Smart Contract Security Audits — An Experience Report

Stefan Beyer
Jul 4, 2018 · 5 min read

Smart contracts were originally envisaged as legal agreements implemented in computer code for automation purposes. Nick Szabo wrote about smart contracts in 1994, but blockchain technology has turned the concept into a reality.

Smart contracts on the blockchain are both publicly accessible and immutable, meaning that anyone can access them, and they cannot be updated. This produces some interesting security challenges, which we have discussed previously. Because of this, it has become common practice and, in some cases, mandatory to perform external smart contract security audits.

At Cryptronics, we have been performing security audits of Ethereum smart contracts for a while now. In this article, we will give an overview of our observations.

Most Audits are for ICOs

Initial Coin Offerings (ICOs) tend to be called “token sales” now in the belief that this will stop regulators from looking carefully, but the concept remains the same. Businesses are “tokenized”, in order to raise large amounts of funds for a project. Despite scams and negative news, there is no end in sight for the ICO boom. Consequently, most audits we perform are of token and crowd sale contracts, although some more interesting contracts, in particular, those dealing with non-fungible assets, have also made it into our auditing portfolio.

Our first observation of this space is that all the projects that have engaged our auditing services seem legit projects. We cannot confirm the often quoted statistic that 80 % of ICOs are scams. Maybe this is because scam projects are not worried about audits anyway, by our observation is that the ICOs we have come across in our audits seem serious projects with the full intention of building a company. Most projects actually seem quite interesting, although some leave us to wonder whether the token actually adds any value beyond raising funds.

Lack of Experienced Blockchain Engineers

Our second observation is that the quality of most smart contracts is shockingly poor. There are exceptions to this and we will name a couple of projects for their exceptional smart contract quality towards the end of this article.

However, it is amazing how much some projects are willing to spend on marketing and all sorts of advisors, and how little they are prepared to spend on protecting their business from simple programming errors.

The lack of code quality cannot be explained by the fact that blockchain technology is relatively new. There is a distinct absence of software engineering knowledge that can only be explained by cheap and inexperienced labor. Basic concepts, such as separation of concerns and modularity are often absent. Implementing crowd sale functionality in the actual token contract is surprisingly common.

Furthermore, many developers seem to be unaware of existing community audited open source code that can be re-used. If you need a standard ERC-20 token you have to look no further than Open Zeppelin’s reference implementation. Even for token sale contracts, you would be hard-pressed to find a model not already covered by one of the many reference implementations. Instead, developers chose to re-invent the wheel with amazing creativity.

Due Diligence as an Afterthought

One of the things that surprised us most when we started out with smart contract auditing was how late in the process many projects start their due diligence. It is not uncommon to receive urgent requests for audits on a Friday evening because their ICO is about to start the following Monday. We like the occasional night shift as they tend to pay extremely well, but there is a limit to what can be done over a weekend. The auditing process takes time. It is a complex process involving several steps that require high levels of concentration. Usually, there is also a second round, in which issues found in the first round are fixed.

In most cases, we have taken on time-sensitive audits, the client ended up unhappy when issued where found. One client got really angry with for having to postpone the start of his ICO. We have also had a client ask us to remove issues from the report, as the token was already on exchanges and could not be fixed. We refused, of course, which led to some debate about outstanding payments.

Protecting the Company, not the Client

Smart contract authors are understandably keen to make sure no-one can misuse their contracts. They are less enthusiastic about the auditor identifying backdoors the contract owner might exploit or inconsistencies with the whitepaper.

In most cases this is not malicious behavior. It is human nature to believe in one’s own integrity. However, project owners should realize that the whole point of smart contracts is to provide trust for both parties. A solid smart contract that protects both sides and provides transparency will improve a project’s credibility. This should not be underestimated.

Positive Exceptions

The above may sound very negative, but most projects have managed to improve their process through the auditing procedure and their contract can now be considered secure (or as secure as they can be).

In addition, several projects have surprised us positively.

The XCHNG token sale stands out amongst ICOs for exceptionally well written smart contracts employing known good practice guidelines.

CryptoFights is a blockchain-based game that represents game characters and their accessories as digital assets on the blockchain. In addition to not following the ICO model, the smart contracts we have audited were refreshingly original, well organized and secure.

(Disclaimer: The author has been previously engaged for technical writing by the CryptoFights team but is not paid for this mention. Nor does the author or Cryptronics hold any CryptoFights shares or tokens).

The Importance of Smart Contract Audits

The nature of smart contracts makes due diligence auditing a necessity. The process is neither simple nor fast and projects should allocate both budget and time for external smart contract audits, preferably from more than one independent providers.

Cryptronics is an experienced smart contract audit provider with a well-defined workflow. Feel free to look at an example audit report from the above-mentioned CryptoFights and contact us for information on pricing and process.

Cryptonics

Blockchain Technology Insights

Stefan Beyer

Written by

Computer Scientist with research background in Operating Systems, Distributed Systems, Fault Tolerance and Cybersecurity.

Cryptonics

Blockchain Technology Insights

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade