Do you really need to audit your smart contracts? A non-technical perspective

Ravi Kiran
Jan 20, 2021

What are Smart Contracts?

A contract can be understood as an agreement between two parties that a promise will be kept. It includes a service from one party and a return service or a monetary payment from the counterparty. Any disputes are settled by law enforcement authorities acting as third-party arbitrators.

The elements of a contract are as follows:

· An offer

· An acceptance

· Intention to create a legal relationship

· Monetary consideration

Smart contracts carry the same meaning, except that they are enforced by computer code. “The code is law” is the motto behind a smart contract, meaning that it requires no third-party intervention at all. The whole job of a third party, including mediation and settlement, can be done by the code in a completely trustless manner. Factors such as human error, bias, data manipulation and so on can be mitigated if we give control to well-defined code, which is further powered by blockchain.

We have to note that any automation requires a great deal of trial and error before it achieves perfection, or to be precise, ‘near perfection’. We have seen robots evolve from doing simple math calculations to being artificially intelligent. A similar pattern can be seen in the case of smart contracts. One important ingredient that differentiates humans from computers is ‘cognitive ability’. Computers function on algorithms rather than morals. The algorithms function merely on ‘if that, then this’ conditions, which occur naturally to humans as situations arise. For computers, on the other hand, these conditions are ‘programmed’ in, and the efficiency of the automation relies completely on the number of such conditions and respective responses added to the code. For humans, the creators, it is almost impossible to imagine every situation that may arise in a mutual agreement, that is, a contract, and hence there is a possibility of missing certain aspects and perspectives while writing the automated contract. Any malicious actor can take advantage of these vulnerabilities and manipulate the contract in his/her favor. We do have the ability to rectify the vulnerabilities as they are discovered, but by then, funds may have already been lost.

An example can be seen in the case of Decentralized Finance (DeFi). While it has gained tremendous popularity, its vulnerabilities have already resulted in huge losses running into millions of dollars.

Some of the known attacks are:

· The DAO attack, or the famous ‘reentrancy’ attack, which resulted in a loss of 3.6 million Ether

· Parity multi-sig attacks that once led to a loss of 150,000 Ether and, in another instance, to funds being frozen permanently inside the contract.

· Timestamp dependency and front-running attacks, which are indirect forms of attack

· A series of ‘oracle’ manipulations that created an imbalance in the exchange prices of different cryptocurrencies for considerable amounts of time. This gap was enough to steal millions in funds again.

· The latest trend of attacks enabled by flash loans, a revolutionary concept in DeFi that lets borrowers take out huge loans without providing any collateral. More information is at the link below.

https://blog.quillhash.com/2021/01/12/flash-loan-attack-explained-part1-defi-in-out/

· The less emphasized ‘denial of service’ attacks carried out by professional (malicious) users, which cause the requests made to be reverted altogether and so affect the average user. Again, an indirect form of attack.

These are some of the known vulnerabilities at the time of writing. Many such attack vectors have been rectified, and yet 2020 saw a series of the worst hacks in history. This suggests that these vulnerabilities have existed all along, but were only cashed in on when the time was ripe. The only way to protect smart contracts is to increase their security, and a reliable third-party audit is the need of the hour.

What is an Audit?

An audit is a comprehensive security inspection that examines every line of the code, both to find any vulnerability and to prove that the contract shows the desired behavior according to the specifications. It is like testing a newly built bridge before it is opened to the public. Since smart contracts are self-executing, it is essential to find the flaws before they are publicly released.

Usually the verification is done both manually and automatically, using different tools, to check each function individually and also how the functions behave collectively. Then the contract is tested in a simulated environment where white hat hackers try to penetrate it. This way, the original author gets different opinions from professionals regarding the robustness of the code, and suggestions can be made to rectify the code before it gets deployed on the mainstream network. So ultimately, getting a third-party audit is a collective team effort that ensures maximum potential for the success of a project.

The steps involved in a security audit of a smart contract are:

  1. Establishing the smart contract’s purpose: This involves gathering the specifications, generally outlined in the ‘whitepaper’ of the project. It helps the auditors understand the intended behavior of the project, nothing more and nothing less. The unit test cases written by the developers at the time of compiling the code are to be specified here.
  2. Preliminary Review: The provided codebase is reviewed to make sure it is well structured before it is subjected to a series of automated testing tools.
  3. Automated Testing: Next comes automated testing using different tools and libraries to make sure there are no syntactical or runtime errors in the smart contract. ‘Static analysis’ is testing done without running the smart contract on a blockchain. It makes sure that the smart contract adheres to the specific standards and also highlights the known vulnerabilities and other bugs present in the code.
    Some of the tools used in static analysis are:
    - Mythril
    - Slither
    - Securify
    - SmartCheck
    The purpose of static analysis is to find errors before the contract is ready to run on a blockchain. It is therefore not to be considered a complete security analysis.
    Next comes dynamic analysis of the code and, as anyone can guess, this testing is done while the code is running. It checks how the smart contract performs on a blockchain by feeding it dummy input values in a simulated environment. Fuzz testing and formal verification fall under this category.
    Some of the dynamic analysis tools are:
    - Echidna
    - Manticore
    - sFuzz
  4. Unit testing: All the unit test cases are put to use in this step to provide a detailed report on the responses given by the contract at the end.
  5. Manual testing: Line by line inspection is done by professional individuals in a very careful manner to find any vulnerability that the automated tools may have missed.
  6. Initial Audit Report: An initial audit report detailing all the critical, major and minor bugs identified, along with the recommendations from the experts on how to solve or minimize the effects will be provided. Then the developers will get some time to refactor the code based on the suggestions before they send it back for another review which includes all the above steps repeated again. This is to check whether or not the bugs mentioned in the initial report are fixed.
  7. Final report: The final report is then submitted to the developers highlighting the remaining issues that are open as well as the fixed bugs.
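
The dynamic-analysis step described above, as an added example that is not part of the original post: a random call-sequence fuzzer checks a specification invariant against a toy Python model of a deposit/withdraw contract. The `Vault` class, its missing balance check and the invariant are assumptions constructed for illustration; they are not taken from any real contract or tool.

```python
import random

class Vault:
    """Toy in-memory model of a deposit/withdraw contract (constructed for this example)."""
    def __init__(self, check_balance):
        self.check_balance = check_balance  # False models a forgotten balance check
        self.balances = {}                  # per-user ledger
        self.held = 0                       # funds the contract actually holds

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount
        self.held += amount

    def withdraw(self, user, amount):
        if self.check_balance and amount > self.balances.get(user, 0):
            raise ValueError("insufficient balance")  # the call reverts
        if amount > self.held:
            raise ValueError("vault empty")           # the call reverts
        self.balances[user] = self.balances.get(user, 0) - amount
        self.held -= amount

def invariant(vault):
    """Property from the specification: no negative balance, ledger equals funds held."""
    return (all(b >= 0 for b in vault.balances.values())
            and sum(vault.balances.values()) == vault.held)

def fuzz(check_balance, runs=200, steps=20, seed=1):
    """Feed random call sequences; return the first sequence that breaks the invariant, else None."""
    rng = random.Random(seed)  # fixed seed so a finding can be reproduced
    for _ in range(runs):
        vault, trace = Vault(check_balance), []
        for _ in range(steps):
            call = (rng.choice(["deposit", "withdraw"]), rng.choice("ABC"), rng.randint(1, 100))
            trace.append(call)
            try:
                getattr(vault, call[0])(*call[1:])
            except ValueError:
                continue  # a reverted call leaves the state unchanged
            if not invariant(vault):
                return trace  # the sequence goes into the audit report as evidence
    return None

if __name__ == "__main__":
    print("without balance check:", fuzz(check_balance=False))
    print("with balance check:   ", fuzz(check_balance=True))
```

The failing sequence returned for the unchecked version is the kind of evidence an initial audit report would attach to a finding; rerunning the same fuzzer after the fix corresponds to the re-review in step 6.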

It should be noted that an audit does not mean a guarantee that the smart contracts are impenetrable; instead it fosters a discussion ground to take the best security measures that ensure maximum safety from the attackers.

With that being said, there is always scope for improvement in this area. In addition to the security audit, a constant surveillance service that monitors the activity on the deployed contract is recommended. It ensures that unusual activity is sent for scrutiny before any mishap takes place.

This is the first of many more posts to come from me. Please do the honor of giving your valuable feedback and comment any suggestions as you’d like. Until then Adios my people!!
