In 2020, decentralized exchanges (DEXs) caught fire on the back of the DeFi boom. The total value locked in DeFi soared from $650 million in January 2020 to $15.5 billion by the end of the same year, an increase of 2,400%. In this climate, smart contracts are attracting attention across industries, since they are considered the backbone of DeFi. Market Research Future estimated that the global smart contract market will reach $300 million USD by 2023, a CAGR of 32%.
A smart contract is a decentralized application that self-executes an agreement between two or more parties when certain pre-defined conditions are met. Put simply, a smart contract works like a vending machine. A vending machine is designed so that 1) if the user inserts money and 2) the selected item is in stock, then 3) the item is dispensed. Here, 1 and 2 are the pre-defined conditions of the smart contract; once all conditions are met, 3 is executed.
First introduced with the launch of Ethereum, smart contracts are now used in a wide range of fields, including the exchange of monetary instruments (e.g. shares and bonds), real estate contracts, agreements between legal entities, and many more. The main features of smart contracts are that they eliminate the need for a middleman and that they are immutable. The latter means that once a smart contract is deployed, it can never be modified. Seen from a slightly different perspective, this poses a serious problem: malicious hackers can look for vulnerabilities in the code and seize the assets locked in the smart contract.
This article highlights the importance of smart contract auditing: the process of reviewing a smart contract, documenting any flaws and any potential for future bugs, and finding coding errors that could expose users to risk. We also take a look at several audit companies and at the general process by which smart contract audits are conducted.
The DAO Hack
In May 2016, The DAO organization suffered a devastating incident in which its smart contract was hacked and over $70 million worth of funds were drained. The DAO was a governance model for crowd investment that operated without any centralized authority; instead, the rules of interaction for The DAO were set by instructions residing on the blockchain. First, smart contracts were written by the group of people running the organization. Next, investors added funds (ETH) to the pool and received DAI tokens in exchange (100 DAI for each Ether deposited). Holders of DAI were given the right to vote in the selection of projects to be funded. Once the funding period was over, The DAO began to operate: investors made proposals for different projects and voted on which projects would be eligible for funding. The pool of funds amounted to $150 million from more than 11,000 investors.
Unfortunately, an attacker found a vulnerability in the smart contract code and managed to siphon 3.6 million Ether into a “child DAO” account with the same structure as The DAO. The price of ether dropped from over $20 to under $13 on the same day. At the time, safety design patterns for Solidity smart contracts had not yet been developed, and there was no standardized method for conducting a proper technical audit. The DAO hack remains the most infamous smart contract exploit, and it highlighted the importance of smart contract audits.
So How Does Smart Contract Auditing Work?
Smart contract auditing is a technical assessment of code by ethical hackers known as “white hats”. White hats test the code and write a report based on their analysis. This gives contract developers a chance to identify potential bugs or vulnerabilities before the smart contract is deployed. The audit process varies from company to company; according to SecureLayer7, the general procedure includes the following steps:
1. First, the auditors review the smart contract and complete a background check on it. A discussion session with the contract developers is held to gain a comprehensive understanding of the contract.
2. Next, a threat profile of the contract is prepared, along with a review plan that guides the rest of the audit.
3. Test Run & Analysis: Based on the plan and the threat profile, the audit proceeds with a hybrid approach. First, a static assessment of the contract is performed with the automated tools available for smart contract auditing. Then a dynamic assessment is carried out by manually attacking each item listed in the threat profile and reviewing the specific vulnerability. The dynamic assessment starts at the component level and then moves up, finally assessing the program as a whole.
4. Once the analysis is complete, a full list of all vulnerabilities found in the smart contract is included in the final evaluation report, along with detailed remediation measures.
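As an added example (not code from this page, SecureLayer7, or any audit firm named here), below is a toy version of the automated static check in step 3, run over two constructed Solidity withdraw functions: one with the pay-out-before-bookkeeping ordering that let The DAO be re-entered and drained, and the same function reordered to the checks-effects-interactions pattern. The snippets, regexes and function names are my own assumptions; real tools such as Slither analyze the AST rather than source lines.

```python
import re

# Constructed Solidity fragments (not code from the page or any audited project).
# VULNERABLE pays out before zeroing the balance, the ordering that let The DAO
# be re-entered; HARDENED applies the checks-effects-interactions order.
VULNERABLE = """
function withdraw() public {
    uint amount = balances[msg.sender];
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "transfer failed");
    balances[msg.sender] = 0;
}
"""

HARDENED = """
function withdraw() public {
    uint amount = balances[msg.sender];
    balances[msg.sender] = 0;
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "transfer failed");
}
"""

FUNC_START = re.compile(r"^\s*function\s+(\w+)")
EXTERNAL_CALL = re.compile(r"\.(call|send|transfer)\b")      # ETH-sending primitives
STATE_WRITE = re.compile(r"^\s*\w+\[[^\]]*\]\s*(=|\+=|-=)")  # e.g. balances[x] = 0


def find_call_before_write(src: str) -> list:
    """Return names of functions in which an external call is followed by a
    storage write (interactions before effects). Toy line-based scan: one
    function per 'function ... {' / '}' pair, nested blocks not handled."""
    findings = []
    name, seen_call = None, False
    for line in src.splitlines():
        m = FUNC_START.match(line)
        if m:
            name, seen_call = m.group(1), False
            continue
        if name is None:
            continue
        if EXTERNAL_CALL.search(line):
            seen_call = True
        elif seen_call and STATE_WRITE.match(line):
            findings.append(name)   # report once per offending function
            seen_call = False
        if line.strip() == "}":
            name = None
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_call_before_write(VULNERABLE))  # ['withdraw']
    print("hardened:", find_call_before_write(HARDENED))      # []
```

A finding from a check like this is a lead for the manual, dynamic part of step 3, not a verdict: the auditor still confirms whether the call target can re-enter and whether a guard elsewhere blocks it.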
Luniverse Blockchain and Audit Firms
The Luniverse Blockchain has partnered with three leading smart contract audit firms: SOOHO, CertiK, and Quantstamp. Among these, Luniverse has successfully completed audits by SOOHO and CertiK. We take a look at each company and the distinctive features of its auditing process.
SOOHO provides a comprehensive, automated, DB-based security compliance platform. Not only can it audit smart contracts, it also allows customers to flag compliance issues, automatically generate reports, track the geographical locations of transactions, and audit transactions in real time.
URL: https://sooho.io
The Luniverse main token successfully passed an audit by CertiK. The main features of CertiK include the following:
1. Layer-based decomposition approach
2. Pluggable proof engine
3. Machine-checkable proof objects
4. Certified DApp libraries
5. Smart labeling
URL: https://certik.io
Quantstamp has developed a decentralized security network for smart contract auditing. With this solution, users can run automated smart contract security reviews on a global network of decentralized security nodes. Quantstamp uses a proof-of-audit method that validates the protocol's security audits and rewards participants with Quantstamp Protocol tokens (QSP) for contributing computing resources that validator nodes may use to check smart contracts. Additionally, the platform provides expert security audits for clients' blockchain projects and a 24/7 security monitoring tool.
URL: https://quantstamp.com
The fact that blockchains are secure does not mean that their applications are also secure. With the number of decentralized applications (DApps) growing exponentially, security audits of smart contracts have become a necessity. Auditing is particularly important for organizers who wish to attract a large number of investors (e.g. in an ICO), to ensure that all assets are safely secured. Inefficiency, misconduct and security flaws turn out to be very costly when smart contracts are deployed on a blockchain. The procedure is neither easy nor quick, so smart contract-based projects should budget both time and money to protect their assets from external threats.