be reviewed, following how the application works:
- Input Control: Validating that input is of the correct size and format to ensure it would not disrupt processing.
- Processing Control: The business logic of the application is correct, as designed by the application owner.
- Output Control: The application presents output correctly, shows only details permitted for the user, and does not display excessive information when handling errors.
Once we have established what needs to be reviewed, the next stage is to identify where these controls should be. According to ISACA (https://www.isaca.org/), the recommended approach is to prepare a diagram showing how the application should work, starting from when the user submits their input until the output is shown.
Note that this data flow should be reviewed with the project owner or developer to make sure that you have a correct and full understanding before using the diagram further.
As an auditor, after you have established a full understanding of the application, you can start preparing a list of control points which you need to test and the expected output from each control point. This list of what to test and the expected results is called an “Audit Program”. Although an audit program is not mandatory for an application control review, having it prepared makes the audit more effective and ensures that you are not missing anything.
Testing approaches
For Business Application Controls, you can usually test a defined control either by reviewing the application source code or by reperforming the transaction (using a pre-defined input and comparing the result with the expected output). When testing a smart contract we can use the same approaches, but reperforming transactions may not be financially feasible, since for every transaction the tester needs to pay a transaction fee (gas fee).
Given this financial limitation, the recommended approaches for testing a smart contract are:
- Automated code review: Using a source code scanner to determine whether the smart contract has been written according to blockchain standards or is vulnerable to common coding errors. Examples of popular automated code review tools are https://mythx.io/ and https://openzeppelin.com/defender/.
- Manual code review: The auditor needs to review the source code of the smart contract and understand how the contract works, including which functions are defined in the smart contract and which variables are available. After going through the code, the auditor has to figure out how the smart contract will behave in both normal and exception scenarios.
Although automated code review may sound sufficient, a code scanner cannot detect issues which arise from errors in business functions, so a manual code review is necessary to complete the assessment. The auditor should use both automated and manual code review to ensure completeness of the assessment.
Usual vulnerabilities for smart contract
For smart contracts, there is a list of well-known vulnerabilities which could be exploited by malicious individuals. The diagram below shows these vulnerabilities and can be used as a reference when planning your audit.
Referring to the list above, there are multiple known vulnerabilities, but one of the most common is “Reentrancy”. By definition, the word “reentrancy” means “the act of entering again (reentering)”. A reentrancy attack occurs when a function makes an external call to another untrusted contract. The untrusted contract then makes a recursive call back to the original function in an attempt to drain funds.
Referring to the article from https://www.securing.pl/ (Reentrancy attack in smart contracts — is it still a problem?), these are examples of hacks in 2021 which resulted in significant financial losses.
- The BurgerSwap hack (May 2021) — $7.2 mln, because of a fake token contract and a reentrancy exploit.
- The SURGEBNB hack (August 2021) — $4 mln, seems to be a reentrancy-based price manipulation attack.
- CREAM FINANCE hack (August 2021) — $18.8 mln, reentrancy vulnerability allowed the exploiter for the second borrow.
- Siren protocol hack (September 2021) — $3.5 mln, AMM pools were exploited through reentrancy attack.
What to do with your finding?
After a comprehensive review of the smart contract, if you identify any issue with the smart contract the first thing to do is confirm it with the project owner or developer. By discussing your findings with them, the auditor can confirm whether the issues are valid and whether they carry the risk implications you have determined.
Conclusion
When you need to audit a smart contract for the first time, don’t panic. The Business Application Controls (BAC) audit framework which you used for reviewing business applications can be applied to smart contracts.
However, auditing a smart contract can be challenging, as it requires technical understanding of Solidity programming (.sol) and the ability to come up with exceptional cases which would disrupt or exploit the smart contract. So it is normal to ask an experienced smart contract auditor for help developing your audit program and guiding you through your first few audit engagements.