January 21, 2020
Deployments of smart contracts onto the Ethereum blockchain are on the rise. Since late 2017, the number of successful calls to smart contracts has remained consistent at 1.2 million per day. It is imperative to ensure that these smart contracts, which often hold important assets, are not exploited. At present, a contract audit before deployment is the best option available to identify subtle vulnerabilities and assess the quality and security of the code.
What is a smart contract audit?
A smart contract audit is an assessment of both the code and the secure development process behind it. During the audit, developers have an opportunity to learn from Ethereum experts, identify gaps in their coding process, and pinpoint underspecified areas of their systems.
What are the limitations of smart contract audits?
A smart contract audit cannot replace internal quality assurance, overcome excessive complexity or poor architecture, nor can it guarantee no bugs or vulnerabilities whatsoever.
What is the importance of auditing smart contracts?
The DAO hack. No need to say more.
Learn how to prepare for a smart contract audit
Start with good documentation
Have a clear, concise, simple description of what you are building, and why you are building it. The documentation should include descriptions for the overall system and for each unique supporting smart contract.
It should include a specification of your system's intended functionality. For each contract, it should describe the most important properties or behaviors that must be maintained. It should also describe the actions and states that should not be possible.
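One way to make such a specification concrete is to state each property and each prohibited action in the contract's own NatSpec comments, give them stable labels, and point each check in the code back at the label it enforces. The contract below is an added illustration written for this post, not code from the webinar or from ConsenSys Diligence; the `Vault` contract, its property labels (P1, P2, A1 to A3) and its function names are all hypothetical. It compiles with Solidity 0.8.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @title Vault: a minimal deposit/withdraw contract that shows how to state a
///        system's properties for an audit. Added example with a hypothetical
///        contract; not from the webinar or ConsenSys Diligence.
/// @notice P1 (invariant): address(this).balance >= totalDeposits at all times.
///         (">=" rather than "==" because Ether can be forced in via selfdestruct.)
/// @notice P2 (invariant): totalDeposits == sum over all accounts of balances[a].
/// @notice A1 (prohibited): no account may withdraw more than its own balance.
/// @notice A2 (prohibited): nobody but the owner may pause the vault, and the
///         owner has no path that moves or changes user balances.
/// @notice A3 (prohibited): no deposits or withdrawals while paused.
contract Vault {
    address public immutable owner;
    bool public paused;
    uint256 public totalDeposits;
    mapping(address => uint256) public balances;

    event Deposited(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);
    event PausedSet(bool paused);

    error NotOwner();
    error VaultPaused();
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert VaultPaused(); _; }

    constructor() { owner = msg.sender; }

    /// @dev Enforces A3. Preserves P2 because the per-account balance and the
    ///      total are updated together, in the same transaction, with no call
    ///      in between.
    function deposit() external payable whenNotPaused {
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    /// @dev Enforces A1 and A3. State is updated before the external call
    ///      (checks-effects-interactions), so a re-entering caller sees the
    ///      reduced balance and cannot break P1 or P2.
    function withdraw(uint256 amount) external whenNotPaused {
        uint256 available = balances[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);
        balances[msg.sender] = available - amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit Withdrawn(msg.sender, amount);
    }

    /// @dev Enforces A2: this is the only privileged function, and it touches
    ///      neither balances nor totalDeposits. The absence of any other owner
    ///      function is part of the specification an auditor should confirm.
    function setPaused(bool value) external onlyOwner {
        paused = value;
        emit PausedSet(value);
    }

    /// @notice Runtime check of P1, usable from tests, monitoring, or an
    ///         auditor's property-based test harness.
    function solvent() external view returns (bool) {
        return address(this).balance >= totalDeposits;
    }

    // No receive() or fallback(): plain Ether transfers revert, so the only
    // way to raise totalDeposits is deposit(), which keeps P2 checkable.
}
```

Labelling properties this way gives the auditor a checklist to verify against the code rather than a prose description to interpret: each `require`, modifier and ordering decision cites the property it exists for, and anything not covered by a label is a gap in the specification worth raising before the audit starts.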
Clean up the code, make it easier to run
Be sure to run a linter on your code and fix every error it reports. Address all warnings that the compiler produces. Remove any unneeded code. If this is the final audit before deploying to mainnet, resolve and remove any TODO or FIXME markers.
Freeze the code
It is imperative to freeze the code, halt development, and communicate a specific git commit hash that marks the start of the audit. Any changes made after the audit begins will not be included in the audit. It is better to delay an audit than to change the code after it has started.
To learn the steps to prepare for an audit, tune into ConsenSys Diligence’s webinar about Preparing for a Smart Contract Audit. This webinar is designed to help teams to understand and get the best results from the audit process. Be sure to stick around for the interactive Q&A session at the end!
Covered topics in the webinar:
- Getting the best results from the audit process
- Preparing your codebase for an audit
- Important next steps following a smart contract audit
John Mardlin, Security Engineer & Auditor
Brianna Montgomery, Business Development Lead
Steve Marx, Security Auditor