How To Audit a Smart Contract
A smart contract audit is a detailed analysis of smart contract code to preemptively identify security vulnerabilities and find solutions that prevent exploits by malicious actors, as well as remove inefficient coding practices.
Smart contract audits are used across the DeFi ecosystem to provide an in-depth review of a protocol’s code, helping identify bugs, inefficient code, and solutions to these issues. It’s mission-critical that smart contracts are tamper-proof, making audits a key part of any blockchain project’s security process.
Code audits are important for any application, but they’re especially important for decentralized applications (dApps) because the blockchains they built on top of are immutable. If a code vulnerability leads to the loss of user funds, these funds cannot be retrieved. Over $5B has been lost to hacks in DeFi to date.
In this article, we examine what a smart contract audit actually is, how to conduct one, common smart contract vulnerabilities to look out for, Solidity gas optimization strategies, popular audit tools, and more.
<div class="educational-divider sections-divider"></div>
What Is a Smart Contract Audit?
A smart contract audit involves a detailed analysis of a protocol’s smart contract code to identify security vulnerabilities, poor coding practices, and inefficient code before identifying solutions that resolve these issues. Audits help ensure the security, reliability, and performance of decentralized applications across Web3.
During a smart contract audit, a team of security experts will review the code, logic, architecture, and security measures of the application to identify any potential issues using both automated and manual processes. They specifically look for any areas of code that could be vulnerable to malicious attacks, as well as any areas for improvement.
Smart contract code will ultimately be deployed to a blockchain such as Avalanche, BNB Chain, or Ethereum. Once the contracts are live, they can be accessed by anyone—from end-users to malicious actors—which is why all vulnerabilities must be resolved before launching or updating a decentralized application.
Once the audit is completed, auditors release a summary report that provides details about their findings, how they were resolved, and any other issues along with a roadmap for resolving outstanding issues. After a comprehensive smart contract audit, projects can deploy their contracts with confidence that the integrity of the application is secure and user funds are protected.
<div class="educational-divider sections-divider"></div>
How To Audit a Smart Contract
Smart contract audits leverage a variety of techniques and tools to mitigate weak points and make protocols more robust.
Step 1. Collect Documentation
The project being audited must start a code freeze and provide auditors with technical documentation, including the codebase, whitepaper, architecture, and any other related material. The documentation should give auditors a high-level guide of what the code aims to achieve, its scope, and the exact implementation.
Step 2. Automated Testing
Also known as a formal verification engine, automated testing checks every possible state of a smart contract and raises alerts around issues that could undermine the contract’s functionality or security. Auditors may also conduct integration tests, unit tests on individual functions, and penetration testing that probes for security vulnerabilities.
Step 3. Manual Review
A team of security experts carefully examines each line of code, identifying errors and vulnerabilities. While automated tests work well for identifying bugs in the code, human engineers are more capable of detecting problems with the contract logic or architecture, poor coding practices that are technically correct and pass automated tests, gas optimization opportunities, and weak points for common attacks such as frontrunning.
Step 4. Classification of Contract Errors
Each error is classified according to the severity of the exploit it could enable:
- Critical — Impacts the safe functioning of a protocol.
- Major — Centralization and logical errors that can lead to a loss of user funds or protocol control.
- Medium — Affects the performance or reliability of the platform.
- Minor — Inefficient code that does not put the application’s security at risk.
- Informational — Related to style or industry best practices.
Step 5. Initial Report
Auditors draft an initial report that summarizes code flaws and other issues, along with feedback on how the project’s team can fix them. Some smart contract service providers have a team of experts that help fix each bug found. By resolving all issues, projects can ensure that their smart contracts are ready for deployment.
Step 6. Publish Final Audit Report
The auditor includes all findings in a detailed final report, with all issues being marked as either resolved or unresolved. This report is given to the project’s team and is often made public so that users and other stakeholders of a protocol have full transparency.
<div class="educational-divider sections-divider"></div>
Common Smart Contract Vulnerabilities
Here are common vulnerabilities that are part of current smart contract audit checklists.
Reentrancy Issues
A reentrancy attack can occur when a smart contract function calls an untrusted external contract, enabling that external contract to drain user funds or conduct other malicious actions by recursively calling the original contract.
Integer Overflow and Underflow
An integer overflow or underflow can occur when a smart contract performs an arithmetic operation that outputs a number that exceeds the current storage capacity, leading to incorrect calculations.
Frontrunning Opportunities
Poorly structured code can reveal information about future purchases by the dApp, which other users can frontrun in order to lock in a guaranteed profit at the expense of the protocol.
Replay Attack
Replay attacks occur when data is maliciously delayed or repeated in order to subvert the receiver, especially during a hard fork event where messages on the updated system are used to extract funds from the legacy system.
Random Number Vulnerability
If a dApp seeds a random number with a publicly known number, such as a block hash, it’s vulnerable to exploitation, which is why many protocols use on Chainlink VRF for randomness.
Function Visibility Errors
Functions intended to be private must be defined as private, as the default visibility property in Solidity is public. If public, anyone can call the function.
Centralization Risks
Centralization introduces single points of failure that can undermine the security of a protocol if a single private key or similar is compromised. Timelocks and granting privileges to DAOs are common techniques that deal with centralization risks.
Unlocked Compiler Version
There are a number of compiler versions for Solidity. dApps should lock the version of the compiler they use so that users cannot compile it with a different version, which could lead to different bytecode and unintended complications.
<div class="educational-divider sections-divider"></div>
Solidity Gas Optimization
Gas refers to the fees required to carry out specific operations on the Ethereum network. Gas optimization is the process of making smart contract code less expensive to execute, which becomes increasingly important as projects scale and require more gas to operate. It also helps protect against malicious misuse of a protocol.
Techniques for Solidity gas optimization include:
- Enabling the Solidity compiler optimizer, which minimizes the size of the code.
- Minimizing the amount of on-chain data required.
- Freeing up unused storage space.
<div class="educational-divider sections-divider"></div>
Smart Contract Audit Tools
Popular smart contract security audit tools include:
- Cyfrin Aderyn – An open-source Rust-based Solidity AST analyzer for automatically analyzing your codebase and finding vulnerabilities in an easy-to-digest format.
- Echidna – A Haskell program designed for fuzzing/property-based testing Ethereum smart contracts.
- Ethlint – Analyzes Solidity code for style and security issues and helps resolve them.
- Mythril – Security analysis tool for EVM bytecode that uses symbolic execution, SMT solving, and taint analysis to detect a variety of security vulnerabilities.
- MythX – Automatically scan for security vulnerabilities in Ethereum and other EVM-based blockchain smart contracts.
- Rattle – An EVM binary static analysis framework that uses a flow-sensitive analysis.
- Slither – Static analysis of Solidity source code for security vulnerabilities and best practices.
- Solgraph – Generates a DOT graph that visualizes function control flow and highlights potential security vulnerabilities.
- Scribble – Specification language and runtime verification tool that translates high-level specifications into Solidity code.
<div class="educational-divider sections-divider"></div>
FAQs
How much does a smart contract audit cost?
Smart contract audits typically cost $5,000 to $15,000, although this can be higher depending on code complexity and technical support requirements.
How to become a smart contract auditor?
Smart contract auditors must have a high-level understanding of software engineering, know a language specific to a specific blockchain environment such as Solidity for Ethereum, and understand key verticals like decentralized finance. Auditors typically earn between $100K and $250K, with some earning $400k+.
How to prepare for a smart contract audit?
Prepare for a smart contract audit by cleaning up the codebase, collecting all documentation, and then freezing the code. Learn more in this post from Hacken.
How long does it take to audit a smart contract?
The time to complete a smart contract security audit depends on the size and complexity of the code. While a simple token contract could be audited within 48 hours, a complete decentralized application could take multiple weeks to audit.
What’s involved in a professional audit process?
Watch Patrick Collins, co-founder of smart contract audit company Cyfrin, and security researcher Tincho walk through their exact auditing process that resulted in a $100,000 bug bounty payout, as well as Patrick’s bug bounty tutorial on top strategies for finding smart contract vulnerabilities.
How do I choose a smart contract auditor?
Feel free to reach out to our technical experts if you’re looking for an auditor recommendation.