One of the fundamental technologies behind cryptocurrency is the self-executing smart contract. These pieces of code store the terms agreed between the parties to a transaction on the blockchain and execute them. There are both straightforward and complex smart contracts. Straightforward smart contracts are used only for simple transactions, e.g. sending a currency from wallet A to wallet B, while complex smart contracts involve multiple participants, conditions, and outcomes, such as sending assets across chains.
Developers who create smart contracts sometimes unwittingly make mistakes and leave vulnerabilities that can be exploited, putting the funds held on a chain at risk. Because of this, the need for smart contract audits, and therefore for smart contract auditors, has grown enormously.
A smart contract audit is the process wherein an auditor reviews the code of a crypto or blockchain project, among other things, for security issues, bugs, and errors that could expose the system or its users. Various companies, like Hacken, offer blockchain cybersecurity services to tier-one crypto projects to bolster their security.
A smart contract audit allows projects to address vulnerabilities in their code, including critical ones that, when exploited, can result in a large volume of assets being lost. According to Chainalysis, cryptocurrency theft reached $3.2B in 2021, +516% vs 2020. In 2021, 49% of all crypto hacks were attributable to code exploits and flash loan attacks. According to Immunefi, there were almost 150 hacks recorded in 2021 (123 in 2020). Thus, close to 70 projects were compromised due to vulnerabilities or mistakes in smart contracts. In DeFi, 69% of all hacks were attributable to vulnerabilities in smart contracts. Beyond the direct losses, hacked projects also suffer reputational collapse and sharp price drops.
This tendency has created the need for consistent reviews of code to ensure the security of projects and their users’ funds.
Smart contract security audits are conducted using a set of standards and procedures. The exact audit process depends on the scope and size of the project. Generally, an auditor or team of auditors will follow a few standard steps:
The team will assess the project’s documentation to get a better understanding of the project and its intended use cases, architecture, and design. Collaboration between the auditor’s team and the project team is essential so that auditors can gain a complete understanding of the contract functions and of how the contracts are supposed to work together.
The auditors check the project’s code against a standard list of vulnerabilities. They launch a set of typical attacks against the project to see whether any of them could succeed. After this, the severity of each vulnerability is determined, and the project team learns whether there are any immediate points of concern that need to be addressed.
The audit team then conducts different kinds of tests to pinpoint bugs and errors in the code. These range from unit testing, targeted at specific functions, to integration testing, which is broader in scope and in the volume of code covered. Usually, both automated and manual testing are used to check a project. If the audit team sees a large number of failed tests, a temporary pause may be suggested so that significant changes can be made to the codebase.
Automated testing is conducted using specialised software to identify the inputs and outputs of financial assets in the project. These tools make it easier for the team to monitor what happens inside the project and to locate common problems. Some of the tools auditors generally use are Manticore, Solium, SmartCheck, and others. By letting software handle the easy, monotonous tests, auditors can focus on more complex problems.
Manual testing is conducted where automated tools can no longer interpret the developer’s intentions. A quality auditing team will take in all of the specifications and then determine whether everything is working as intended. Upon detecting a bug, they will notify the development team and provide recommendations on how to fix the issue.
The primary focus of manual review is verifying the security issues that pose the biggest threat to the long-term operation of the smart contracts.
When the audit is complete, the auditing team provides a detailed report specifying all the checks that were performed and their findings. The auditors may also work with the development team to make sure they understand every detected issue and the recommended patching approach.
Smart contract auditors review the code of a crypto project to ensure there are no vulnerabilities. Auditors need a deep understanding of both blockchain technology and programming, mainly because they need to interpret someone else’s code and recognise how its shortcomings can become vulnerabilities or entry points into the smart contracts.
If you already know how to code, the next step is to learn some blockchain and Solidity fundamentals. Future auditors should be asking themselves “How do blockchains and smart contracts work?” A good starting point is to read the Ethereum documentation and take courses on fundamental blockchain technology.
After gaining the necessary theoretical knowledge, those who want to start coding smart contracts in a real environment can check out Remix IDE and OpenZeppelin. Becoming deeply knowledgeable about the most commonly used smart contracts and how they work is essential to being able to find problems in them. Auditors should also be aware of the most prevalent vulnerabilities and methods used to attack smart contracts. Some of these include reentrancy attacks, timestamp dependence, over- and underflow attacks, gas-related vulnerabilities, and costly loops.
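The first item on that list, reentrancy, is worth seeing in code, since it is the pattern an auditor checks for first in any function that sends value. The example below is added here to illustrate the article; it is not code from the original post or from Hacken. Contract and function names are hypothetical. The vulnerable vault updates the caller’s balance only after the external call, so a re-entered call still sees the old balance; the hardened vault follows the checks-effects-interactions ordering and adds a reentrancy mutex.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not from the original article): the reentrancy pattern
// an auditor looks for, shown as a deliberately vulnerable vault next to a
// hardened one. Contract and function names are hypothetical.

// VULNERABLE: the external call happens before the balance is updated, so a
// receiving contract that calls withdraw() again from its receive() hook is
// paid repeatedly against the same recorded balance.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Interaction before effect: control passes to the caller here.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");

        // Effect comes too late: a re-entered call already saw the old balance.
        balances[msg.sender] = 0;
    }
}

// HARDENED: checks-effects-interactions ordering plus a reentrancy mutex.
// Either defence alone blocks the simple case; using both is defence in depth,
// and the mutex also covers cross-function reentrancy that ordering alone does not.
contract HardenedVault {
    mapping(address => uint256) public balances;

    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        // Check
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Effect: zero the balance before any external call.
        balances[msg.sender] = 0;

        // Interaction last: a re-entered call now sees a zero balance and reverts.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing, the habit to build is mechanical: for every function that makes an external call (`call`, `transfer`, `send`, or a call into another contract), confirm that all state writes happen before the call, and that any function sharing that state is protected by the same guard.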
At the end of the day, practice and experience are extremely important. There’s no better way to combine learning Solidity with learning about Ethereum security than solving CTFs (Capture The Flag challenges). CTFs are security challenges where vulnerable code is presented and players need to write a smart contract that exploits the vulnerability. Participating on GitHub and contributing to open source projects is another good way to learn and gain real experience in a development-like environment.
An added benefit could come from learning some finance basics, as auditors regularly work with decentralized finance (DeFi) platforms that use a lot of traditional finance terms. Places like Khan Academy and Coursera can teach the basics and terminology of finance. With the majority of smart contracts written in Solidity, most auditors opt for this language, but as more chains appear it may become necessary to expand your repertoire. For example, Cardano uses Haskell, and Solana uses Rust and C++.
To gain real experience, one can start participating in bug bounties on HackenProof or audit contests on Code4rena. Contests vary in size and scope, with some granting prizes of $70,000 for the winning finding. Contestants can be anonymous, but many developers get jobs through winning bug bounties, which also look good on a CV.
Some auditors don’t use any tools that directly perform vulnerability analysis. A well-recommended extension is the “Solidity Visual Developer” VSCode extension that highlights storage variables and function parameters.
However, some software packages that are used are:
Mythril, which can be used for detecting integer overflows and underflows. Another tool is Etherscrape, used to scrape live Ethereum contracts for reentrancy bugs where send() is being used. There are also decentralized auditing platforms like Bountyone that bring together companies and freelance auditors when tools aren’t enough.
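To make concrete the integer overflow and underflow class that tools such as Mythril report, here is an added example in Solidity; it is not code from the original post, from Hacken, or from the Mythril project, and the contract names are hypothetical. The weak token reproduces the wrapping arithmetic of pre-0.8 Solidity with an `unchecked` block, so sending more than one’s balance wraps the sender’s balance round to a value near 2**256 instead of failing; the corrected token keeps an explicit guard and relies on the checked arithmetic that Solidity 0.8 enables by default.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not from the original article): the integer underflow
// and overflow class that static analysers flag, with the weak form beside
// the corrected one. Contract names are hypothetical.

// WEAK: the arithmetic is wrapped in `unchecked`, which reproduces the
// pre-0.8 semantics. A transfer larger than the sender's balance does not
// revert; the sender's balance wraps round to a huge number.
contract WrappingToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000 ether; // constructed initial supply
    }

    function transfer(address to, uint256 amount) external {
        unchecked {
            balanceOf[msg.sender] -= amount; // underflows silently
            balanceOf[to] += amount;         // overflows silently
        }
    }
}

// CORRECTED: an explicit guard gives a clear revert reason, and the default
// checked arithmetic of Solidity >= 0.8 reverts on any wrap that might still
// slip past it. Use `unchecked` only where it is provably impossible to wrap.
contract CheckedToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000 ether; // constructed initial supply
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount; // checked: reverts on underflow
        balanceOf[to] += amount;         // checked: reverts on overflow
    }
}
```

For contracts compiled with a pre-0.8 compiler, every arithmetic operation behaves like the `unchecked` block above, which is why audits of older code still look for missing bounds checks or a SafeMath-style library on each operation.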
As the crypto industry experiences a massive growth spurt, new crypto-specific job sites have appeared to connect talented individuals with the Web 3.0 world. After gaining the necessary skills (which isn’t a walk in the park), potential auditors can look on Web 3.0-specific job boards to find auditing jobs.
It is the biggest platform to find and post jobs in web 3.0, cryptocurrency, and blockchain companies. Since 2017 they’ve been the go-to hiring resource for over 2,000 leading cryptocurrency, DeFi, and NFT companies, such as Ethereum Foundation, ConsenSys, MetaMask, OKEx, Huobi, Parity Technologies, Argent wallet, Status.im, PayPal, GameStop, and others.
The platform is used by more than 1,000 crypto companies to find talents. It is trusted by BlockFi and Cardano Foundation.
This platform has been connecting people to the crypto industry since 2017 and has posted more than 8,000 job ads from over 1,000 companies.
Generally, hourly rates for auditors are determined by their experience and the complexity of the problem they solve, but roughly:
Top auditors: $250–$1,000/h
Companies like Chainlink Labs offer salaries between $100k and $150k per annum.
There is also the opportunity to make money by participating in bug bounties and industry competitions.
Can’t find enough information on the auditor’s job and salary? Hacken will provide you with all the necessary information.