Interview with ICO Smart Contract Auditor — Bok Khoo
When it comes to ICOs, one of the key factors that must be considered is the smart contract. Auditing a smart contract is an important step in any ICO project: it checks that the contract cannot be exploited to steal or lock up contributed funds, among other things. The LiveEdu smart contract was audited by the renowned Bok Khoo, aka BokkyPooBah. For the LiveEdu interview series we decided to ask Bok a few questions about smart contract auditing. You can view Bok’s audit of the LiveEdu smart contract here.
1. It’s a pleasure to speak with you today Bok. Can you tell us about yourself?
Hi. I’m Bok Khoo, or BokkyPooBah, an Ethereum fanatic.
2. How long have you been working with blockchain and Ethereum?
I heard about Bitcoin when it first came out. I only started getting interested in the trusted platform that blockchain enables in early 2015. There was, however, not much that could be done on the Bitcoin network except transfer coins from one account to another.
The Ethereum network went live on July 30th 2015. This blockchain is like a giant box of Lego Mindstorms™ for me. New parts are released every few days and there are lots of interesting projects to work on.
3. How did you get into smart contract auditing?
I helped a colleague develop and check their crowdsale contract. After that, word spread that I was helping to secure smart contracts. This led to a stream of smart contract auditing.
4. What are the main steps involved when auditing a smart contract?
My primary objective when auditing smart contracts (especially crowdsale smart contracts) is to ensure that the contributed ether (ETH) cannot easily be stolen or hacked. The easiest way to do this is for the ETH contributed to the crowdsale contract to be moved immediately into a well-tested multisig wallet. The ETH will sometimes have to accumulate in the crowdsale contract, to support the refund of contributions if the minimum goal is not reached. Special attention must be paid to all the ways that the ETH can leave the crowdsale contract.
My secondary objective is to ensure that the crowdsale token contract works as expected. This is not as critical as my primary objective of securing the ETH, as the crowdsale token contract can be redeployed with the token balances copied over. This is easy during the period when the crowdsale closes and the tokens start trading. However, it is still important to get the token contract correct, as these token contracts may live forever on the blockchain.
Finally, there is the trust factor of the token contract. Once the crowdsale is completed, token contracts should ideally be unstoppable. The token contract owner should not have the permission to mint new tokens, burn an account’s tokens or suspend transfers.
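The properties Bok describes in this answer, written out as an added example (this is not the LiveEdu contract, nor BokkyPooBah's code): contributed ETH is forwarded to a multisig wallet as soon as the minimum goal is covered and otherwise held only to back refunds, there are exactly two ways ETH can leave the crowdsale contract, and the token has no owner mint, burn or pause once the sale is finalized. The contract and variable names (`SimpleToken`, `Crowdsale`, `RATE`, `goal`, `wallet`) are this example's own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative example, not code from the LiveEdu audit. Names below are
// assumptions made for the example.

contract SimpleToken {
    string public constant name = "Example Token";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    address public minter;          // the crowdsale; cleared at finalization
    bool public finalized;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(address _minter) { minter = _minter; }

    // Only the crowdsale can mint, and only until it finalizes. There is
    // deliberately no owner burn, no pause and no way to re-enable minting,
    // so the token is "unstoppable" once the sale is over.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter && !finalized, "minting closed");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function finalize() external {
        require(msg.sender == minter, "not minter");
        finalized = true;
        minter = address(0);            // one-way: nobody can mint again
    }

    function transfer(address to, uint256 value) external returns (bool) {
        balanceOf[msg.sender] -= value; // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}

contract Crowdsale {
    uint256 public constant RATE = 1000;         // token units per wei (assumed)
    address payable public immutable wallet;     // multisig; the only destination for raised ETH
    uint256 public immutable goal;               // minimum raise in wei
    uint256 public immutable endTime;
    SimpleToken public immutable token;
    uint256 public raised;
    bool public finalized;
    mapping(address => uint256) public contributed;

    constructor(address payable _wallet, uint256 _goal, uint256 _duration) {
        require(_wallet != address(0), "wallet required");
        wallet = _wallet;
        goal = _goal;
        endTime = block.timestamp + _duration;
        token = new SimpleToken(address(this));
    }

    receive() external payable { buy(); }

    function buy() public payable {
        require(block.timestamp < endTime && msg.value > 0, "sale closed");
        contributed[msg.sender] += msg.value;
        raised += msg.value;
        token.mint(msg.sender, msg.value * RATE);
        // ETH exit 1: once the goal is covered there is no reason for ETH to
        // sit in this contract, so it goes straight to the multisig.
        if (raised >= goal) forward();
    }

    // Reachable only when raised >= goal, so refunds can never be starved.
    function forward() internal {
        (bool ok, ) = wallet.call{value: address(this).balance}("");
        require(ok, "forward failed");
    }

    function finalize() external {
        require(block.timestamp >= endTime && !finalized, "not finished");
        finalized = true;
        token.finalize();               // closes minting permanently
        if (raised >= goal) forward();
    }

    // ETH exit 2: refund, only if the sale ended below goal (so nothing was
    // ever forwarded and the balance still equals the sum of contributions).
    // Pull pattern: zero the record before sending so a re-entrant call gets nothing.
    function refund() external {
        require(block.timestamp >= endTime && raised < goal, "no refund");
        uint256 amount = contributed[msg.sender];
        require(amount > 0, "nothing to refund");
        contributed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

The audit check this structure makes easy is the one Bok names: list every `call`, `transfer` or `send` of value in the crowdsale and confirm each is either the forward to the multisig, gated on the goal, or the refund, gated on the goal having been missed. Anything else is a finding. Note the example does not burn refunded contributors' tokens; a real sale would decide that explicitly.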
5. What are the biggest ICO smart contracts you’ve audited?
I have now worked on, or am working on, 32 crowdsale contracts. I have not kept track of which crowdsale contract raised the largest amounts. More memorable for me is the complexity of the crowdsale contracts. The top of this list comes from Digital Strategies’ Chronologic DAY token contract, followed by their Vyral Network contract (work-in-progress).
6. How are you auditing the LiveEdu smart contract?
I reviewed the smart contract source code and then built some tests around the critical areas of LiveEdu’s smart contract.
7. What are the biggest issues you’ve faced so far while auditing the smart contract? What needs to be fixed?
There are some recommended actions that can be done to improve LiveEdu’s crowdsale and token smart contract, but these are of low importance. Some of these recommendations relate to changes in the recently finalized ERC20 token standard.
8. What do you think about the LiveEdu project? How do you think it will impact the cryptocurrency world?
LiveEdu’s use of crypto-tokens as payment for its existing service will be another example of how cryptocurrencies can be used to reduce the friction in payments.