The Need for Smart Contract Audits

Rob Hitchens
Published in Solidified
2 min read · Sep 15, 2017

We at Solidified came across this interesting read on Medium yesterday. It is the story of a man who, through a simple exploit, manipulated an Ethereum smart contract to obtain 153,037 Ether (that’s a lot of money!). Without much Solidity experience or knowledge of the Ethereum ecosystem, he supposedly hacked many wallets with ease.

The article ends with a debrief of the hack, and the man states his opinion on the rightness of his actions, having stolen a lot of money from numerous people. He states, matter-of-factly:

“Look, here’s the thing. If you’re holding 30 million dollars in 250 lines of code that you haven’t audited, then it’s on you. Seriously.” (1)

While fictional (read the closing paragraph), the article highlights a few glaring mistakes in the smart contract. In our opinion, an audit would certainly have caught the fact that anyone could claim ownership of any wallet, a flaw caused by the omission of a visibility declaration on a function.

It’s evident that the developer of the smart contract did not test it comprehensively, in particular for the case of “just anyone” coming along and claiming ownership of a wallet. Most importantly, a comprehensive test would verify that the contract rejects unacceptable requests; that is what prevents exploitation.
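To make the two points above concrete, here is an added example that is not the contract from the article and not Solidified’s code. `VulnerableWallet`, `HardenedWallet`, `Outsider` and `WalletTest` are hypothetical names. The vulnerable version shows the defect the article describes: an initialisation function with no visibility keyword, which compilers before Solidity 0.5.0 silently treated as `public`, so anyone could call it and claim the wallet. The hardened version declares visibility explicitly and makes initialisation one-shot. The `WalletTest` contract is the kind of test the developer should have written: it checks not only that the legitimate owner can initialise the wallet, but that an unrelated caller is rejected.

```solidity
pragma solidity ^0.4.24;

// VulnerableWallet (hypothetical): `initialize` has no visibility keyword.
// Before Solidity 0.5.0 that silently meant `public`, and nothing stops a
// second call, so any caller can make themselves the owner at any time.
contract VulnerableWallet {
    address public owner;

    function initialize(address _owner) {   // implicitly public
        owner = _owner;
    }

    function withdraw(uint256 amount) public {
        require(msg.sender == owner, "not owner");
        msg.sender.transfer(amount);
    }

    function () public payable {}
}

// HardenedWallet (hypothetical): visibility is explicit and initialisation
// can only happen once, so ownership cannot be re-claimed after deployment.
contract HardenedWallet {
    address public owner;

    function initialize(address _owner) external {
        require(owner == address(0), "already initialised");
        require(_owner != address(0), "zero owner");
        owner = _owner;
    }

    function withdraw(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        msg.sender.transfer(amount);
    }

    function () public payable {}
}

// Outsider plays the role of "just anyone": an unrelated contract that tries
// to become the owner of a wallet it did not deploy. Returns true if the
// wallet accepted the call, false if the wallet reverted.
contract Outsider {
    function tryClaim(address wallet) external returns (bool) {
        return wallet.call(abi.encodeWithSignature("initialize(address)", address(this)));
    }
}

// WalletTest: a self-contained check written in plain Solidity (no test
// framework). It deploys both wallets, initialises them as the legitimate
// owner, then verifies how each one reacts to an outsider's claim.
contract WalletTest {
    // Expected result: (true, true), i.e. the vulnerable wallet is taken over
    // and the hardened wallet rejects the attempt and keeps its owner.
    function run() external returns (bool vulnerableTakenOver, bool hardenedRejected) {
        VulnerableWallet v = new VulnerableWallet();
        HardenedWallet h = new HardenedWallet();
        v.initialize(address(this));
        h.initialize(address(this));

        Outsider o = new Outsider();
        vulnerableTakenOver = o.tryClaim(address(v)) && v.owner() == address(o);
        hardenedRejected = !o.tryClaim(address(h)) && h.owner() == address(this);
    }
}
```

Deploy `WalletTest` (for example in Remix with a 0.4.24 compiler) and call `run()`; a correct hardened wallet yields `hardenedRejected == true` while the vulnerable one yields `vulnerableTakenOver == true`. Note also that Solidity 0.5.0 and later refuse to compile a function that lacks a visibility specifier, so pinning a current compiler version is itself a cheap first line of defence against this particular class of mistake.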

The exploitation of this smart contract, together with other smart contract hacks, convincingly illustrates the need to thoroughly evaluate the correctness of smart contracts. These contracts codify legal agreements, financial obligations and other conditional logic, often with large sums of money and other assets at stake. Even formal audits may not be sufficiently comprehensive and imaginative when conducted by a single individual or team.

Solidified aims to create approachable and affordable smart contract review. We’ll be bringing the strength of the Ethereum community itself into play. We are creating a platform where smart contracts can get many qualified examinations, moving beyond the single review of a private audit firm.

We believe our platform will help prevent attacks like this by providing a channel where teams can easily and affordably confirm the readiness of their smart contracts. Please register on our website to be the first to know about our launch this November.

Come solidify your contract with us!
