Last year was the worst year yet for Web3 hacks, with nearly US$4 billion in funds stolen, primarily from decentralized finance platforms. The cause for these events is almost always connected to bugs, exploits or other problems with the underlying smart contracts that run these services. Fortunately, developers already have access to the most powerful tool for preventing attacks: smart contract auditing. Audits involve third-party experts performing a detailed analysis of all code, identifying flaws in logic, possible exploits and ways to fix them.
While this is fundamentally essential for development teams, it’s just as important that regular investors review them as well. This can help refine investment decisions immensely and protect users from putting money into a product that isn’t up to scratch.
Why smart contract audits are necessary
When code is unaudited or not thoroughly audited, it can lead to disastrous results. Take, for example, the case of the Terra-Luna collapse. While the code had been audited, the auditors only looked for specific flaws in the smart contracts but didn’t account for the bigger picture of how the system would operate under various real-world economic conditions.
If DeFi and Web3 are going to become globally adopted by billions of users, the elephant in the room must be addressed. How is it possible for these services, processing billions of dollars in funds, to have so many critical issues? The problem lies in the smart contracts — the code that defines how various platforms and assets work together. Because of the inherent immutability of blockchains, it is essential that this code is flawless and works exactly as intended. Anything less and it is entirely possible that massive amounts of value can be compromised.
This is why most Web3 projects perform one or several code audits before deploying anything in the wild. These audits involve having technical experts review all smart contracts, looking for any issues with their logic, how they interact with one another, or possible vulnerabilities that may be present. Audits can be done internally, but it is considered best practice to have them done by a third party to ensure they are impartial and thorough.
Audits are a manual process, but can, and should be enhanced with tooling, technology and automation. Generally, having real human experts perform the final overview is the most effective approach. The auditors first look at the broader code infrastructure to understand what the project is trying to achieve. Then more specific areas of code are both reviewed and tested under various conditions. The results of these findings are compiled and given one last review, and ultimately submitted back to the development team and subsequently published online where the public can see it.
Audit reports are an essential line of defense for developers to ensure they don’t launch a broken service. However, regular users and investors should read them, too. They can provide critical insight into both the inherent risks that come with using a platform or asset, as well as how diligent and transparent the team is about resolving those risks. This information is important when real money is on the line because it can mean the difference between choosing solid services and losing everything. Furthermore, the lack of a quality audit should also be seen as a huge red flag because honest projects want to be transparent about their security.
How to read a smart contract audit
Now, let’s explain what you will likely see when looking at the results of an audit. Different audits may be presented a little differently, but they should all more or less have the same components. For starters, there should be an overview that contains various information about the project being audited. This should include the smart contract address, information on the compiler version used, what blockchain it is built on, and certain external assumptions such as privileged roles and integrations the project depends on to remain secure. This can be helpful if you are fairly unfamiliar with the project, while others may already know most of this info.
Additionally, it’s important to check the version of the code that was audited. It is possible that future changes to the code may occur and not receive a follow-up audit. It’s imperative to be aware that any change occurring after the audit may introduce bugs so strict version control and audits of changes are important.
Next, there will be the real meat of the audit: the review of all the team’s findings. There should be a list of every bug or concern found, detailed descriptions of the problem, and, most likely, some suggestions for fixing it. Issues are sorted into categories of severity, usually along the lines of minor, moderate and critical. Minor problems usually won’t put funds at risk but should be addressed. Critical issues imply an imminent threat to assets and must be fixed immediately.
Bugs found may also be ranked by how likely they are to be exploited. This is because some exploits may be devastating but difficult to pull off. Others may be fairly easy but don’t really break anything. Giving multiple parameters for assessing threats offers developers the best optics on what to address first.
Even if the descriptions of the bugs discovered are too technical, a plain English summary should outline the biggest findings and summarize the project’s health. While the detailed breakdown is more for the development team, this section will be the easiest for most users to understand and should be enough to help you decide how trustworthy a service is.
What audits often find
There’s no shortage of things that can go wrong with a platform or asset run by smart contracts. Vulnerabilities can vary wildly and be rather complex, but some common culprits exist. For example, smart contracts allowing the owner to mint or burn tokens must be used carefully. If this function isn’t implemented correctly, the possibility of an attacker using it to create or destroy millions of assets is very much on the table. Fortunately, earlier this year, this exact type of vulnerability was identified on Binance’s BNB chain before an attacker could exploit it.
Then there can be flaws in the way that transactions are verified. Nomad Bridge famously suffered an exploit created by a routine upgrade that allowed anyone to rebroadcast old transactions but simply swap in their own address. This led to a loss of over US$150 million from Nomad, not by a single attacker, but by many different users because the exploit was incredibly easy to replicate.
The examples go on, but you should now understand the importance of what security audits bring to smart contract platforms and blockchain protocols. They protect developers and users alike, as long as they are performed by trusted third parties. This is how the industry will ensure that the rest of 2023 and beyond don’t continue to see the ongoing trend that previous years have begun, and crypto can earn a better reputation in the public’s eyes.