What is a Smart Contract Audit?

Yogesh Padsala, EtherAuthority
Dec 25, 2019

A smart contract audit is a process for identifying bugs in a smart contract. Such bugs can be security vulnerabilities, gas cost issues, logical problems, or business-logic issues.

Looking for Professional Smart Contract Audit? Etherauthority.io

Why is a Smart Contract Audit Needed?

Blockchain is secure, but its applications (dApps) are not! These applications run on the blockchain using smart contracts. These smart contracts are written by humans, so they carry many human errors.

The infamous DAO attack was carried out in 2016 and allowed a hacker to steal over $50 million worth of ether from the smart contract. Because it was not governed by any single person, no one could stop it.

Before going into the process of a smart contract audit, let's quickly discuss the major security vulnerability patterns.

Common Smart Contract Vulnerability Patterns

1: Overflow and underflow

An overflow happens when the limit of the uint256 type, 2 ** 256, is exceeded: the value resets to zero instead of incrementing further. An underflow, on the other hand, happens when you subtract a number bigger than 0 from 0. For example, if you subtract 0 - 1, the result will be 2 ** 256 instead of -1.

2: Short address attack

If the token contract holds enough tokens and the buy function doesn’t check the length of the sender's address, the Ethereum virtual machine will just add zeros to the transaction until the address is complete.

3: Visibility & Delegatecall

Also known as the Parity Hack, this occurs through misuse of delegatecall.

4: Reentrancy / TheDAO hack

Reentrancy occurs in this case: any interaction from a contract (A) with another contract (B) and any transfer of Ether hands over control to that contract (B). This makes it possible for B to call back into A before this interaction is completed.

5: Forcing ether to a contract

When a smart contract executes “selfdestruct”, it sends all of its ether to the target address. If the target address is a contract address, the fallback function of the target contract does not get called, and thus an attacker can bypass the “require” conditions.

6: Transaction-Ordering Dependence (TOD) / Front Running

In simple words, when a smart contract function depends on the order in which transactions are confirmed, some users can manipulate the order of transaction confirmation at the expense of other users' transactions coming behind.

The Steps for a Full Smart Contract Audit

  1. Preparation: review of the specification, compiling the code and deploying it to a testnet, and understanding the functionality of the contracts
  2. Functionality Analysis: analysis of the code’s specification and development of an AS-IS overview for the contract (a high-level description of the smart contract functions)
  3. Automated code analysis: we do automated scanning for commonly known vulnerabilities, including scanning with Mythril and Slither. These tools are developed for Solidity contracts on Ethereum; however, they can also be applied to TRON-based Solidity contracts
  4. Manual code analysis: testing against known attacks and a manual security audit
  5. Report Development: preparing a template of the report for the project, assembling results from stages 1–4 and finalizing the report
  6. Quality assurance and Secondary review: consulting developers on the ways to fix vulnerabilities and a secondary audit against fixed issues
  7. Project Management: liaising with both sides, constantly monitoring the progress of work, controlling the stages, and keeping everyone informed of the project’s accomplishments, issues and changes

Need a professional Smart Contract Audit?

Please contact the team at: EtherAuthority.io
