How to Create, Test & Deploy Bug-free Blockchain Applications — QuillAudits
This article takes a smart contract development life-cycle approach to the problem of smart contract security, with the aim of shipping bug-free dApps, DeFi applications and blockchain protocols.
Written by: Abhishek Sharma
Smart Contract Security is an emerging area that deals with security issues arising from the execution of smart contracts in a blockchain system.
What is a Smart Contract?
A smart contract is a piece of executable code that runs automatically on the blockchain to enforce an agreement preset between the parties to a transaction. Smart contracts have been applied in many business areas, such as digital asset exchange, supply chains, crowdfunding, intellectual property, fintech solutions and decentralized finance (DeFi).
What problems do blockchain products face, and what are the solutions?
Most projects and organizations approach a third-party auditor only after smart contract development is complete and shortly before launching the protocol on main-net, to validate its security and analyze the efficiency of the contracts. An audit of custom smart contracts takes a couple of weeks of extensive review. If the auditors find high-severity issues or a fault in the contract architecture, the development team needs several more days to address them, after which a full audit round has to take place again. This back-and-forth wastes a lot of time on repeated auditing by the audit firm and repeated fixing by the development company, and after the first report, auditing companies usually charge extra to re-check the corrections.
What is the right time to start Smart Contract Development?
Smart contract development should only start after the contract architecture has been designed and approved by a smart contract expert or consulting firm. This lets projects and protocols follow the standard software development life cycle shown in the diagram above, and lowers the risk in project development.
What standard should be followed to create and deploy bug free Dapp or protocol?
The rest of this article lays out a specific software development life cycle for smart contracts and explains how each phase contributes to a bug-free dApp or protocol.
The approach has a wider focus than vulnerability detection alone: it also covers security modeling, security monitoring, bug bounties and more. In particular, it presents smart contract security phase by phase, in a visual way, so that developers can track, control and avoid project risks systematically.
A protocol or dApp should follow this life cycle to produce a bug-free product; doing so also reduces risk and keeps the project timeline under control.
1) Consultancy by security firms:
Published guidelines for designing secure smart contracts propose five essential design principles, which together form a methodology for building secure contracts on the blockchain. For example, the principle of 'prepare for failure' says that, because there is no patching scheme for deployed code, the contract must be able to respond to bugs gracefully: if an attack such as the DAO exploit occurs, the contract must be able to pause to avoid further financial losses.
dApps and protocols should engage a consulting firm or smart contract expert from the start, so that development follows a software development life cycle, applies best practices from the initial design onwards, and stays on schedule.
This is a process that runs side by side with development: the consulting firm helps the protocol build a bug-free dApp rather than reviewing it only at the end.
Consulting firm Activities:
- Validate the architecture of the smart contracts before development starts and recommend an optimized structure.
- Recommend best practices to be followed during development.
QuillAudits' smart contract developers and architects have extensive experience in smart contract security consultation; we have validated the smart contract architecture of projects in banking, supply chain, decentralized finance, decentralized exchanges and many more.
2) Setup CI-CD Pipeline:
Smart contracts need a continuous integration pipeline during development. Let's look at what 'continuous integration' is and which features of a CI/CD pipeline help in developing a bug-free dApp.
What is continuous integration?
Continuous integration (CI) embodies a culture, a set of operating principles, and a collection of practices that enable application development teams to deliver code changes more frequently and reliably. The implementation is also known as the CI/CD pipeline.
These features help protocols and dApps ship within the proposed timeline, catching syntax errors and failing tests on every commit rather than at the end of the project.
Some of the features of CI/CD:
- Smaller code changes
- Easier fault isolation
- Faster mean time to resolution (MTTR)
- More reliable tests
- Faster release rate
- Smaller backlog
- Easier maintenance and updates
QuillPipeline helps you achieve these goals within your timeline and catch bugs early.
QuillPipeline gives you continuous assurance that your Ethereum smart contracts are safe and functional. It reports build status on every commit and runs a suite of security analyses, so you get immediate security feedback and automate the contract audit process within your development lifecycle.
QuillPipeline is a product of QuillHash Technologies that provides continuous integration for your source code: every time you push code to your repository, it runs your custom test cases and generates a report on whether your smart contracts pass them. QuillPipeline is built as a GitHub App.
What is a GitHub App?
GitHub Apps can be installed directly on organisations and user accounts and granted access to specific repositories. They come with built-in web-hooks and narrow, specific permissions. When you set up your GitHub App, you can select the repositories you want it to access.
After the development phase, the smart contract should go for a third-party audit to validate its use case and check for security loopholes.
How does QuillPipeline work?
Developers sign up and log in to the dashboard with their GitHub account, then subscribe the GitHub repositories they want continuously integrated; multiple repositories can be subscribed.
After selecting repositories in the GitHub App, developers make a fresh commit to the repository to trigger the test run; other script commands can be included as well. Once the smart contract code is pushed, GitHub sends QuillPipeline a webhook notification with the latest commit details. QuillPipeline then creates a clean environment, installs the dependencies and runs the test cases and any other scripts.
Once the dependencies are installed, the test commands are executed and the result is determined from them. If all test cases pass, the developer or organization receives the logs and a green check mark is attached to that commit on GitHub; if any test case fails, a red cross is attached instead. In both cases the developer or organization is notified on the dashboard and by email, with the test logs.
This helps projects hit their timelines and milestones: all existing test cases must pass before a new feature is built on top, so development and validation proceed in parallel and the product is held to a high quality bar.
Once a feature is implemented, combined with the other smart contract modules and pushed to the repository, it is validated instantly. Previously, without CI for smart contracts, contracts were only tested when the project was complete or when all features were being combined; catching problems at each commit saves a lot of time.
Once the project is complete and validated by the development team, they can approach the QuillAudits team for an exhaustive audit.
Note: QuillHash keeps separate consulting and auditing teams, so that an audit is never conducted by the same team that acted as consultant. Each audit is also conducted by multiple experienced auditors, so the code is reviewed by more than one pair of eyes.
3) QuillAudits smart contract security process:
Check out the Smart Contracts Security Audit Scope. Our smart contract security audit process consists of the following stages:
Stage 1) Specification gathering:
This is the most crucial stage, because detail is key to a successful smart contract security audit. Here we gather the specifications from the client to learn the intended behaviour of the smart contract; we need a summary of that intended behaviour from your side.
Stage 2) Manual review:
Goals of the manual review:
a) Verify that every detail in the specification is implemented in the smart contract.
b) Verify that the contract has no behaviour that is not in the specification.
c) Verify that the contract does not violate the original intent of the specification.
We also check that the contract has some mechanism to defend against unknown vulnerabilities. The state of Ethereum is constantly changing and nobody can say which vulnerabilities will arise in the future, so a mechanism (such as the ability to pause) must be in place beforehand.
We ensure that the contract code responds well to bugs and vulnerabilities, and that there is no unnecessary code in the contract.
=> Best coding practices are also considered in this phase.
Stage 3) Manual testing:
Manual testing is king in smart contract auditing.
a) The smart contract is manually deployed on a test network (Ropsten/Rinkeby) using the Remix IDE.
b) All transaction hashes are recorded.
c) Gas consumption and the behaviour of each function are also noted.
Stage 4) Unit testing:
Goal: Writing and running a comprehensive test suite.
=> In this stage the smart contract functions are unit tested with multiple parameters and under multiple conditions, to ensure that every path through each function behaves as intended.
=> The intended behaviour of the smart contract is verified in this phase.
=> We also ensure that the functions do not consume unnecessary gas.
=> The gas limits of the functions are verified in this stage.
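The following is an added example, not code from QuillAudits or from any audited project. It ties the 'prepare for failure' principle from the consultancy section to this unit-testing stage: a small vault with an emergency stop (a guardian key can only pause, the owner key can resume, so one compromised key cannot both freeze and drain), followed by a Foundry (forge-std) test suite that checks the specified behaviour, the unspecified behaviour that must revert, a fuzzed range of parameters, and a gas budget. The contract, role names, amounts and the 60,000-gas budget are assumptions for illustration, and Foundry is used here in place of the Remix/test-network flow described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not QuillAudits code). PausableVault implements the
// "prepare for failure" principle; PausableVaultTest is a Foundry unit test
// suite of the kind Stage 4 describes. All names, roles and budgets assumed.
// Run with: forge test -vv --gas-report
import "forge-std/Test.sol";

contract PausableVault {
    address public immutable owner;     // may unpause
    address public immutable guardian;  // may only pause (emergency stop)
    bool public paused;
    mapping(address => uint256) public balances;

    event Paused(address indexed by);
    event Withdrawn(address indexed account, uint256 amount);

    error NotOwner();
    error NotGuardian();
    error ContractPaused();
    error InsufficientBalance(uint256 requested, uint256 available);

    constructor(address guardian_) {
        owner = msg.sender;
        guardian = guardian_;
    }

    modifier whenNotPaused() {
        if (paused) revert ContractPaused();
        _;
    }

    // Separate roles limit what one stolen key can do: a compromised guardian
    // can freeze funds but cannot resume the contract or move anything.
    function pause() external {
        if (msg.sender != guardian) revert NotGuardian();
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external {
        if (msg.sender != owner) revert NotOwner();
        paused = false;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: the balance is reduced before ETH leaves,
    // so a re-entrant call sees the already updated balance.
    function withdraw(uint256 amount) external whenNotPaused {
        uint256 available = balances[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);
        balances[msg.sender] = available - amount;
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract PausableVaultTest is Test {
    PausableVault vault;
    address guardian = makeAddr("guardian");
    address alice = makeAddr("alice");

    function setUp() public {
        vault = new PausableVault(guardian);   // owner == this test contract
        vm.deal(alice, 10 ether);
    }

    // Specified behaviour: deposited funds can be withdrawn.
    function testDepositAndWithdraw() public {
        vm.startPrank(alice);
        vault.deposit{value: 1 ether}();
        vault.withdraw(0.4 ether);
        vm.stopPrank();
        assertEq(vault.balances(alice), 0.6 ether);
        assertEq(alice.balance, 9.4 ether);
    }

    // Failure paths: wrong roles revert, pause blocks deposits, owner resumes.
    function testPauseIsGuardianOnlyAndBlocksFunds() public {
        vm.expectRevert(PausableVault.NotGuardian.selector);
        vm.prank(alice);
        vault.pause();
        vm.prank(guardian);
        vault.pause();
        assertTrue(vault.paused());
        vm.expectRevert(PausableVault.ContractPaused.selector);
        vm.prank(alice);
        vault.deposit{value: 1 ether}();
        vm.expectRevert(PausableVault.NotOwner.selector);
        vm.prank(guardian);
        vault.unpause();
        vault.unpause();
        assertFalse(vault.paused());
    }

    // Many parameters and conditions at once: requests above the deposit must
    // revert with the exact error; requests at or below it must succeed.
    function testFuzzWithdraw(uint256 deposited, uint256 requested) public {
        deposited = bound(deposited, 0, 10 ether);
        requested = bound(requested, 0, 20 ether);
        vm.prank(alice);
        vault.deposit{value: deposited}();
        if (requested > deposited) {
            vm.expectRevert(abi.encodeWithSelector(
                PausableVault.InsufficientBalance.selector, requested, deposited));
        }
        vm.prank(alice);
        vault.withdraw(requested);
        if (requested <= deposited) assertEq(vault.balances(alice), deposited - requested);
    }

    // Gas limit check: 60_000 is an assumed budget agreed with the client.
    function testWithdrawGasBudget() public {
        vm.prank(alice);
        vault.deposit{value: 1 ether}();
        vm.prank(alice);
        uint256 before = gasleft();
        vault.withdraw(0.5 ether);
        assertLt(before - gasleft(), 60_000);
    }
}
```

The fuzz test is what "multiple parameters and multiple conditions" looks like in practice: Foundry generates the inputs, and the assertion on the exact custom error catches a contract that reverts for the wrong reason. `forge test --gas-report` gives the per-function gas figures noted in the manual-testing stage, and `forge coverage` highlights the lines no test executes, the same information solidity-coverage provides in the next stage.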
Stage 5) Testing with automated tools:
=> Automated tools are important to catch the bugs that humans miss.
Some of the tools we use are:
Stage 6) Solidity-coverage:
solidity-coverage tells us how effective our unit tests are by highlighting the contract code that the tests do not execute.
Stage 7) Initial audit report:
At the end, we provide a comprehensive report with the audit details and the steps needed to fix any vulnerabilities found in your contracts.
Final audit report:
After the initial audit fixes, the process is repeated and the final audit report is delivered.
After the third-party audit is done and you have the report, you can deploy the smart contract on main-net. Before that, one question about a contract that has been created, audited and deployed on main-net: is it now 100% secure?
The answer is no. A smart contract cannot be declared 100% secure, even after it has passed multiple audits.
Whatever your use case, a deployed smart contract needs a monitoring tool that gives real-time alerts on its transactions.
Now let's discuss how monitoring tools work and how they help secure smart contracts on the blockchain.
4) Smart contract monitoring tool:
What is a smart contract monitoring tool?
Smart contract monitoring tools continuously track the status of deployed smart contracts, giving the earliest possible warning of failed transactions, defects or other problems so they can be addressed.
Features of the QuillAudits smart contract monitoring tool (QuillMonitor):
- QuillMonitor helps owners and investors of ICO, STO, dApp, fintech and DeFi smart contracts subscribe to events and monitor each and every event their contracts emit.
- The monitoring tool also helps find failed or pending transactions of the smart contracts.
- Events can be polled at regular intervals to help identify malicious activity on the contracts and take precautions in time.
- Events can also be customized for a particular use case (advanced feature).
- All analytics of smart contract events are kept, and you can interact with your smart contract through the platform.
QuillAudits smart contracts monitoring tool (QuillMonitor):
QuillMonitor is a real-time monitoring tool that lets you subscribe to the events of your smart contracts and notifies you, with the event details, each time an event is fired; its advanced options also let you customize your events.
Details of the smart contract to monitor:
After logging in to QuillMonitor, you can add your own contract or create one with the 'New contract' button shown above. Your already-loaded contracts are listed as shown below; press the 'Interact' button to get details and analytics and to call functions of your smart contracts.
In the GIF above you can see a smart contract already added under 'My contracts' (contract name: Template); choose the contract you want to interact with or get analytics for.
As you can see, the user is subscribing to the contract's events: when you add a smart contract, all of its events are listed under 'Event subscription', and each subscription can be switched on or off individually.
Note: the smart contract above has only three events.
After subscribing to events you receive a confirmation mail at your registered address, one for each event.
Ownership transfer event subscription confirmation mail:
As seen above, when you click the (off) button in front of an event, a confirmation mail is sent to you and the event is subscribed. You can now interact with your smart contract and will receive a mail whenever the event is fired.
The 'Methods' button lets you interact with the functions of your smart contract: as shown below, you can call functions and send transactions to the blockchain. You can also interact with your contract through Remix or any other dashboard; whenever an event is fired you are mailed, and the full report is available under analytics.
Above, the transfer function is called through the monitoring tool; you can select any wallet to send the transaction from.
As soon as the transaction is confirmed you get a confirmation message on screen; then check your mailbox for the mail with the fired event's details, as shown below.
Knock, knock! The event has fired: you receive a mail with the event details, shown in full below.
That's all, folks! Also check out our earlier blog posts.
QuillAudits is a smart contract auditing platform designed by QuillHash Technologies. It verifies smart contracts for security vulnerabilities through a combination of expert manual review and automated tools. We conduct both smart contract audits and penetration tests to find potential security vulnerabilities that could harm a platform's integrity.
For further discussion and queries on the same topic, join the discussion on Telegram group of QuillHash — https://t.me/quillhash