Open in app

Sign in

Write

Sign in

Ensuring Trust and Security: The Importance of Smart Contract Audits in Web3

Veridise
Veridise
Published in
8 min readSep 28, 2023

As blockchain technology becomes more and more popular, the line between Web2 and Web3 gets thinner. Naturally, more people get interested in decentralization, blockchain and crypto. The strongest point of attraction is perhaps decentralized finance (DeFi) — its returns and opportunities make it the perfect gateway to Web3.

However, with the increasing complexity of smart contracts, the risk of hacks and security vulnerabilities has also increased. There are huge amounts of money at play in DeFi and that makes it particularly lucrative for hackers.
All this reduces the trust of many people who are looking to dip their toes into crypto and DeFi.

Navigating the Turbulent Waters of DeFi Security

Decentralized finance has been the most obvious target for hackers and other malicious players. In 2023 alone, we saw multiple significant hacks and vulnerability exploits, costing investors and protocols billions of dollars.

Here are a few instances of malicious play that stand out in 2023:

  • The Euler Finance hack: In March 2023, the lending protocol Euler Finance was hacked for $197 million in a flash loan attack. The attacker stole millions in DAI, USDC, staked Ether (StETH), and wrapped Bitcoin (WBTC). Later on, the hacker succumbed to his guilty conscience, returned over $120 million to the protocol and apologized in a series of messages sent on the blockchain.
  • The MultiChain exploit: In July 2023, the cross-chain bridge protocol Multichain experienced unusually large, unauthorized withdrawals in what appears to be a hack or rug pull by insiders, leaving many ecosystem participants perplexed. The incident resulted in losses of more than $231 million, making it one of the biggest crypto hacks on record. The unexpected outflows stripped Multichain’s Fantom bridge of nearly its entire holdings in wBTC, USDC, USDT, and a handful of altcoins.
  • The Mixin Network attack: Most recently Mixin Network, a Hong Kong-based decentralized cross-chain transfer protocol, found itself a victim of an attack. The exact losses the protocol suffered have not been confirmed yet but they are approximated at about $200 million. The incident is one of the most significant crypto heists this year and created immediate suspicion about the infamous Lazarus group being responsible for it.

Some of the hacks we have seen in recent years have happened due to poor key management, phishing and social engineering; other exploits, however, could have been easily prevented had the security vulnerabilities that lead to them been spotted and patched on time.

This highlights the importance of smart contract audits in ensuring the security and reliability of blockchain-based applications.

Why is smart contract security so important?

Smart contracts are the soul of DeFi, automating and executing agreements without intermediaries. Yet, they’re not invincible. As we already pointed out, a single vulnerability can be the Achilles’ heel, leading to significant financial losses and a tarnished reputation. Every subsequent security incident is a stark reminder that no one is immune.

What’s more, security risk mitigation is not something to set and forget — just as we saw in the Vyper compiler reentrancy attack earlier this year. The attack vector was not common and the hackers dug deep in the Vyper release history to find an exploitable issue for a large protocol with many millions at stake. It was found in an older version of the compiler, and had been fixed in all subsequent versions.

Furthermore, this hack led to an avalanche of close calls and potential liquidations as it affected the largest DeFi lending protocols on the market. This means that the outcome could have been potentially devastated for the entire Web3 industry.

Smart contracts should be audited regularly, ideally by multiple independent auditors, to prevent incidents like this from happening.

But how do you identify the most suitable blockchain security auditors for your project? Let’s dive into this.

How to choose the best blockchain security auditing firm for you

There are many companies offering blockchain security nowadays. But how do you know which one would do the best job for your dApp, protocol or project?

Here are the things you should be looking for.

  1. Expertise: When contracting a security auditing company, you need to be sure they understand the complexity and intricacies of blockchain, and will be looking for all sorts of known and unknown vulnerabilities. If you have a highly specific code that needs to be audited, say the smart contracts of a crypto wallet, a lending protocol, a ZK circuit, etc., you need to be looking for a company that has experience with that particular type of smart contracts. The same goes for programming languages — if your smart contracts are written in Solidity, look for an auditor with expertise in Solidity.
  2. Reputation and track record of success: We have seen multiple hacks and exploits happen to projects that have been audited — sometimes by multiple companies. In our everyday work, we at Veridise often catch high-severity bugs that have been missed by other auditors. Hacks happen even to audited projects and nobody is insured against creative ways of exploiting the blockchain ecosystem. But if you see a company that has a record of multiple clients getting hacked after audits, that’s a clear sign that company is rubber-stamping instead of doing a thorough job. Just as with crypto trading, it’s best to DYOR before engaging a blockchain security firm.
  3. Resourcefulness: The majority of blockchain security companies focus on traditional audits. Ideally, you need an auditor that uses all the tools at their disposal. At the end of the day any human, no matter how good they are at auditing, may miss edge cases. A hybrid model of manual audit + automated security tools makes the process much more effective and efficient.
    At Veridise, for example, we combine human-led audits with automated vulnerability detection tools that we have created (these use both program analysis and formal verification). Combining the work done by our human auditors with the security product suite we’re developing helps us identify a much larger number of attack vectors than the bugs we’d catch if we were only using one of these approaches. What’s more, combining all these methods, we are able to catch a much wider variety of security vulnerabilities (a lot of them — non-trivial!).
  4. Transparency and clear communication: Look for an auditor who is transparent about their audit process and provides detailed reports on their findings. Make sure that you have an open line of communication with your auditing company to ensure that they set clear expectations and timeline for your audit. Last but not least, you would want to hire a company that will provide you support after the initial audit report — that is, a company that will audit the bug fixes you implement based on this initial report.

What to Expect from a Smart Contract Audit

A smart contract audit is a rigorous process that involves a comprehensive review of the code to identify potential vulnerabilities and weak points.

Different companies have different approaches but here are the general stages of the auditing process that you should expect.

  1. Setting the scope and timeline of the audit. It is important to specify the exact scope and contracts that the auditors will be reviewing so that you can also set a realistic timeline for the audit together with your auditor.
  2. Code review: This is where the auditor would dive deep into your project’s documentation and review the smart contract(s) code to identify potential vulnerabilities and weak points.
  3. Initial audit report and proposed bug fixes: When the auditor is done with the code review and testing, they should provide you with a detailed report of their findings. Make sure that the report contains actionable insight for fixing the bugs discovered during the audit.
  4. Bug fixes: This is the part where the audited client steps back in and implements patches and fixes for the vulnerabilities reported by the auditor.
  5. Final audit report: At this step, the auditor verifies the bug fixes deployed by the client, and issues the final audit report.

When should you get your smart contracts audited?

Ideally, you should get a security audit before your contracts are deployed. This will help you mitigate costly errors and reputational risk.

However, as we mentioned earlier, security is not an isolated one-off action but rather an ongoing process. If you have the resources to carry out regular audits of your codebase, you significantly reduce the chances of falling victim of an exploit.

How to prepare for an audit

While the heavy lifting falls onto the shoulders of the auditor, you as a client need to do some prep work in advance. Based on our extensive experience, we at Veridise find that these are the mandatory steps required to get ready for an audit.

  • Compute the code coverage of tests: high code coverage + audit leads to lower risk than either of these approaches on their own.
  • Write additional tests to exercise the “bad path” of code. Most tests exercise the “happy path” when things go right. But for security, we need to make sure that the protocol prevents bad actions from happening. For example, test that your access controls work by having a non-owner entity call an owner-only function. Another example is AMMs, in which some basic invariants (e.g. swapping and then unswapping doesn’t profit the user) should be tested.
  • Document your code, and collect any design documents relevant to the project.
  • Decide what will be included in the scope of the audit; and
  • Reach out to the auditing firm well in advance to find a time slot that works for you.

FAQ: Unraveling the complex web of blockchain security

Q: Why are smart contract audits essential?
A: They identify and address vulnerabilities, enhancing the security and credibility of DeFi platforms.

Q: How often should audits be conducted?
A: Regularly, especially after major updates or the introduction of new features to ensure ongoing security.

Q: What’s the ROI of a blockchain security audit?
A: Beyond monetary savings, it’s about preserving reputation, trust, and the invaluable asset of customer confidence.

Your next step in the blockchain journey

A world where every smart contract is audited, every vulnerability addressed, and every protocol a bastion of security and trust is not just a utopian dream but an attainable reality. Every audit conducted, every vulnerability fixed, is a step closer to this vision.

As we navigate this journey, the question isn’t whether you can afford a blockchain security audit. The real question is, can you afford not to have one? In the intricate dance of codes and protocols, a blockchain security audit isn’t a luxury; it’s a necessity.

If you are ready to take the next step, get in touch with us to discuss your security needs:

📩 Contact us

Want to learn more about Veridise? Connect with us!

Twitter | Lens Protocol | LinkedIn | Github | Request Audit

Blockchain Security
Blockchain Security Audit
Smart Contract Auditing

--

--

Veridise
Veridise

Written by Veridise

265 Followers
Editor for

Hardening blockchain security with formal methods. We write about blockchain & zero-knowledge proof security. Contact us for industry-leading security audits.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams