
What a smart contract audit is, and how to conduct one

Smart contracts ensure the integrity of transactions, such as those that initiate key services. A smart contract audit is one way to ensure the programs work as designed.

Smart contracts are self-executing programs that run on VMs and are stored on a blockchain. They automate how agreements are completed after certain conditions are met. Smart contracts underpin the integrity of transactions, including those that initiate key business and financial services. A smart contract audit is one way to ensure these programs work as designed.

Smart contracts are used for a variety of purposes, including orchestrating business processes, transferring assets and initiating services. The process is straightforward: Once all provisions of a particular transaction or request have been satisfied, the contract responds accordingly.

Blockchain's inherent security properties make deployed smart contracts difficult to compromise. Instead of being deployed on a centralized network where control resides in a single location, smart contracts run on decentralized networks, with control and management functions replicated across every node. Access and security credentials travel with the user's files and data, so they remain available wherever the data goes.

This doesn't mean smart contracts are problem-free. If a contract has coding issues or is hacked, for example, it must be replaced by a new contract. This is where a smart contract audit pays off. It ensures any flaws, errors or vulnerabilities are addressed before the smart contract is uploaded to a blockchain and used.

What is a smart contract audit?

Because smart contracts play important roles in executing business logic -- often autonomously -- and contain critical data, security is paramount. Once a smart contract is on a blockchain, it is accessible by anyone. Any flaws, therefore, are also accessible by anyone.

A smart contract audit evaluates a smart contract's code. These audits can be automated or performed manually. Most importantly, they should be completed prior to putting a smart contract on a blockchain. Audits examine smart contract code from multiple perspectives to do the following:

  • Pinpoint coding errors, flaws and subpar code.
  • Identify security vulnerabilities.
  • Measure reliability and performance.
  • Prevent security attacks.
  • Identify logic errors.
  • Find issues with storage, data, memory, environments, logs and other metrics.

Successful smart contract audits remediate any issues they might uncover. Organizations that identify and remediate flaws before contracts are deployed can be more confident that they are reliable and safe.

Why is a smart contract audit needed?

Once a smart contract is deployed on a blockchain, it cannot be changed. An issue as small as a coding error could lead to security vulnerabilities, breaches and financial losses. Following are reasons why audits are necessary:

  • Security confirmation and validation. Vulnerabilities, such as reentrancy attacks and unchecked external calls, are identified and addressed to prevent exploitation.
  • Minimize financial losses. Flawed and unaudited smart contracts have cost companies billions of dollars from breaches and other incursions.
  • Code integrity validation. Audits ensure and confirm that contracts will perform correctly using best practices.
  • Compliance. Depending on the jurisdiction in which a smart contract is deployed, local regulations could require it to meet security and other requirements.
  • Credibility and trust confirmation. Audit results verify that smart contracts are secure, boosting investor and user confidence and trust.

Who performs smart contract audits?

Smart contract auditing requires special expertise that differs from general IT or system and organizational control audits. IT departments and internal audit departments can conduct their own smart contract examinations, but expert coding and logic skills are key prerequisites.

Because many organizations do not have this expertise in-house -- or because they want a third party to do the work -- they can hire smart contract audit specialists. These companies have the experience and knowledge, as well as the specialized software, to properly analyze a contract's code in detail to identify potential problems.

How to perform a smart contract audit

The exact steps of a smart contract audit vary from contract to contract. In general, an audit includes the following steps:

  1. Define the audit and secure management approval. This includes the scope and objectives of the audit. Obtain management approval before the audit commences.
  2. Identify the audit team. Assuming employees have the proper coding and analytic skills, audit team members can come from internal audit and IT departments. Otherwise, use an external smart contract auditing firm. Teams can also include both internal and external resources.
  3. Collect evidence. This includes documentation that describes the smart contract, its purpose and activities, how it was designed and developed, how it operates when executing, testing results and other relevant documents. Access to the code is essential.
  4. Freeze code. Once evidence has been collected and access to code is available, enact a freeze on all code changes. This prevents any changes from affecting the integrity and accuracy of the code analysis and the overall audit.
  5. Perform automated code analyses. This step is where the actual field work begins. Launch automated tools to examine code for anomalies and suspicious code that might suggest security vulnerabilities. These tools can examine many different criteria. Results might indicate further analysis is needed. It might also be useful to conduct penetration tests to identify potential security flaws.
  6. Perform manual code analyses. Once the automated tools have finished, manually examine lines of code to find issues the tools might have missed. Refer to smart contract documentation to determine if the code, as written, will execute as it was designed. A manual review, in combination with automated testing, produces the best results.
  7. Remediate any identified issues. Resolve any issues once the code analysis is complete. This is especially important to ensure the code is correct and secure. Test the remediated code to verify it works correctly before it is deployed.
  8. Prepare and deliver a smart contract audit report. The report, including recommendations, should include all the evidence gathered, the results of code analyses, remediation and testing, and any other activities. If more post-audit work is needed, determine when those activities must be completed and document those decisions.

How much does a smart contract audit cost?

The cost of a smart contract audit is based on several factors, including the complexity of the contract, the number of lines of code to be audited, the reputation of the audit firm and the turnaround time required. Following is a general breakdown of fees, based on Informa TechTarget internet research:

  • Simple contracts (fewer than 1,000 lines of code): $3,000 to $10,000.
  • Medium complexity contracts (1,000-5,000 lines of code): $10,000 to $50,000.
  • Highly complex contracts (5,000-plus lines of code), such as decentralized financial protocols or custom decentralized exchanges: $50,000 to $100,000-plus.

Top-tier audit firms could charge premium rates, and expedited audits often come at a higher cost. If a specific quote is needed, firms such as CertiK and Quantstamp provide pricing details based on project requirements.

Smart contract audit tools and audit firms

The following are lists of smart contract audit tools and audit firms as identified from Informa TechTarget internet research.

Smart contract audit tools

  • Manticore. Symbolic execution-based tool for smart contract security.
  • Mythril. Symbolic execution-based security analysis tool that detects security issues in Ethereum-based smart contracts.
  • MythX. Cloud-based security analysis tool.
  • Scribble. Specification language and runtime tool that translates high-level specifications into Solidity code.
  • Securify v2.0. Verification tool for Solidity contracts.
  • Slither. Static analysis tool for Solidity and Vyper contracts.
  • SmartCheck. Analysis tool for detecting bugs in Solidity-based smart contract code.

Smart contract audit firms

  • CertiK. Provides Web3 smart contract auditing.
  • ConsenSys Diligence. Provides smart contract security and audit services.
  • Cyfrin. Provides smart contract auditing and research.
  • Hacken.io. Provides smart contract auditing services.
  • KPMG. Provides smart contract auditing.
  • QuillAudits. Provides smart contract auditing.
  • Solidified. Provides smart contract auditing.

How to select a smart contract audit tool

When evaluating and selecting a smart contract audit tool, consider the following factors:

  • Security features. Tools should offer vulnerability detection, formal verification and fuzz testing.
  • Blockchain support. The tool should support the blockchain platform being used -- for example, Ethereum, Solana and Polkadot.
  • Automated vs. manual auditing. Based on audit needs, consider tools that provide automated scanning. Nonautomated tools require manual review by trained professionals.
  • Support community. Tools with an active user community might be more reliable and easier to troubleshoot.
  • Financials. Consider free tools vs. others that require a subscription or one-time payment.

The impact of AI on smart contract auditing

Here are some ways AI is changing smart contract auditing.

Positive impacts

  • Enhanced vulnerability detection. Automated AI-based tools scan smart contracts for security flaws and other issues much more rapidly than manual audits.
  • Code review using natural language processing. AI examines contract documentation and maps it to the actual code, ensuring compliance.
  • Security via machine learning. Machine learning improves risk assessments and the detection of security issues by learning from past audits and assessments.
  • Formal verification improvements. AI can improve the accuracy of the mathematical proofs used to validate smart contract logic and help identify suspicious behavior.

Potential risks

  • False positives and negatives. Human expertise is needed when AI flags harmless code as a security risk or misses a real flaw.
  • AI-assisted exploits. Attackers could use AI to create malicious contracts that bypass security screens.
  • Automation vs. human expertise. AI speeds up the audit process, but organizations might still need to bring in experts who can analyze complex security issues.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
