Smart contracts are a self-executing piece of code, executable when certain predefined conditions are met. Ethereum enabled the birth of smart contracts. Since these contracts are based on blockchain technology, they cannot be changed once implemented.
Hence it is crucial to test them before deploying them accurately, and timely audits ensure the bug is fixed. In our previous articles, we have seen the DAO attack on the Ethereum platform due to which millions of dollars were lost. The Ethereum platform had to be hard forked to mitigate the loss henceforth.
Generally, audits are conducted to check for bug fixes. The audit is targeted in such a way to check for already known targets based on the experience of previous audits. Hence let us see below what kind of smart contract attacks there are.
Smart contract attacks
Race conditions are a case where events don’t occur in an intended order. It is often required to call external contracts in smart contracts, and thus the possibility of race conditions is very high.
This is a kind of race condition where one function is repeatedly called before the first function’s invocation is completed. This means making the first function recursive, the exact thing which happened in the DAO attack.
Transaction Ordering Dependence
This is yet another type of race condition where the manipulations can be done in terms of transaction orders. The transactions order can be manipulated and cheated at the expense of other users.
These are some of the types of smart contracts attacks. Let us see below the detailed step by step process of auditing a smart contract.
Steps to audit a smart contract
1️⃣ As in any audit process, the auditing company/group should clarify who they are and their authority to conduct the audit and procedures to be followed, if possible, from a legal perspective.
2️⃣ Audits are conducted on a deployed smart contract or a smart contract ready to be deployed in a blockchain. It is essential that a smart contract without any bugs is to be implemented.
3️⃣ A legal disclaimer, as such, the audit doesn’t provide any legal guarantee but fosters the discussion about the smart contracts bugs, if any, to fix them.
4️⃣ Attacks will be conducted as detailed above and see if they can be successfully implemented on the smart contract being audited.
5️⃣ Report the vulnerabilities and bugs if found any. Some may not seem like a potential threat right now, but they may turn out to be a serious flaw later; they have to be recognized and taken care of.
6️⃣ Contract complexity should be checked. Often complexity leads to mistakes, and the complex code should be thoroughly checked for any potential bugs.
7️⃣ Check how the contract responds to a bug or vulnerability. Contracts behavior in such times is essential to check if there will be any money loss, or the contract execution will stop showing potential issues is to be noted down.
8️⃣ All the security patches should be thoroughly updated so that all the libraries are up to date. The update should act like preventive maintenance.
The steps outlined above are very general in purpose in auditing a smart contract. Depending on the language we use for a smart contract, various steps can be followed. In any language used, these are the necessary steps one can follow before moving further with the in-depth analysis.