Why Should You Audit Your Ethereum Smart Contract?

May 17, 2019


In 1994 a US computer scientist named Nick Szabo first proposed the idea of a “smart contract,” [1] which he defined as “computerized transaction protocols” that carry out the conditions of a contract.

The primary selling point of such contracts was the ability to carry out trackable and irreversible transactions without the need for a third party, thus reducing transaction costs.

One of the more notable implementations of smart contracts is Ethereum, whose contracts are written in a number of different languages such as Solidity, Serpent, and Mutan.

Most people with a passing interest in the technology will know the undoubted benefits of smart contract technology, but the truth is that the assets that exist within these contracts aren’t always as secure as we’d like to believe.

By early 2018 somewhere in the region of $4 billion was reported to be held in tokens following the ERC-20 token standard, which is a lot of currency to be sitting somewhere that isn’t always as secure as we are perhaps led to believe.

Over the years we’ve seen some pretty high-profile, and costly, examples of the technology not being as secure as it could be.

$300 million of assets frozen

Only a year ago we saw the hack known as Parity [2], which resulted in $300 million worth of assets being frozen, as yet unclaimed by their rightful owners. Around the same time the POWH coin, a self-sustaining Ponzi scheme of sorts, enticed users with the promise of dividends worth 10 percent.

Quickly growing to in excess of $1 million and a thousand ETH, it wasn’t long before 866 ETH disappeared entirely from the smart contract due to a coding flaw.

A vulnerability was found in the implementation of the contract that essentially allowed one user to authorise another user to transfer tokens on their behalf.
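The kind of defect the paragraph alludes to lives in the token's `transferFrom` path, where a contract moves funds out of one account on behalf of a caller. The following is an added example, not code from the original article, from DLT Software or from the POWH contract: a minimal Python model of the balance and allowance bookkeeping that a Solidity ERC-20 token performs (the `Token` class, `TokenError` and `audit_allowance_check` are constructed here), showing a `transfer_from` that skips the allowance check beside one that enforces it, together with the property an auditor would test against each.

```python
"""Constructed model of ERC-20 allowance accounting (not Ethereum code).

Balances and allowances are kept as plain dictionaries; raising
TokenError stands in for a Solidity `revert`, which undoes the transfer.
"""
from dataclasses import dataclass, field


class TokenError(Exception):
    """Raised where a contract would revert the transaction."""


@dataclass
class Token:
    balances: dict[str, int] = field(default_factory=dict)
    # (owner, spender) -> amount the spender may move out of owner's account
    allowances: dict[tuple[str, str], int] = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        """Owner grants spender permission to move up to `amount` tokens."""
        self.allowances[(owner, spender)] = amount

    def transfer_from_vulnerable(self, caller: str, src: str, dst: str, amount: int) -> None:
        """Defective variant: never consults the allowance table.

        Only the balance is checked, so any caller can move any account's
        tokens regardless of whether the owner approved them.
        """
        if self.balances.get(src, 0) < amount:
            raise TokenError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_from(self, caller: str, src: str, dst: str, amount: int) -> None:
        """Hardened variant: check and reduce the allowance before moving funds."""
        allowed = self.allowances.get((src, caller), 0)
        if allowed < amount:
            raise TokenError("allowance exceeded")
        if self.balances.get(src, 0) < amount:
            raise TokenError("insufficient balance")
        # Reduce the allowance first so a repeated call cannot reuse it.
        self.allowances[(src, caller)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def audit_allowance_check(transfer_fn) -> bool:
    """Audit property: an unapproved caller must not be able to move funds.

    `transfer_fn` is an unbound Token method. Returns True if it rejects the
    unapproved transfer and leaves the balance intact, False if funds move.
    """
    token = Token(balances={"alice": 100})  # constructed sample ledger
    try:
        transfer_fn(token, "unapproved_caller", "alice", "unapproved_caller", 100)
    except TokenError:
        return token.balances["alice"] == 100
    return False


def approved_transfer_example() -> tuple[dict, int]:
    """Legitimate use: alice approves bob for 40, bob moves 30 to carol."""
    token = Token(balances={"alice": 100})
    token.approve("alice", "bob", 40)
    token.transfer_from("bob", "alice", "carol", 30)
    return token.balances, token.allowances[("alice", "bob")]


if __name__ == "__main__":
    print("vulnerable enforces allowance:", audit_allowance_check(Token.transfer_from_vulnerable))
    print("hardened enforces allowance:  ", audit_allowance_check(Token.transfer_from))
    print("approved transfer ->", approved_transfer_example())
```

The audit function is the interesting part: rather than reading the code, it exercises the one behaviour that must hold (no movement of funds without an approval) and reports whether the implementation under test honours it, which is how an auditor turns a suspected defect into a repeatable check.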

The infamous Decentralized Autonomous Organisation (DAO) [3] was once upon a time considered to be the smart contract that was going to change the landscape of Ethereum altogether, a decentralized venture fund which would be the financial platform for all DApps.

On June 17th, 2016 someone managed to exploit a loophole which had been pointed out to the DAO creators some time previously only to be dismissed as not an important issue.

This loophole was exploited to the tune of $50 million, which was around a third of the total funds held by the DAO.

This simple act, taking advantage of a loophole that had been identified some time earlier by the community, resulted in the closing down of the DAO and the value of Ether taking a huge hit, with the Ethereum community later splitting into two camps: Ethereum and Ethereum Classic.

The incidents described above are only a small sample of the relatively high number of malicious hacks that have occurred in the recent past.

Negative incidents draw the attention of the media

Not every security issue found in smart contracts is related to hacking, though. There are occasions when bugs are located within the system itself, which is one of the downsides of any technology, unfortunately.

Sadly, it’s these negative incidents which are pounced upon by the media, and it can lead to a somewhat distorted view of the crypto and blockchain space in general, with many novice investors and people interested in using the technology becoming hesitant.

Another fact that those within the community will have to accept is that as technology such as smart contracts gains in popularity and is deployed across varying platforms and for different uses, we will see a higher risk of hacking and error. It’s only natural.

It’s here that blockchain and cryptocurrency technology can learn from the methods used by traditional finance.

Many see the new technology as the next step in the financial industry and often look at traditional methods as outdated and dying, which is true in many respects, but there is still a lot to be learned from how the current sector protects itself against fraudulent issues.

A financial audit is an objective, neutral evaluation of an organisation’s financial processes.

Its primary purpose is to provide regulators, directors and, most importantly, investors with an even-handed assurance that the financial statements and the methods used within the structure are accurate, legal and safe.

Anyone who believes that smart contract technology can continue to grow and find its way into more industries without measures being put in place to ensure the safety of those who rely on it is either being naive or merely underestimates the value and importance of the role that smart contracts will play in the future.

This is particularly true when it comes to the finance sector, where regulation is of enormous importance.

The answer is a smart contract security audit

To understand how a smart contract security audit works it’s important to know the three main types of smart contract.

An entirely on-chain, standard-compliant contract which has no ETH or token transfers is considered the easiest to audit, as it follows a specific set of criteria. Existing solely on the blockchain with no currency or token transfer means such contracts are not susceptible to attacks.

A little harder to audit are the fully on-chain, standard-compliant contracts which have ETH and token transfers enabled, although contracts that facilitate ICOs usually follow a specific template, which makes them easier to audit.

Off-chain contracts are considered incredibly difficult to audit, as they will involve many processes that occur outside of the blockchain. Many would describe these contracts as virtually unauditable.

The DAO case from earlier is a prime example of why high-quality auditing services should be used wherever possible. The implosion of the DAO and the subsequent loss of $50 million could most likely have been avoided if the contract had been audited.

The auditing industry at present

The truth is that the auditing industry within the blockchain and crypto space leaves a lot to be desired, with very few developers who have the skill required to audit the code and find vulnerabilities, despite demand being extremely high.

There’s a good chance that the industry will catch up eventually, but for now, it’s not that easy to find quality auditors who can do the job correctly.

DLT Software is one such company that can provide security audits for smart contracts. We operate with the firm belief that our audits can help prevent the type of attacks documented in this article, and we thrive on providing a solution which is both affordable and convenient.

Why not get in touch today and see if we can help you with your auditing needs?

[1] http://www.erights.org/smart-contracts/

[2] https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

[3] https://medium.com/swlh/the-story-of-the-dao-its-history-and-consequences-71e6a8a551ee
