Crypto projects must understand the risks inherent in smart contracts—operational, implementation, and design flaws—which, if exploited, can compromise or destroy a project. Recent data underscores the importance of auditing: nearly 10% of all Web3 losses in Q3 2024 resulted from smart contract exploits, totaling $42.3 million. At the same time, 90% of all hacked projects never had any form of audit.
Since smart contracts are immutable once deployed, even a single flaw can lead to severe consequences, including asset loss. For instance, $1.2 million was stolen within a minute of deployment in the Vow Token exploit, and attackers combined a flash loan and price manipulation to extract $1.5 million from a reentrancy vulnerability in the Minterest hack.
Hacken’s smart contract auditing process, refined through thousands of audits since 2017, ensures developers write secure code, conduct thorough testing, and implement best practices.
A smart contract audit is a comprehensive review of the code, logic, architecture, and security measures implemented in a smart contract. The process is structured to identify and address any potential security vulnerabilities, logical errors, or inefficiencies before deployment to the mainnet.
With over 2,000 audits completed, the Hacken team has leveraged seven years of experience battling hackers to develop an effective methodology for smart contract code review and security analysis, applicable across various languages and platforms. Here’s a brief breakdown of our auditing process:
Good preparation saves both time and money. To ensure you gain the most from your audit, you should consider the following steps:
Proper preparation is crucial for the success of a crypto project. Comprehensive documentation, often overlooked, is essential for effective development, testing, and review. Even if your project isn’t ready for a professional audit, having these measures in place helps with internal reviews, bug bounties, and maintaining a productive development environment.
Functional requirements ensure that the contract performs its intended functions, providing clear guidelines for development.
Clear and comprehensive functional requirements are essential for understanding the app and verifying its functionality. While your smart contract code may be secure, it might not align with your intended goals. This is another reason why it’s beneficial to get an external opinion to ensure the application functions as intended. Having as many functional details as possible helps check whether your smart contract code works as intended. Here are a few additional examples of well-defined functional requirements:
A comprehensive technical overview plays a vital role in audit preparation. Ideally, your technical description should cover the following areas:
This information aids code navigation, especially when your smart contracts are complex and interrelated. Again, it’s important to note that documenting vital aspects of your code is beneficial even if you have no plans to engage external security researchers.
We consistently encourage our clients to configure a development environment for their projects. Tools like Truffle or Hardhat make this task easier. This step brings many advantages:
Skipping the setup of a dedicated development environment would be a missed opportunity.
Your smart contract code must include unit tests, as thorough testing is crucial for security and helps save resources.
We suggest striving for 100% test coverage, with both positive and negative scenarios. Furthermore, we encourage the development of multi-user tests to evaluate the system’s resilience against potential DoS attacks. Another step is to run simulations with multiple concurrent users to ensure that their operations remain isolated unless designed to interact.
Unit tests can detect security vulnerabilities even before initiating your crypto audit. Projects that include tests significantly reduce audit time and cost, allowing auditors to focus on more complex issues.
Follow official code style guides and formatting before audits. It will improve readability, expedite bug-fix verification, and reduce the risk of missing errors. It’s a practical approach that saves both time and resources.
Now, let’s get to the main part: the process of auditing your smart contracts.
At Hacken, we’ve refined our methodology over the years and recommend the following steps to catch all errors:
The initial phase of our audit aims to spot any problem areas needing attention before the in-depth review begins. In the pre-audit stage, we peruse your provided repository, ensuring a comprehensive audit scope. The pre-auditor evaluates the development environment for any potential compilation problems, executes the provided tests, and verifies both the functional and non-functional requirements.
Smart Contract Audit Tools
For Solidity smart contracts:
For Rust smart contracts:
Moreover, we run several in-house security analysis programs, details of which we don’t disclose, but with the aforementioned tools, you can achieve substantial results.
At the end of this stage, we provide you with a preliminary report, giving you the chance to make any last-minute modifications before the official audit commences.
Let the audit begin! Our aim at this stage is to equip you with validated insights that guide your decision-making process on the necessary modifications for enhanced code security.
Finding & documenting issues. In the exhaustive line-by-line review – independently conducted by a pair of skilled auditors – we meticulously examine each segment of your code for all possible vulnerabilities, including:
At this point, we manually check the code against all critical aspects common to smart contract programming languages. The table lists some of the checked items.
| Item | Description |
| --- | --- |
| Default Visibility | The visibility of functions and state variables should be set explicitly. |
| Integer Overflow and Underflow | All math operations should be safe from overflows and underflows, particularly where unchecked math is used. |
| Outdated Compiler Version | A recent version of the respective compiler (Solidity or Rust) is recommended. |
| Access Control & Authorization | All crucial functions should be protected to prevent ownership takeover. |
| Asset Integrity | Funds are protected: they cannot be withdrawn without proper permissions, nor locked in the contract. |
| Data Consistency | Smart contract data should remain consistent throughout the data flow. |
Not all issues look the same across languages and platforms. For this reason, we utilize more than 50 language-specific parameters for EVM (Solidity, Vyper, Yul) and Rust-based contracts (Solana, Near, CosmWasm).
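To make the checklist concrete, here is a small hypothetical vault written for this article (not a Hacken contract or client code), shown first in a form that would fail several of the items above and then in a form that passes them; every comment names the checklist item it refers to.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault for illustration only; all names are invented.

// --- BEFORE: fails several checklist items ---
contract VaultBefore {
    mapping(address => uint256) balances; // Default Visibility: no explicit visibility (defaults to internal)
    address owner;                        // Default Visibility: same problem

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        unchecked {
            balances[msg.sender] += msg.value; // Integer Overflow: unchecked math with no bound check
        }
    }

    function setOwner(address newOwner) external {
        owner = newOwner;                 // Access Control: anyone can take ownership
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;   // Data Consistency: state updated after the external call (reentrancy)
    }
}

// --- AFTER: same functionality, checklist items addressed ---
contract VaultAfter {
    mapping(address => uint256) private balances; // Default Visibility: explicit
    address public owner;                         // Default Visibility: explicit

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function deposit() external payable {
        balances[msg.sender] += msg.value; // Integer Overflow: checked arithmetic (0.8.x default) reverts
    }

    function setOwner(address newOwner) external onlyOwner { // Access Control: owner only
        require(newOwner != address(0), "zero address");      // Asset Integrity: ownership cannot be burned
        owner = newOwner;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;   // Data Consistency: effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A unit test that deposits, re-enters `withdraw` from a callback contract and asserts the vault balance afterwards is the negative scenario that separates the two versions.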
Testing. In addition, we thoroughly assess the test coverage. If we identify any gaps, no matter how small, we develop and implement additional cases to accommodate all potential positive and negative scenarios.
Bear in mind that some problems can only be replicated with incorrect configurations of dependent contracts. Accordingly, our auditors intentionally devise such configurations and run associated tests.
Each issue is classified as either Passed, Failed, or Not Related.
This crucial stage of the audit process truly showcases the merits of our unique methodology. Until this point, our auditors have been conducting their examinations independently, allowing for unbiased scrutiny and in-depth exploration of the code from their respective perspectives.
Now, these auditors come together, bringing their individual insights and discoveries into a joint discussion under the guidance of a lead auditor. The team cross-examines identified issues, fostering a well-rounded understanding of your project’s vulnerabilities.
Moreover, the team compiles an internal document spotlighting the key aspects and possible weak spots of your project, in tandem with a detailed advisory report suggesting recommended measures.
The lead auditor thoroughly reviews all the materials to ensure they are complete, accurate, and faithfully represent the collective audit findings. After this final check, the consolidated audit report is delivered to you, serving as a robust assessment of your project’s security.
Testing, Fuzzing and Gas Optimization
As a final step in our process, every audit we conduct includes fuzz testing and invariant testing, alongside extensive unit tests. This comprehensive approach features static, dynamic, fuzz, stress, mutation, and invariant testing, as well as gas optimization steps.
After an intensive cross-review of the findings, our team collectively formulates a detailed final report covering crucial issues, vulnerabilities, and executed tests. Essentially, the report presents a comprehensive review of the audit, empowering you with verified information to bolster your smart contract’s security and dependability.
External users. The final audit report is also an invaluable resource for external stakeholders such as your community and investors.
Some security companies may employ a streamlined workforce, where only 1-2 employees handle all responsibilities. Although this may cut labor costs, it compromises consistent quality and places an undue load on those employees.
At Hacken, we take a focused approach with specialists dedicated to specific areas of expertise, maximizing efficiency and allowing them to concentrate on resolving the most critical issues. Every audit is led by a Lead Auditor, providing top-tier expertise throughout the process. Additionally, our Delivery Manager serves as your dedicated point of contact, facilitating seamless communication and addressing all your needs and concerns.
Our specialized teams cover all major smart contract languages and blockchain networks, ensuring comprehensive and precise audits tailored to your project.
Undoubtedly, this method demands a higher investment in human resources, but over time we have found that the long-term benefits for both us and our clients are worthwhile.
Your audit is complete, but defending against hacks doesn’t stop there. In the post-audit security phase, Hacken offers solutions to enhance post-deployment security. Extractor continuously monitors your smart contract for potential threats, ensuring real-time detection and response. DualDefense provides an additional layer of protection at no additional cost, with a 30-day crowdsourced audit by independent security researchers. Together, these services ensure your project remains secure even after deployment.
At Hacken, we emphasize the absolute necessity of regular smart contract audits. With the immutable nature of blockchain applications, an undiscovered flaw in your smart contract can spell lasting issues.
Proactive audits help identify such vulnerabilities early, enabling you to secure your applications effectively and reliably.
Here’s a brief overview of our audit process for any blockchain:
Join us in our mission to make Web3 a safer space, one audit at a time!