How AI is Transforming Smart Contract Audits
A smart contract is a program that executes tasks autonomously with minimal or no human intervention. It runs on a blockchain and can take the form of a coin or a decentralized protocol.
According to DeFiLlama, as of mid-2024, smart contracts hold $262 billion across blockchain networks. They have become the most critical components in the industry and a primary target for hackers.
Two main forms hold most of these funds:
- As Stablecoins ($162.95B) — The majority of this market is dominated by stablecoins backed by a trusted entity that takes in USD and issues a crypto version of it. Each one always has a smart contract that allows an authorized party to mint and distribute the stablecoin.
- As Decentralized Protocols ($98B) — This category is much larger in terms of the number of protocols and is currently dominated by prediction markets, re-staking, DEX and lending protocols, i.e. applications that allow public users to become the supply side of the protocol.
This excludes native staking and token contracts that some blockchains implement at the smart contract level.
In response to market demand for security review tools, Tamago Labs has launched a new service to help projects easily review their smart contracts at a much lower cost with the help of AI technology.
The Importance of Smart Contract Audits
The crypto industry has seen several significant hacks, with The DAO hack in 2016 being the most notorious. During this incident, the hacker stole $60 million USD, which resulted in Ethereum splitting off into a new chain.
```solidity
// Vulnerable ordering, kept deliberately: the balance is zeroed only after the external call
function withdraw() public {
    uint256 bal = balances[msg.sender];
    require(bal > 0, "Nothing to withdraw");
    // Withdraw user's balance
    (bool sent, ) = msg.sender.call{value: bal}("");
    require(sent, "Failed to withdraw sender's balance");
    // Update user's balance.
    balances[msg.sender] = 0;
}
```
This hack used a reentrancy attack, which can be explained simply by examining the source code above: the balance is set to zero only after ETH has been sent to the recipient address during withdrawal.
The hacker created a smart contract that called the withdraw function again whenever it received ETH, which allowed it to drain ETH that did not belong to it. The last line of code was therefore never reached until all the ETH was stolen.
The case is a classic and can be easily patched by moving the line `balances[msg.sender] = 0;` up before the ETH is sent out of the contract.
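To make the ordering problem concrete, here is an added Python simulation (example code written for this post, not code from the original article and not Tamago Labs' tool). It models EVM call semantics with plain Python objects: per-user deposits, the contract's real ether holdings, and a recipient hook standing in for a Solidity `receive()` function. The attacker's hook re-enters `withdraw` while the contract still holds ether; the same run with the balance zeroed before the external call (the checks-effects-interactions ordering the fix above applies) shows the attacker getting back only its own deposit. All addresses and amounts are constructed for the demo.

```python
"""Toy reentrancy model: vulnerable ordering vs. checks-effects-interactions."""


class Revert(Exception):
    """Stand-in for a failed `require`: the call reverts."""


class Bank:
    """Minimal vault. `balances` is the per-user credit, `ether` the real holdings."""

    def __init__(self, checks_effects_interactions):
        self.fixed = checks_effects_interactions
        self.balances = {}   # address -> credited deposit
        self.wallets = {}    # address -> ether actually paid out by the bank
        self.hooks = {}      # address -> receive() callback for contract recipients
        self.ether = 0

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        bal = self.balances.get(who, 0)
        if bal == 0:
            raise Revert("nothing to withdraw")
        if self.fixed:
            # Patched ordering (the post's fix): effect before interaction.
            self.balances[who] = 0
        self._send(who, bal)  # interaction: control leaves the contract here
        if not self.fixed:
            # Vulnerable ordering from the post: the state update comes too late.
            self.balances[who] = 0

    def _send(self, to, amount):
        """Models `to.call{value: amount}("")`: move ether, then run the recipient's code."""
        if amount > self.ether:
            raise Revert("insufficient ether")
        self.ether -= amount
        self.wallets[to] = self.wallets.get(to, 0) + amount
        hook = self.hooks.get(to)
        if hook is not None:
            hook(self, amount)


class Attacker:
    """Malicious recipient (constructed): its receive() re-enters withdraw while funds remain."""

    address = "attacker"

    def receive(self, bank, amount):
        if bank.ether >= amount:
            try:
                bank.withdraw(self.address)
            except Revert:
                pass  # a real attack contract would swallow this with try/catch


def run(checks_effects_interactions):
    """Deploy, fund, attack; return (ether the attacker received, ether left in the bank)."""
    bank = Bank(checks_effects_interactions)
    attacker = Attacker()
    bank.deposit("alice", 3)
    bank.deposit("bob", 3)
    bank.deposit(attacker.address, 1)
    bank.hooks[attacker.address] = attacker.receive
    bank.withdraw(attacker.address)  # the attacker's single top-level call
    return bank.wallets[attacker.address], bank.ether


if __name__ == "__main__":
    print("vulnerable:", run(False))  # (7, 0): everyone's ether is drained
    print("patched:   ", run(True))   # (1, 6): attacker gets only its own deposit
```

In the vulnerable run the recursion unwinds only after the bank's ether reaches zero, and each nested frame then sets the already-meaningless balance to zero, exactly the "last line never reached until all the ETH was stolen" behaviour described above. With the fix, the nested call finds a zero balance and reverts, so the outer withdrawal pays out the attacker's own deposit and nothing more.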
Having a security expert check the code is mandatory, especially when handling funds on behalf of users. At a high level, there are three types of vulnerabilities to check before launching a project:
- Vulnerabilities caused by blockchain nature.
- Vulnerabilities caused by insecure use of the smart contract language.
- Vulnerabilities caused by mistakes in the architecture of the system.
In the next section, we will outline the various auditing options available.
Introduction to AI in Code Review
Despite the controversial headlines claiming AI will transform smart contract audits, we think AI will not replace a full security audit for at least the next 3–4 years.
However, when it comes to audits, there are two options depending on budget and project stage: (1) a full security audit, (2) a code review. Projects need to decide whether a full security audit is necessary or a code review will suffice.
AI can now replace the code reviews commonly done by developers or peers. Each code review is typically limited by the expertise of the reviewer (in our case, the knowledge we trained the AI on).
With AI, we can turn the code review process into an on-demand, low-cost and fully automated service, ensuring consistent quality and faster turnaround times.
Current Development and Value Proposition
The AI code review tool emerged from the global Move On Aptos Hackathon in July 2024, where we received 1st place in the AI x Web3 track. It is now open-source and available for anyone to use.
For those who do not want to handle API keys, the tool can be used through our main website with a limit of 3 requests per day.
The system extends the LLM with a RAG (retrieval-augmented generation) approach. This lets us supply specific knowledge on vulnerabilities and analyze source code on demand.
After the review process, the system generates comprehensive, human-readable reports similar to those produced by developers or peers in a traditional code review, ready to be shared with the community.
Below are the AI services and tools we’re using to develop the AI-powered code review tool in the current version.
- LangChain — An AI workflow orchestration framework that facilitates the interconnection between AI services and gives us a fallback option if one AI service is down.
- Claude AI — Our primary LLM, which offers advanced features such as graduate-level reasoning, undergraduate-level knowledge and coding proficiency. It is the most suitable for source code analysis.
- Voyage AI — Used to embed text into numerical representations (vectors) that machine learning models can process easily. All data is stored in a vector database.
Vector memory management currently uses an in-memory module from LangChain. We plan to transition to the more durable ChromaDB once its SDK supports the AI services mentioned above.
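As an added illustration of the RAG step described above (example code written here, not the project's open-source tool, and it calls no AI service): a term-frequency vector stands in for the Voyage AI embedding, a handful of constructed vulnerability notes stand in for the knowledge base held in the vector store, and the retrieved notes are assembled into the prompt that would go to the LLM. The code under review is the withdraw snippet quoted earlier in the post.

```python
import math
import re
from collections import Counter

# Constructed knowledge base: short vulnerability notes of the kind a RAG store holds.
# The real tool would embed these with Voyage AI; a term-frequency vector is used
# here so the example runs offline.
VULN_NOTES = [
    ("reentrancy",
     "Reentrancy: a function sends ether with call{value} or transfer before it "
     "updates msg.sender's balance. The receiving contract can call withdraw again "
     "and drain funds. Fix: update balances before the external call "
     "(checks-effects-interactions) or use a reentrancy guard."),
    ("integer-overflow",
     "Integer overflow: unchecked arithmetic on uint256 wraps around, so a balance "
     "or total supply can underflow below zero or overflow past the maximum. "
     "Fix: Solidity 0.8 checked math or SafeMath on older compilers."),
    ("access-control",
     "Missing access control: a privileged function such as mint, burn, pause or "
     "upgrade can be invoked by anyone. Fix: restrict it with an owner check or a "
     "role-based modifier."),
    ("move-capability-leak",
     "Move capability leak: a struct with the key or store ability that grants "
     "admin rights is returned or stored by a public function. Fix: keep "
     "capability resources private to the module and expose narrow entry functions."),
]

# The snippet under review: the withdraw code quoted earlier in the post.
SNIPPET = """
// Withdraw user's balance
(bool sent, ) = msg.sender.call{value: bal}("");
require(sent, "Failed to withdraw sender's balance");
// Update user's balance.
balances[msg.sender] = 0;
"""


def embed(text):
    """Stand-in embedding: unit-length term-frequency vector over word tokens."""
    counts = Counter(t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 3)
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {t: c / norm for t, c in counts.items()}


def cosine(a, b):
    """Cosine similarity of two sparse unit vectors."""
    return sum(w * b.get(t, 0.0) for t, w in a.items())


def build_index(notes):
    """Embed every note once; this is what the in-memory vector store holds."""
    return [(title, text, embed(text)) for title, text in notes]


def retrieve(query, index, k=2):
    """Return the k most similar notes as (title, score), best first."""
    q = embed(query)
    scored = [(title, cosine(q, vec)) for title, _, vec in index]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored[:k]


def build_prompt(source, index, k=2):
    """Assemble the LLM prompt: retrieved notes as context, then the code to review."""
    by_title = {title: text for title, text, _ in index}
    context = "\n\n".join(f"[{title}] {by_title[title]}"
                          for title, _ in retrieve(source, index, k))
    return (
        "You are reviewing a smart contract. Use the vulnerability notes below.\n\n"
        f"### Notes\n{context}\n\n### Code\n{source}\n\n"
        "List each finding with severity, affected lines and a fix."
    )


if __name__ == "__main__":
    index = build_index(VULN_NOTES)
    for title, score in retrieve(SNIPPET, index):
        print(f"{score:.3f}  {title}")
    print(build_prompt(SNIPPET, index))
```

The point of the retrieval step is that the prompt carries only the notes relevant to the code in front of the model, so the knowledge base can grow without the prompt growing with it; swapping `embed` for a real embedding model and the list for a vector database changes nothing in the control flow.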
Initially, we prioritize the Move smart contract language, which originated from Facebook's Diem blockchain. When Facebook shut down the project due to legal issues, former employees split into two groups: one founded Aptos, while the other founded Sui.
This also addresses the large demand from existing projects looking to port to Move-based blockchains, as well as from developers seeking to launch new projects on these networks.
Overall, the project is still in the early stages of development. The current version may contain incomplete features and bugs, so use it at your own risk. We will provide updates on the development through our blog.
Stay tuned for more, and email us if you have any questions:
Email: support@tamagolabs.com
Website: https://tamagolabs.com
Twitter/X: https://x.com/Tamago_Labs