Professional Documents
Culture Documents
September 2022
Prepared By :
Cyberscope Team
01.
Introduction
02.
The Problem -
CONTENTS
Cryptocurrency Hacks
03.
What Is a Smart Contract
Audit
04.
The Benefits of a Smart
Contract Audit
05.
How To Do a Smart
Contract Audit
06.
Common Vulnerabilities
07.
Free Smart Contract Audit
Tools
08.
Smart Contract Audit
Costs
09.
Conclusion
Introduction
$500M
$250M
$0M
le
ox
k
ec
or
or
ho
tG
w
ch
m
et
et
M
in
or
N
Co
W
ly
n
ni
Po
Ro
Cryptocurrency hacks have been on the rise this year. $1.9 billion
worth of cryptocurrency has been stolen in hacks of services,
compared to just under $1.2 billion at the same point in 2021.
There are usually two main parties that are interested in smart
contract audits, investors and blockchain developers.
For developers, on the other hand, a smart contract audit will help
them identify potential issues in the code that they might have
missed. An experienced auditor will identify quickly potential flaws
in the business logic and vulnerabilities and help them fix them
before taking the project live.
How To Do a Smart
Contract Audit
Generally, smart contract security audits are performed by cyber
security firms that are specialised in finding code vulnerabilities.
That said, if you are well-versed in programming languages like
solidity or rust, there are certain checks you can perform by
yourself before consulting with an expert.
Before deeping into the code, the first thing you need to do is to
define the scope of your audit. There are many aspects to smart
contract audits from checking the business logic, analysing
transaction costs or gas, performance review and checking for
vulnerabilities. Defining your audit scope will help you come up
with a test plan and a strategy on how you will audit the smart
contract.
Once you have come up with your test strategy, you will need to
start thinking about what tools to use to make your life easier.
Some smart contracts can be quite large and dynamic to be
monited effectively manually. In some cases, even after a project
goes live, you need a system to continually monitor the
transactions and inform the participants immediately if something
fishy is discovered. Here are some popular tools auditors use as
part of their process: Slither, Securify, SmartCheck, Oyente, Mythril,
MythX, Remix plugins and more.
After identifying the right tools for you, it’s time to get to work. The
tools above will give some initial findings that they might be able
to detect like suicidal functions or reentrancy vulnerabilities, but
it’s up to you, the auditor, to go line-by-line and check for further
vulnerabilities or optimisations that can be made.
Common
Vulnerabilities 1
Lack of Verification Checks
One of the most common issues seen in smart contracts is the
lack of verification of the function parameters. Certain operations
need to have necessary checks in order to be valid and most of the
times developers forget or omit to add these checks to their code.
Re-entrancy Attacks
A reentrancy attack happens when a function in the smart
contract calls another external one in an untrusted contract. Then
the untrusted contract that is being calls makes a recursive call
back to the original function in an attempt to drain the funds of
the initial contract.
When the contract fails to update its state before sending funds,
the attacker can continuously call the withdraw function to drain
the smart contract’s funds. At the time of this writing the most
recent re-entrancy attack was on the Fei Protocol. In April 2022, it
became the victim of a $80 million hack that was made possible
by its use of third-party code containing re-entrancy
vulnerabilities.
Common
Vulnerabilities 2
Gas Optimization
Not a vulnerability per see, but gas analysis during smart contract
audits is an important aspect of the process. Blockchain networks
need to use ‘gas’ to cover the costs of transactions. Gas prices may
vary depending on the complexity and the length of the smart
contract. So it goes without saying that you should always check
your code for any unused functions. A good example of that is the
SafeMath library. If you only use the uint256, add a function for the
operations you need and then remove the rest from the contract.
Incorrect Calculations
Another common vulnerability with smart contracts is incorrect
calculations. This vulnerability, also referred as arithmetic
underflow or overflow, means that if some calculations are left
uncheck the result that the calculation will product will be a
number outside the range of the data type that stores them are
performed. For example a uint8 variable, can only store integers
between 0 and 255. Trying to store any value higher than 255 into a
uint8 will result in zero. This can cause problems when performing
calculations causing your smart contract to malfunction.
Mint/Blacklist Functions
Finally, we couldn’t leave outside common functions like the mint
token function and the blacklist function. These functions might
be used maliciously by the project owner to turn the contract into
a ‘honeypot’, meaning no-one can sell any tokens. If you find these
functions in the smart contract of a token you are looking to invest
in be very cautious and make sure you understand why they exist.
Free Smart Contract
Audit Tools
If you are not familiar with programming and you are looking to
review a smart contract without an audit report there are a few
free tools you can use.
Then you get to see a full report from the smart contract analysis,
as well as some key indicators like if the contract ownership is
present or renounced, if the contract is a proxy and if there is an
audit or KYC attached to that contract amongst others. Finally, you
can see the similarity of the code of your contract versus popular
forks. This will help you understand if it’s minted from a specific
platform and how unique it is.
Safescan
The final analysis report shows all the related findings to the user
in order to help him understand some of the wallet's past history.
It is a great tool to help investors check the past transactions of
the project team to make sure there are not any suspicious
activities.
Smart Contract Audit
Costs
A smart contract audit can set you back from a few hundred
dollars to a few hundred thousand depending on the complexity
of your smart contract. Auditors will usually give you a
personalised quote based on your contract complexity, the
number of lines of code and the business logic behind it.
Contact Us
@coinscope_admin
contact@cyberscope.io