Dmitry Mishunin, founder & CEO at HashEx Blockchain Security.
In my last article, I wrote about smart contracts and why they’re gaining popularity as a way to execute agreements, both inside and outside of Web3. For those unfamiliar, smart contracts are like any other agreement, only written as code on a blockchain. They dictate certain actions and their outcomes. However, because they are self-executing (no need for intermediaries such as lawyers) and immutable, they provide a level of security, certainty and expedience that standard pen-and-paper contracts simply cannot offer.
But there’s a catch: For these contracts to work effectively, yielding the outcomes that all involved parties expect, every feature must function properly and deliver the intended outcome. Any error in the code can lead to a slew of unfortunate consequences. For instance, since smart contracts often deal with finances, errors can lead to losses of funds on the part of one or both parties. In addition, because they live on a blockchain and exist in Web3, smart contracts must be protected from malfunctions, external attacks and abuse of power by developers. These contracts are open to the public; hundreds of eyes can easily dissect them, which can unfortunately simplify the work for hackers and other malfeasants.
This is why smart contracts need to be audited before their execution—to protect everyone’s assets and keep the code from being tampered with or otherwise malfunctioning. Getting your smart contract past an audit is kind of like FDA approval—it’s a sign of a quality agreement that won’t be dangerous to either party.
One caveat: Just as there are problems against which FDA approval cannot protect (such as allergies to a drug, or tainted food), no audit can guarantee that everything will be 100% perfect, or that you will never face hackers or other attacks. After all, the contract could be programmed incorrectly. The language of smart contracts is not a human language, and a programmer interpreting a client’s intent (much as a lawyer does) might translate it incorrectly or imprecisely. The point of the audit is for the smart contract to undergo a thorough process of checking and testing to rule out as many potential errors and vulnerabilities as possible.
A High-Stakes Task
In the broadest terms, we conduct an audit by taking the code alongside its documentation, studying it and then assigning a team to review the code. We use automated tools and additional manual audits to achieve the best results. Errors happen for various reasons, such as negligence, lack of knowledge or experience in writing smart contracts, and sometimes even intent to provide a low-quality service. Audits help protect users from all these pitfalls, even if they can’t build a full digital bubble around a person’s finances.
We also try to root out the potential for external attacks. Unfortunately, there are always plenty of those. Hackers don’t just rehash old and tried hacking methods; they come up with new and inventive tactics. Our job is to recognize these malicious attempts and respond to them by coming up with mechanisms to protect smart contracts from invasion.
When it comes to money, everything is high stakes. It doesn’t really matter how much money people invest in a project—it can be $100 or $100,000—a loss is a loss. The goal of the smart contract audit process is to offer the best protection against loss.
It’s important to note that not every team is willing to correct the errors in the contract after receiving an audit report. In such cases, an auditor’s job is to inform users of potential risks, which a quality audit report does, and make recommendations that we hope these teams will follow eventually.
For an ethical auditor, the interests of the end user take precedence over the client’s interests. At times, clients request certain information to be concealed from the public, fearing reactions to public disclosure. They often argue that they are paying for the service, hence their word is law. However, an ethical auditor prioritizes the end user above all else.
Determining An Audit’s Value And Validity
It’s crucial to assess risks sensibly. For instance, if the overall project risk amounts to $10,000, there’s no sense in commissioning an audit for $100,000. However, if the project is worth hundreds of millions, an audit costing a million dollars is entirely reasonable.
Some companies and projects are hasty; they just want to receive a PDF that says that they have no issues. They’d pay $100 for it and proceed happily to their project’s launch. Where there’s demand, supply follows—and scammers are happy to cater to companies and teams that don’t feel they have time or need for due diligence. This is also why many auditors these days just run the code through an automated tool and print you a report that doesn’t necessarily reflect the real state of your contract. (Reports like this are kind of like a fake ID—they say everything’s fine and kosher, but that has no bearing on reality.) These bargain-basement auditors are unfortunately common in our industry, and the results of their sloppy work lead to unsafe contracts that lose money for the parties involved.
A serious professional audit, depending on the size of the contract, can take from 50 to 100 hours. Bluntly, this isn’t the kind of job that costs $100, like paying some teenager to mow your lawn one afternoon. We recommend asking a potential auditor what methods are used in the process and exactly what tests will be performed. And, just like in any other market, a brand holds weight. The most well-known companies are always present in the media.
Ultimately, the value of an audit is reflected in its quality and thoroughness. It has to be detailed and present all the issues that are possible to detect. A strong and thorough audit report will explain any problems and provide recommendations for optimization.
Credibility And Personalization
In our industry, word of mouth is key. Clients who are happy with the service they received—who noted that their auditors did not just take the money and sign off on a project, but rather, detected and helped them to rectify vulnerabilities that could have cost them money—are far more likely to recommend that auditor to peers. If you are in the market for an auditor, this type of personal endorsement is what you should be looking for.
Ultimately, as in any other business, a great auditor is adept at learning the client’s needs and finding common ground and common language. They are open to spending time discussing the project and their role in it, and answering questions, in order to help the client understand how it all works. (Some auditors only discuss the actual report with the client, which we feel deprives them of a chance to understand the process and have their concerns taken seriously upfront.) By engendering that level of understanding and trust, a great contract auditor helps business move along seamlessly and profitably for everyone involved.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.