smart contracts audits

Smart Contract Audits: The Ultimate Security Guide

Reading Time: 11 minutes

  •  
  • 5
  •  
  • 11
  •  
  •  
  •  
    16
    Shares

Smart Contracts audits. The A-Z Audit Process

In the lines below, you will learn what is Coinfabrik’s complete audit process from the pre-sale to the audit submission after the client confirmation.

smart contract audits flow diagram

A) Pre-sale

We are contacted by the customers asking for an audit. We ask them to send the code and documentation to evaluate its length, complexity, viability, and purpose. Once it has been analyzed by our experts, we quote it accordingly. Next, we send the calculated price and the audit duration by email. If the customer agrees on the terms, we send a formal proposal with all the details of the audit, price, terms and payment instructions.

B) Payment Confirmed

Once we receive the required upfront payment, we start to work on the audit. We start at the same time reviewing the documentation provided and going through all the code sent. If we have any questions about it, we contact the customer via chat or email. Some customers require direct contact so we open a telegram channel where we send the questions and the errors found before sending the audit document, to speed up the process and make them correct the errors before we deliver it.

C) We start to audit the smart contracts

On one hand, we check the smart contract code searching for technical coding problems, but on the other hand, we make sure that the smart contract logic makes sense with the documentation delivered by the client and that it is meaningful within the context. This is why we ask the customer to send us the documentation as detailed as possible, especially explaining the purpose of the code and its motivation behind. A clear documentation helps us in the whole security audit process and shortens unexpected delays.
Once we understand the code and its purpose, we start the code analysis. We make the pdf document described below and send it to the customer for review and correction. Generally, before sending the complete pdf audit report to the customer, we send them via chat or email the main problems of the contracts to speed up the process and make them correct the errors before we end doing the report.
Code Check:  We do not analyze the design or purpose behind the contracts unless we clearly see the main problem with it. In such case, we would need to do a consultancy prior to the audit, because the path chosen is obviously a future problem for the security of the smart contracts. At least, we run a compiler to check the code warnings. And we have our own scripts that we use to represent the code and to analyze with ease. However, not always it provides useful information.
Audit Duration: It all depends on the code you want to audit: its length, complexity, protocol, purpose and documentation provided. To have an idea, if the code is a simple crowd sale, well documented and previously scheduled, it takes about 1 to 2 weeks if everything goes smoothly and we are not working at the same time on other audits. Due to the importance of the process and quality standards we follow in the audits, only a handful of people in our team will audit the contracts. In case they are booked, you need to wait for them to be available. Please contact us and ask for the timeline requirements and send the code link to check if we can get it done on time.

D) PDF Report Delivered includes the following: 

  •  A detailed summary of what the audit process is, with the link to the smart contract to be audited and its commit and what the contract does and in which protocol it is written. It also explains what are the analyses performed.
  • The Findings: We describe what are the issues that have been found in the contract and we qualify the issues by the severity level (High, medium, or low severity issues found).
  • Enhancements: Based on code best practices, we propose some enhancements to improve the contract code semantics.
  • Conclusion: It is a short description of the most important items we remark in the whole document.

This pdf will be sent to the customer, and it can be corrected by following our recommendations. If we found that the errors have been corrected successfully, will mark these issues as fixed.
After the audit is completed and corrected by the client: with the customer’s permission, we will publish the audit in our blog under the category “/”. The client can link it back from their site and they can also use our logo to notify that their smart contract has been audited by us.

Why are the Smart Contracts Audits so important?

Smart contract security is a serious problem today. Security flaws, misbehavior, and inefficiency are very expensive when you deploy a Smart Contract to the Blockchain. Companies are especially concerned about their Smart Contract code because once it is run, there is no turning back (they are irreversible) and money can be stuck in the blockchain and lost forever.

Thus, to make sure their code is written correctly, these enterprises usually hire well known external auditors (like Coinfabrik) because they know that a problem in their code could cost a lot more money if they skip the audit. Smart contracts are used to move, store, distribute funds, errors in smart contract code and design must be minimized. Furthermore, since the appearance of the ICOs in the past few years and with their boom in 2017 and 2018, the smart contract security audits have become one of the most ordered services in the blockchain industry.

What are the types of smart contracts?

  • Fully on chain standard compliant contracts with no ether transfer (i.e. ERC20 Tokens, ERC721 Tokens): These are the easiest ones to audit since they must follow a standard, which restrings its design. Being fully on chain and having no ether transfers reduces the severity of attacks and surface area of exploits.
  • Fully on chain contracts with Ether transfer (i.e. Crowdsales/ICOs): These are a bit harder to audit since they do not follow a standard. In some cases, like in Crowdsales, there are multiple open contract implementations that contract developers can follow, which makes it easier thanks to having familiarity with the code. Still being fully on chain makes these contracts not the hardest to audit.
  • Contracts with off chain interaction: These are the hardest to audit since it involves some critical component outside of the blockchain. It can be oracles, channels, or anything else that constitutes an essential part in the flow of said contract interaction. Fully auditing these contracts can be hard or even impossible, since it may have some unreachable off chain component that needs to be trusted beforehand. Even then, we can audit these contracts assuming said parts can be trusted, as long as we take this into consideration.

What happens if smart contracts are poorly designed?

Common design issues:

  • Overengineering/High Complexity: This is a common issue in modern software development in general, especially in projects developed by multiple programmers. It is expected to see this issue in non-contract development and many people allow it as a tradeoff for faster deployment. But in contract development it is not tradeable, high complexity significantly increases the surface area of exploits, hugely reduces auditability and increases the resources used by the environment which are usually very limited and expensive (i.e. Gas in the case of Ethereum).

What are the risks involved in ICO Crowd Sales Smart Contracts?

To explain better what are the risks of building an ICO with security problems and what are its consequences, I suggest you read about the DAO or DAO history and consequences. Someone used a bug in the smart contract code to take more ethers from the caller that it could deal with stealing 3.6 million ETH within hours.

Two critical issues have been successfully used by the attacker:

  • Recursive calls in the contract were not taken into account.
  • The smart contract sent the Ethers first and then it updated the balance.

Thus, solidity code has to be written correctly and carefully in order to avoid anything similar to happen to your tokens.

This is why it is so important to perform external security audits to check the code and try to find any vulnerabilities before running the code when it is too late to go back. Consider the Security audits, not as a cost but an investment. Imagine how many funds can you lose if your code is attacked.

Do you need to book a place to audit your contracts by Coinfabrik?

Yes, definitely! Since we have limited quantity of auditors in our team, they may be working on other audits so it is important to book your place to get them done in the timeline needed. Before you ask about the pricing, please let us know when are you needing the audit completed and when would you want to start to do it.

Smart contract vulnerabilities and attacks suffered?

  • Stack overflow and underflow.
  • Reentrancy attacks.
  • Reordering attack.
  • Replay attack.
  • Short address attack.

How to Save Gas on smart contracts?

Saving gas is necessary to build an efficient smart contract. It is one of the main issues that the developers face because not all of them know how to do it correctly. The first thing they need to understand is how to optimize the code for gas saving and which instructions are the ones that consume more gas and how to avoid or minimize its use.

The Gas spent in each instruction can be referenced in the following 2 google docs :
Gas Costs1
Gas Costs2

Below are our recommendations for your contracts to save gas:

  • Do not use your contract as a data storage.
  • Consider that Create contract is one of the most expensive instructions. Do not create another empty contract in the contract.
  • Storing new data spends 20,000 gas and 5,000 gas to modify data. Avoid redundant statements of expensive statements such as SSTORE.

For example:
a)

You are assigning 50 times the accumulator sum within the for cycle running the sstore instruction 50 times and consuming 20,000 *50 gas. This code is inefficient.

b)

Whereas, in this example, you are running the storage command just once at the end of the for the cycle. The code does the same but consuming 50 times less gas.

  • Calling external contracts to consume 1400 gas. Do not separate multiple contracts if it is not necessary. You can sort this out creating multiple inheritances.
  • Use the cheapest built-in hash algorithm unless necessary. Gas consumption: ripemd160> sha256> keccak256. Use the one that consumes the less.
  • Make sure you transfer to a known address (call, send, transfer). If you send to a never seen address, you may have to pay additional 25,000 gas.
  • Try to combine the loops when you can.
    Ex:
    a)

    b) If you combine both for statements, you can save gas.


    Use local variables to save gas when you have iteration statements:


    In the above example, the “count” global variable does i assignments which consume i times the gas it consumes in the following code using a local variable.     

  • Never Call a library which if does something simple that can be done easily inside the contract. You would avoid calling the library and executing it which spends a lot of gas unnecessarily.
  • Use fixed bytes1 to bytes32 if you can limit the number of bytes. Never use bytes[] unless strictly necessary. Bytes[] takes up 31 bytes per element every time you call it.
  • When you use && operators, when you make this operation a && b, you should consider two things. 1) The cost of each statement: If a, is less expensive, you would save gas by short-circuiting when a is false and b, which is more expensive to run doesn’t count.
    2) Make sure that a is more likely to return false than b, because if a is false, b doesn’t count and you have more chances of saving gas.
  • When you use OR || operator: a ||  b, consider two things.
    1) The cost of each statement: If a is less expensive, you would save gas by short-circuiting when a is true and b doesn’t count because the complete operation is true and you avoid running b, which is more expensive to run than a.
    2) Make sure that a is more likely to return true than b, because if a is true, b doesn’t count and you have more chances of saving gas.

More information on how to save gas can be found at:

Is it expensive to Audit smart contracts?

Auditing smart contracts is one of the most critical tasks in blockchain projects because security has to be the priority to avoid important issues after the code is running. Not doing so, could lead to thousands of dollars going nowhere and lost or in a best-case scenario contracts wasting more gas than needed due to inefficiency. Keep in mind that when you manage smart contracts you are usually dealing with a lot of money of the people who trusted you. Imagine the trouble you would be in if after making a crowd sale if it is hacked and all the money is lost.
Therefore, this is why all the important exchanges online require that you perform an external audit to your tokens and smart contracts in order to protect your investors and their company listing your tokens.
With all these concerns in mind, the auditing company is reached to find possible security problems, usually in a very short time (especially in crowd sales where time is sensitive). It is a big responsibility to find bugs, possible holes and inefficiency problems in the contracts before they are run. It is an in-depth service that needs to be done correctly because a lot of money is involved in the transactions, and if an error is not found and the contract is run, there is no turning back (they are irreversible) and the funds could be lost forever, as stated above.
Furthermore, taking into account how sensitive it is, the audits need to be performed by experts in the programming field whose profiles are up to the exhaustive, meticulous work and they must have experience both in smart contract programming and security.
Our team has a dedicated department working exclusively on security audits. We are one of the leaders in this service worldwide having done more than 50 audits in the last year.

How much does a smart contract audit cost?

If you want to know the cost of auditing your smart contracts, you may need to send us the code to us (better if you send the repo github code) and the timeline to complete it. We will reply with the pricing and time it would take us to complete it. Take into account that a service like the audit is not a fixed price service because every code is different and we always need to check the code and type of code to audit before quoting it.

Who are the smart contract auditors in Coinfabrik?

We currently have 3 smart contract auditors on our team. 2 of them are devoted 100% to this task. However, 2 of them are develping smart contracts on other projects and they audit the contracts in their spare time, helping the other 3 auditors finding bugs/issues in the code.

Why is Coinfabrik a good fit to audit smart contracts?

We are a well-known web security company and have been working in the security industry for more than 20 years first under Nektra.com and now with Coinfabrik. We have 4 years of experience working on blockchain security and we audited more than 50 smart contracts in the past year that were run smoothly after they were checked by us. Taking security seriously, and since our logo is well known in blockchain market, being audited by us would give your smart contract trust and prestige to your investors/clients. We audited important ICOs as Status, mona.co, Patientory, which together raised hundreds of millions and have been successful raising funds in their crowd sales we audited.

Furthermore, we have been listed in:

Latest Coinfabrik Audits by year:

2018 Smart Contract Audits
2017 Smart Contract Audits

Conclusion

The smart contract auditing process has been planned to be as straightforward as possible because we know that most of the times audits are time sensitive due to ICO crowd sales having their fixed deadlines to be respected. Thus, to speed up the process we make sure the customer understands all the documentation and code needed, the cost to audit, how is the whole process and its ETA (delivery time). Our auditors will be notified with the details and timelines and they will start with the audit after it is confirmed. We may open a telegram group to discuss the code and documentation to clarify if we have any doubts.

Request a security audit

Our quotes and turnaround times vary according to the codebase’s length and complexity.
Contact us including your project’s website, links to your source code, and system documentation.


  •  
  • 5
  •  
  • 11
  •  
  •  
  •  
    16
    Shares