A smart contract audit is a security review, performed by security professionals, that aims to find bugs and vulnerabilities in the on-chain code of a smart contract before they can be exploited. An audit reduces risk; it cannot prove code free of defects.
A smart contract audit is a methodical examination of a smart contract's code, the program that holds and moves assets on a blockchain. It is conducted to discover errors and security vulnerabilities, to suggest fixes, and to record how the project responded. Audits are generally considered necessary because most contracts custody financial assets or other items of value, and deployed contract code is usually immutable, so a bug found after deployment cannot simply be patched in place.
Such reviews are complex: smart contracts often call other contracts, and integrations with third-party contracts or off-chain systems can expose the whole system. The scope is therefore often expanded to every contract the target interacts with, and in turn to the contracts those depend on. A review typically combines automated analysis, tests and manual code review.
Smart contracts often hold large amounts of funds, and because the code and its state are public, a single bug can be exploited by anyone on the network. The users and stakeholders of the affected decentralized application can lose every asset held by the contract.
The auditors' findings and recommendations are conveyed to the project team before publication, and the team's responses and fixes are recorded in the final report. A published audit is treated as a mark of integrity for the project, so teams seek audits to win user confidence and raise credibility. A report covers only the code version and scope that was reviewed; changes deployed afterwards are not audited. Audits are typically carried out in several steps.
The first step is for the project team and the auditing firm to agree on the scope and specification of the audit: the auditors receive the contract's design, purpose, architecture, intended behaviour and any existing documentation. Next comes the testing phase, in which the auditors exercise individual functions (unit tests) and then larger interacting components (integration tests).
Automated analysis tools are also run to flag commonly known vulnerability patterns in the contracts. The auditors then manually inspect the code to understand the developers' intent and interpret the tool findings in that context, since automated tools produce false positives and miss logic flaws specific to the application. Finally, the report is issued with the findings, their severity, and the fixes applied by the team.
The importance of smart contract audits can be gauged by the Ethereum chain split of 2016, which resulted from a code vulnerability exploited by an attacker, putting millions of dollars of funds at risk. A "recursive call bug", now generally called reentrancy, allowed the attacker to drain "The DAO", a crowdfunded decentralized investment fund, of millions of dollars' worth of ETH: the contract sent ETH to the caller before updating the caller's recorded balance, so a malicious contract could call back into the withdrawal function repeatedly before the balance was reduced. The community's disagreement over whether to forcibly return the funds led to a hard fork.
Smart contract audits are increasingly important in the rapidly growing DeFi industry, where bug-ridden smart contracts are often rushed out to meet investor demand. This led to a number of costly incidents in 2020 totalling millions of dollars, most notably at Harvest, Yam Finance, bZx, Balancer and Eminence.