Hosho — Smart Contract Audit
We were privileged to have a long conversation with Hartej Sawhney, Co-Founder of Hosho, the world’s premier smart contract audit company, during his recent visit to Tokyo. Hosho was founded merely a year ago, and during this time has audited over 100 smart contracts, allowing it to build up an industry-leading knowledge base of vulnerabilities and best practices. Very often, Hosho is engaged as a second or third audit firm, and identifies issues that have gone undetected before. It is also contracted by Big Four audit firms when the consulting branches of those firms develop smart contracts and the firms are prohibited from auditing their own work. In the process, “Hosho audited” has become a quality seal in the industry, sought after by investors and exchanges.
What is a smart contract audit?
A smart contract audit is a review of the code as well as the functionality of the code in regard to the white paper and/or other documentation. It also includes the complete writing of a test suite from scratch to near-100% coverage, and manual verification of any math, with the token issuance mechanism being a very large portion of that.
In a typical smart contract audit, it will be ensured that the token contract:
- Implements and adheres to existing token standards appropriately and effectively
- Has documentation and code comments that match its logic and behavior
- Distributes tokens in a manner that matches calculations
- Follows best practices in efficient use of gas, without unnecessary waste
- Uses methods safe from reentrancy attacks
- Is not affected by the latest vulnerabilities
This is achieved through the following, mostly manual steps performed by various team members:
- Due diligence in assessing the overall code quality of the codebase
- Cross-comparison with other, similar smart contracts by industry leaders
- Testing contract logic against common and uncommon attack vectors
- A thorough, manual review of the codebase, line-by-line
- Deploying the smart contract to testnet and production networks using multiple client implementations to run live tests
It should be noted that the typical Hosho smart contract audit engagement includes a re-test of identified vulnerabilities once the client has been given a chance to fix them (phases #2 and #3 in the above schematic). Other firms might charge separately for this.
Typical vulnerabilities
Naturally, Hartej is full of anecdotes of vulnerabilities that his team has found. One that was very memorable concerned a smart contract that was structured so that it actually did not release any tokens to the founders — no doubt that this founding team will think of the Hosho smart contract audit as money well spent.
By now, given the emergence of the “Hosho audited” quality seal, many audit reports are made public to soothe investors. In fact, we see a smart contract audit listed as one of the deliverables in private sale fundraising documentation, so that the audit report can be used to attract a broader investor base during the public sale/ICO.
Here are just a few other vulnerabilities that have been extracted from various public audit reports:
- Violation of purchasing limits of crowdsale participants
- Total supply of token is kept private (violation of ERC-20/ERC-223 standards)
- Incorrect addresses for sending tokens
- Crowdsale can be put on hold by any participant
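To make the checklist and the findings above concrete, here is an added Solidity illustration (not Hosho’s code, nor code from any audited project) of two of them: a sale that any participant can put on hold, and a refund path that is not safe from reentrancy, each beside the form an auditor would expect. Contract, variable and function names are assumptions.

```solidity
// Added example; the contracts and names below are invented for illustration.
pragma solidity ^0.8.0;

// Before: any caller can halt the sale, the supply is hidden (ERC-20 expects a
// public totalSupply()), and refund() clears state only after the external call.
contract CrowdsaleBefore {
    uint256 private totalSupply;                    // finding: not exposed
    bool public paused;
    mapping(address => uint256) public contributions;

    receive() external payable { contributions[msg.sender] += msg.value; }

    function pause() external { paused = true; }   // finding: no access control

    function refund() external {
        uint256 amount = contributions[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction first...
        require(ok, "send failed");
        contributions[msg.sender] = 0;                     // ...effect last: re-enterable
    }
}

// After: owner-only pause, public supply, effects before interactions, plus a guard.
contract CrowdsaleAfter {
    uint256 public totalSupply;
    bool public paused;
    address public immutable owner;
    bool private locked;
    mapping(address => uint256) public contributions;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    receive() external payable { contributions[msg.sender] += msg.value; }

    function pause() external onlyOwner { paused = true; }

    function refund() external nonReentrant {
        uint256 amount = contributions[msg.sender];
        require(amount > 0, "nothing to refund");
        contributions[msg.sender] = 0;                     // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

A test suite of the kind described in the audit section would exercise both contracts with a malicious receiver that calls refund() again from its receive function, confirming the first drains more than its contribution and the second reverts.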
Establishing an industry standard
Hosho realizes that in this nascent and quickly evolving industry, standards are needed. Therefore, the company will shortly bring major industry players together in Berlin, with the goal of establishing a non-profit association that defines standards for smart contract audits. Every member of this association would commit to adhering to these standards, so that the results of different firms become much more comparable and the bar for the industry as a whole is raised.
This article is part of our Tokyo FinTech Publication, please follow us to read more from our writers, like hundreds of readers do every day. Should you live in Tokyo, or just pass through, please also join our Tokyo FinTech Meetup.