WHITEPAPER

Smart Contract Audit:

Securing your Blockchain Project

September 2022

Prepared By :
Cyberscope Team
 01.
Introduction

02.
The Problem -
CONTENTS
Cryptocurrency Hacks

03.
What Is a Smart Contract
Audit

04.
The Benefits of a Smart
Contract Audit

05.
How To Do a Smart
Contract Audit

06.
Common Vulnerabilities

07.
Free Smart Contract Audit
Tools

08.
Smart Contract Audit
Costs

09.
Conclusion
Introduction

Cryptocurrencies have been one of the most discussed and

controversial innovations of the past decade. Blockchain
technology, that is powering cryptocurrencies has seen many uses
in the past years from payments to supply-chain management
and many more.

One of the most important aspects of blockchain is smart

contracts. It’s what makes blockchain technology go beyond a
simple virtual currency and allows terms to be executed as part of
a transaction. It goes without saying that making sure that all the
terms (or code) that are included in the smart contract need be
flawless in order to make sure that the transaction is not exploited
by malicious actors. And that’s where smart contract audits come
in. ​In this whitepaper, we’ll give you a complete overview of what
are smart contract audits, how they work, why they are needed
and some free tools that will help you with your smart contracts.
The Problem -
Cryprocurrency Hacks
Biggest Cryptocurrency Hacks
$750M

$500M

$250M

$0M
le

ox

k
ec

or

or
ho

tG

w
ch
m

et

et
M

in
or

N
Co
W

ly

n
ni
Po

Ro

Cryptocurrency hacks have been on the rise this year. $1.9 billion
worth of cryptocurrency has been stolen in hacks of services,
compared to just under $1.2 billion at the same point in 2021.

These cryptocurrency hacks range from simple scams to

complex code exploits of large exchanges that are investing
millions in cyber security. It seems like news of a hack or scam is
released at least once every two weeks. And while most
cryptocurrency users and companies are careful and take data
safety seriously, not everyone is so diligent. That's why smart
contract audits have rises so much in popularity and necessity
recently.
What is a Smart
Contract Audit?

A smart contract audit is a process during which a smart contract

is thoroughly analysed and reviewed for any potential
vulnerabilities. The auditor will review the business logic and the
code of the contract and will make sure that there are not any
flaws that can be exploited.

Smart contract audits will usually include a report that will be

shared with the relevant parties (usually investors and the
developers of the contract) detailing all suggested improvements
to address any performance and security issues.

The auditors typically work closely with the developers of the

smart contract to make sure all potential vulnerabilities are
addressed. It is at this stage that the final report will be made
public to the investors of the project to decide whether they want
to invest in the project or not.
The Benefits of a Smart
Contract Audit
With cryptocurrency scams reaching all-time highs and the most
recent one (at the time of writing this) reaching a whopping
$614M it is imperative for everyone interacting with smart
contracts to make sure they are properly audited.​

There are usually two main parties that are interested in smart
contract audits, investors and blockchain developers.

For investors, it is a crucial part of their research process

(commonly referred to as DYOR). They want to make sure the
project they will invest in is free of any potential exploits and the
developers have taken all the suggested actions suggested by the
auditors. It is not uncommon for developers to purposely create a
malicious smart contract in order to take advantage of investors. If
you are thinking of investing in a new cryptocurrency make sure
it’s properly audited and read thoroughly the audit report to make
sure your investment is safe.

For developers, on the other hand, a smart contract audit will help
them identify potential issues in the code that they might have
missed. An experienced auditor will identify quickly potential flaws
in the business logic and vulnerabilities and help them fix them
before taking the project live.
How To Do a Smart
Contract Audit
Generally, smart contract security audits are performed by cyber
security firms that are specialised in finding code vulnerabilities.
That said, if you are well-versed in programming languages like
solidity or rust, there are certain checks you can perform by
yourself before consulting with an expert.

Before deeping into the code, the first thing you need to do is to
define the scope of your audit. There are many aspects to smart
contract audits from checking the business logic, analysing
transaction costs or gas, performance review and checking for
vulnerabilities. Defining your audit scope will help you come up
with a test plan and a strategy on how you will audit the smart
contract.

Once you have come up with your test strategy, you will need to
start thinking about what tools to use to make your life easier.
Some smart contracts can be quite large and dynamic to be
monited effectively manually. In some cases, even after a project
goes live, you need a system to continually monitor the
transactions and inform the participants immediately if something
fishy is discovered. Here are some popular tools auditors use as
part of their process: Slither, Securify, SmartCheck, Oyente, Mythril,
MythX, Remix plugins and more.

After identifying the right tools for you, it’s time to get to work. The
tools above will give some initial findings that they might be able
to detect like suicidal functions or reentrancy vulnerabilities, but
it’s up to you, the auditor, to go line-by-line and check for further
vulnerabilities or optimisations that can be made.
Common
Vulnerabilities 1
Lack of Verification Checks
One of the most common issues seen in smart contracts is the
lack of verification of the function parameters. Certain operations
need to have necessary checks in order to be valid and most of the
times developers forget or omit to add these checks to their code.

A common case of such vulnerability might include missing

checks to see if an unauthorised user has enough balance to
perform a specific operation. Another good example is access
control, where only certain types of users should be allowed to call
a certain function, but this verification is never done or if you leave
a certain function as public instead of “OnlyOwner”. This is the
simplest and yet most common form of exploits that you will see
in new smart contracts.

Re-entrancy Attacks
A reentrancy attack happens when a function in the smart
contract calls another external one in an untrusted contract. Then
the untrusted contract that is being calls makes a recursive call
back to the original function in an attempt to drain the funds of
the initial contract.​

When the contract fails to update its state before sending funds,
the attacker can continuously call the withdraw function to drain
the smart contract’s funds. At the time of this writing the most
recent re-entrancy attack was on the Fei Protocol. In April 2022, it
became the victim of a $80 million hack that was made possible
by its use of third-party code containing re-entrancy
vulnerabilities.​
Common
Vulnerabilities 2
Gas Optimization
Not a vulnerability per see, but gas analysis during smart contract
audits is an important aspect of the process. Blockchain networks
need to use ‘gas’ to cover the costs of transactions. Gas prices may
vary depending on the complexity and the length of the smart
contract. So it goes without saying that you should always check
your code for any unused functions. A good example of that is the
SafeMath library. If you only use the uint256, add a function for the
operations you need and then remove the rest from the contract.

Incorrect Calculations​
Another common vulnerability with smart contracts is incorrect
calculations. This vulnerability, also referred as arithmetic
underflow or overflow, means that if some calculations are left
uncheck the result that the calculation will product will be a
number outside the range of the data type that stores them are
performed. For example a uint8 variable, can only store integers
between 0 and 255. Trying to store any value higher than 255 into a
uint8 will result in zero. This can cause problems when performing
calculations causing your smart contract to malfunction.​

Mint/Blacklist Functions
Finally, we couldn’t leave outside common functions like the mint
token function and the blacklist function. These functions might
be used maliciously by the project owner to turn the contract into
a ‘honeypot’, meaning no-one can sell any tokens. If you find these
functions in the smart contract of a token you are looking to invest
in be very cautious and make sure you understand why they exist.​
Free Smart Contract
Audit Tools

If you are not familiar with programming and you are looking to
review a smart contract without an audit report there are a few
free tools you can use.

These tools have been developed by Cyberscope team to give

investors and project owners a quick report they can use to
evaluate a new crypto project.

The tools are by no means a replacement of a thorough audit by

an experienced engineer, but will help investors and developers a
chance to make more informed decisions about their investments
or smart contracts accordingly.
Cyberscan

Cyberscan is a convenient tool that helps investors to quickly gain

insight into a given cryptocurrency token. The tool is very simple
and easy to use, all you need to do is paste the smart contract
address to the related field, click on the blockchain network from
the dropdown, and press Search.

Then you get to see a full report from the smart contract analysis,
as well as some key indicators like if the contract ownership is
present or renounced, if the contract is a proxy and if there is an
audit or KYC attached to that contract amongst others. Finally, you
can see the similarity of the code of your contract versus popular
forks. This will help you understand if it’s minted from a specific
platform and how unique it is.
Safescan

Safescan is an AML (Anti Money Laundering) and KYC tool for

wallets. The software is very easy to use, all you do is fill the
address in the form and click “Search”. The tool will then start
processing and running background checks on the address
provided. It will review all the transactions of the address and how
it interacted with various suspicious other wallets, then cross-
reference it with CEX hot wallets, popular bridges, tornado cash,
and other similar money laundering applications. Safescan also
cross-checks the given wallet with a database that contains more
than 30k blacklisted and suspicious wallets.

The final analysis report shows all the related findings to the user
in order to help him understand some of the wallet's past history.
It is a great tool to help investors check the past transactions of
the project team to make sure there are not any suspicious
activities.
Smart Contract Audit
Costs

A smart contract audit can set you back from a few hundred
dollars to a few hundred thousand depending on the complexity
of your smart contract. Auditors will usually give you a
personalised quote based on your contract complexity, the
number of lines of code and the business logic behind it.

Albeit it might appear expensive to new project owners, a smart

contract audit should be considered an investment rather than a
cost. Smart contract audits will attract more investors to the
project and make sure the funds that are involved in the
transactions are safe. A lot of new cryptocurrency projects are
aware of this and use the audits as the pillar to their marketing
strategy helping them attract investors early on, as they are able
to assure them that the contract will be SAFU.
Conclusion
In this whitepaper we covered all the aspects that you need to be
aware of about smart contract security audits. It’s become
apparent that they add a new form of assurance that the code will
work as intended before it is deployed, which protects investors
and other stakeholders. The service improves the trust in smart
contracts that have traditionally been surrounded by distrust
because of breaches in security and hacks.

If you are considering utilizing a smart contract auditor for your

ICO or future project, you’ll want to be sure to fully understand the
scope of their audit, how much it costs and what to expect from
the audit process itself.

Contact Us
@coinscope_admin

contact@cyberscope.io