
Security Audits, Essential yet Neglected!

by Parth Agarwal, December 3rd, 2018

Image Ref. — Quill Audits

Blockchain technology is no longer nascent; its potential is being realised by governments and enterprises around the globe. Businesses in fields such as healthcare, agriculture, finance and transportation have already integrated blockchains into their supply chains to keep business records tamper-evident and immutable. The acceptance of cryptocurrency payments by government bodies in Ohio and Florida further strengthens my point.

Whenever something new is adopted, critics find their way in. Rather than reporting how blockchain use cases have transformed business processes, media reports have highlighted the cases where millions of dollars were stolen from a blockchain ecosystem:

  1. The DAO hack — roughly 3.6 million ETH drained (about $50 million at the time; the DAO had raised about $150 million)
  2. Parity — roughly $300 million locked in multisig wallets
  3. POWH — 2000 Ether stolen
  4. SpankChain — $40,000 stolen

The DAO failure was caused by a recursive-call (reentrancy) bug: the contract sent ether before updating the caller's balance, so the recipient could call back in and withdraw again. The same class of bug later hit SpankChain's payment-channel contract. (Image Ref. — Samuel Falkon)

These are only a few of the incidents in which large sums were lost in the blockchain ecosystem and picked up by the mainstream media. Blockchain is being promoted as the “next big thing in cyber-security”; to live up to that vision, the contracts deployed on it must be tamper proof, and the community needs a zero-tolerance policy towards unaudited code. Let’s get to the root of the problem: why did these hacks occur?

The more smart contracts a blockchain platform runs, and the more value they hold, the larger its attack surface.

“Bugs”

Smart contracts are programs deployed on the blockchain; the transactions that call them are recorded in blocks. These contracts are responsible for the transfer of millions of dollars (or, for security tokens, assets worth millions) across the network. They are written by developers, who are human and sometimes unknowingly leave bugs in the code that are not caught during final testing, and unlike a conventional application, a contract cannot simply be patched in place once deployed.

Attackers exploit these bugs to drain the funds flowing through the contracts.

“Audit Process”

For auditing a smart contract, auditors follow a four-step process:

  1. Gathering specifications — for an audit to be thorough, not only the bugs present must be identified but also the functionality that is absent. This is a crucial step: an effective audit team checks that the smart contract behaves exactly as the whitepaper specifies, no more and no less.
  2. Manual review — a line-by-line scrutiny of the code. The idea is to put the code in front of as many eyes as possible so that no error goes unnoticed.
  3. Unit testing — the auditor goes down to the smallest unit of the code, writing unit test cases for each function in the smart contract, including its failure paths (reverts, access control, re-entry).
  4. Automated analysis — this step uses the tools already developed by the blockchain community. Depending on the nature of the contract, auditors use various tools; common ones are Mythril, SmartCheck, Remix and Solhint.

Use of the solidity-coverage tool is also recommended. It runs the unit tests and reports which lines, branches and functions were executed, which identifies sections of the code that are untested or need more testing. A line that was executed is not necessarily asserted on, so coverage is a floor for the test suite, not proof of correctness.

During an audit the auditor should also check whether the smart contract is “truly decentralised”. Some contracts unknowingly give too much power to the owner: burning other holders' tokens, extending the locking period at will, or freezing investors' funds. Each privileged function should be listed in the report together with what the owner key could do with it if it were compromised or misused.
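As an added illustration that is not part of the original article, the following Solidity shows the three owner powers just listed in the unbounded form an auditor would flag, beside a variant where each power is bounded or removed. The names (CentralisedToken, BoundedToken, MAX_FREEZE) are illustrative, and the token logic is stripped to the privilege-related functions only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article. Only the privileged functions
// are shown; transfers and supply bookkeeping are omitted.

// FLAGGED: the owner can burn anyone's tokens, freeze any holder indefinitely
// and push the unlock date forward forever, with no bound investors can rely on.
contract CentralisedToken {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public frozen;
    uint256 public unlockTime;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function burnFrom(address holder, uint256 amount) external onlyOwner {
        balanceOf[holder] -= amount;            // owner destroys someone else's tokens
    }
    function freeze(address holder, bool state) external onlyOwner {
        frozen[holder] = state;                 // no expiry, no limit
    }
    function setUnlockTime(uint256 t) external onlyOwner {
        unlockTime = t;                         // lock can be extended at will
    }
}

// BOUNDED: holders burn only their own tokens, the lock can only be shortened,
// a freeze expires after a fixed window, and ownership can be renounced.
contract BoundedToken {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public frozenUntil;
    uint256 public unlockTime;
    uint256 public constant MAX_FREEZE = 7 days;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256 _unlockTime) { unlockTime = _unlockTime; }

    function burn(uint256 amount) external {
        balanceOf[msg.sender] -= amount;        // only the caller's own balance
    }
    function shortenLock(uint256 t) external onlyOwner {
        require(t < unlockTime, "lock can only shrink");
        unlockTime = t;
    }
    function freeze(address holder) external onlyOwner {
        frozenUntil[holder] = block.timestamp + MAX_FREEZE; // bounded and public
    }
    function renounceOwnership() external onlyOwner {
        owner = address(0);                     // no privileged key remains
    }
}
```

The audit finding is not that onlyOwner functions exist, but that in the first contract their reach is unlimited; the second makes every remaining power bounded by code rather than by trust in the owner.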

“Coming back to the Critics”

Any hack resulting in monetary losses distorts the image of the whole blockchain ecosystem, leading the general public (who are eager to step into this revolution) to take a step back and consider the technology immature. To envision a blockchain-dominated future, a structured audit process needs to be followed across all blockchains.

Whenever I take an exam, I always believe that I have passed with flying colours, but an external audit of my examination paper says otherwise!

“Summary”

Smart contract auditing is not an easy task, and a single development team obviously CANNOT catch all the bugs during development. I recommend audits from several independent auditors: not only does this make the project more secure and assure investors of a safe haven for their money, it also helps make the blockchain ecosystem far more resilient.

Some of the top smart contract auditors, based on an analysis of the audit reports published on their respective blogs:

  1. Zeppelin Solutions
  2. Hosho
  3. Quill Audits
  4. Decenter
  5. Quantstamp

References —

  1. https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7
  2. https://medium.com/quillhash/quillaudits-smart-contracts-audit-check-list-d65a305ec1a3
  3. https://medium.com/swlh/the-story-of-the-dao-its-history-and-consequences-71e6a8a551ee
  4. https://callisto.network/blog/post/why-do-we-need-smart-contract-auditing/


Let’s discuss more on Blockchain Security, ping me on my telegram handle — @parth_agarwal !