Despite the recent downturn in the crypto market, there are still some extremely interesting and worthwhile projects that are undergoing development. For every Dogecoin and Elon Musk-related headline that questions the legitimacy of blockchain as a truly innovative force, there is an exciting venture that receives less attention.
While some projects inevitably don’t get off the ground, there are some that show us what blockchain can be capable of in the right hands. One such example is the Worldcoin project, which aims to equitably distribute wealth through cryptocurrencies to citizens around the world, regardless of whether they are part of the formal banking system or not. Other projects that are gaining attention are Ethereum 2.0, which introduces Proof-of-Stake (PoS) and sharding, TrueFi, which joins the competitive lending market, and PolkaFoundry, which makes creating DeFi apps and NFTs on the Polkadot blockchain easier.
A developing DeFi Ecosystem – Innovation and risk
What we have seen so far in 2021 is:
- There is a great amount of development occurring, regardless of the volatility in the crypto market.
- Much of this development is occurring in the DeFi and NFT space.
- It is becoming easier to create DeFi applications with the help of third-party development environments and services.
The DeFi space, running on smart contracts, has indeed gone from strength to strength, and while we can be happy that there is so much fertile ground for development, the rush to release new products before competitors can result in vulnerabilities that have not been given the thorough attention they need. From Hegic’s $48k to Bancor’s $23.5 million in losses, smart contract vulnerabilities can be devastating on two fronts: they not only have the ability to damage or sink a project, but also scare off investment in the wider DeFi ecosystem.
What are the common smart contract attacks in DeFi applications?
Read more in our blog post: TOP 10 recent DeFi hacks that have affected the whole industry
What is a smart contract audit?
Despite smart contracts being in the crosshairs of cybercriminals, developers frequently still adopt a “test in production” mindset, making the deployment of those contracts as part of a DeFi application especially risky.
So how can we improve security? The answer is of course a smart contract audit, which involves a specialized team looking for bugs in a smart contract’s code, analyzing areas that could be manipulated by hackers, or examining code that goes against common convention. While we often think of smart contract audits in terms of security, they can also be beneficial in terms of diagnosing areas of your application that can be made more efficient.
Whether you are a newcomer to the DeFi development market or an experienced team that needs a fresh set of eyes, a smart contract security audit can be a lifesaver, protecting your smart contracts from critical vulnerabilities that can easily become calamitous given the implications of self-executing code and immutable transactions.
Smart contract auditing – things to consider
As we detail in our blog post on building a DeFi ecosystem, creating a functional application on a blockchain is not such a simple task. There are lots of different factors to consider, from the blockchain and language used, to the development environment and workflow. Who are the members of your team? Which third-party components are being used? Have you allocated enough time for testing? What might have started out as a great idea can turn into a real headache, which is why specialized teams or dedicated CTOs with demonstrated experience are often drafted in to help steer a project to the desired outcome.
Preventing code vulnerabilities
Looking for code vulnerabilities is one of the main functions smart contract audit companies will undertake. This is a necessity, as the public-facing code DeFi is renowned for can be scrutinized and exploited by bad actors, leading to oracle manipulations, reentrancy attacks, and other bug exploits. Despite this, knowing you will get a blockchain smart contract audit report is no reason to be lax in the initial stages. Here are some ways safety can be improved in the development process before it gets to the auditors:
- Do the basic checks – Logic and numerical errors to do with incorrect calculations are common. A double-check of something seemingly simple can be vital.
- Ensure proper access control – Make sure all authorized parties have the correct access and unauthorized parties can’t slip through.
- Use security tools to test throughout development – Security testing and verification tools are everywhere and are often free. Run tests throughout the entire development process, not just with the near-to-finished product.
- Keep the code simple – Understand exactly what needs to be done and write the simplest code possible to achieve that aim. Needlessly complex code increases the risk of a security incident.
Following these steps will help protect you against smart contract blockchain attacks.
Smart contract auditing steps
Depending on the complexity of your smart contract and the reviewing team, the time estimate for a security audit of a smart contract can be anywhere from 1 day to 2 weeks, with the smart contract audit cost also varying accordingly.
While specialist companies have their own audit flows, the following steps are fairly standard for smart contract audits and will give you a good idea of what checks are likely to occur.
Project familiarization
Testers can only properly understand if the smart contract is working as intended if they understand the role it plays in the wider project. Auditors review the white paper and often ask the development team to explain their architecture.
Code freeze
Auditors then request the date of the “code freeze”, that is, the date when the code will be at the stage where it can actually be tested.
Code review
It is necessary for reviewers to understand certain aspects of the code, such as the design and the libraries that were used by developers. This gives further insight into how the project should run, and is complemented by a check of how much of the code is covered by tests. The closer the test coverage is to 100%, the fewer bugs will make their way through testing.
Automated analysis
Before the manual testing begins, a quick automated check, complemented by expert advice, can resolve some of the more obvious issues early on. If a high number of tests fail, the auditing process may need to be paused to give developers time to rework some of their code.
Manual analysis
Manual analysis is necessary because it brings to bear not only technical skill, but also an understanding of the project and the developer’s intentions. With that understanding, a manual reviewer can not only uncover problems with the code, but also test for desired functionality, review permissions, and suggest improvements through constructive dialogue with the client.
Known vulnerability analysis
A line by line audit of code against vulnerabilities is essential, testing against things such as:
- Denial of Service (DoS) Attacks
- Gas Limit Issues
- Insecure Random Number Generation
- Overflows and Underflows
- Reentrancy Attacks
- Timestamp Dependencies
- Variable Shadowing
The best practice is to list the vulnerabilities in order of seriousness: critical, high importance, medium priority, low priority.
Live testing
This involves deploying code on a local testnet, with white-hat hackers trying to manipulate the smart contract.
Audit reports / code adjustments / final audit report
Following all this extensive testing, auditors will write up a detailed report with findings and recommendations for the client, which is then worked on by the developers, with new code submitted. Depending on the number of bugs and issues raised, this process may be repeated 3 or 4 times before the auditors (hopefully) deem the project to be technically sound, with a final audit issued.
Securing your NFT
NFTs are having their moment in 2021, with everyone from graphic artists and musicians to even the NBA releasing their own non-fungible tokens. Like DeFi applications, NFTs run on smart contracts, so an audit is just as important. If a security breach occurs, you may lose your NFT forever!
Here, the smart contract auditing steps mentioned above can be applied but customized to simulate the payment and transfer of NFTs. Auditors can also provide advice on things such as regulatory compliance when assets are transferred across borders. As more countries apply taxes to the buying and selling of cryptocurrencies and crypto-related assets, the need for regulatory advice is becoming more and more pressing.
Final thoughts
While smart contracts are powering the DeFi and NFT sectors to new heights of innovation, it is important to remember that each attack erodes trust in a system that could play a large role in the future of global finance. Knowing how to perform a smart contract audit for your business is a good step in making sure your code is not just secure, but can run at optimum efficiency and deliver better value and a greater experience for the people who interact with it.
INC4 has been working with blockchain, DeFi, and smart contracts since 2014, helping over 90 projects realize their potential. For smart contract audit pricing, get in touch with our knowledgeable team today, or visit our page on smart contract development for more information.