Getting wise on smart contract auditing: What you should know


Smart contract auditors continue to proliferate. Are they really the best guard against scams?

Digital contract in futuristic blue, with security shield image
Smart contracts are just one piece of the due diligence puzzle – Photo: Shutterstock


On 14 November 2021, BLIZZ, token of the now-defunct yield aggregator Blizzard, tanked in value as members of the development team allegedly exploited contract vulnerabilities to make off with millions in supposedly locked liquidity, effectively rugging the entire project.

In a post mortem report about the hack, Blizzard stated that it was unable to implement fixes of acknowledged bugs “before alleged rogue insiders executed the attack on the vaults”.

Yet just one month earlier, Blizzard passed a Hacken audit with a “secured” rating, and zero critical or high-level issues were found. Two medium-level issues were logged, including the omission of “some parts of contract logic”. But the audit was deemed acceptable enough for Blizzard to advertise it across social media and its official website, giving the project an air of authenticity.

The Blizzard case is just one of many examples of audited projects turning out to either be scams or highly exploitable. This leads to questions about the robustness and legitimacy of the rapidly-proliferating smart contract auditing sector.

Screenshot of Blizzard’s website stating it was audited by Hacken
Audited by Hacken, Blizzard subsequently crashed – Credit: blizzard.network

In another example, Uranium Finance was one of the largest rug pulls to occur in 2021. Approximately $50m was reportedly stolen from the Binance-based market maker, with a Uranium report raising some suspicions that insiders may have been involved. Yet Uranium Finance boasted three separate independent audits. Once again, the event raises questions about the smart contract auditing process.

Given some of the reports, Currency.com has investigated this niche market to ask, what is smart contract auditing? Who are the leading players? And what is a smart contract audit platform’s purview? Let's find out.

Smart contract audits: Are they essential?

One of the main questions is how much faith a stakeholder should place in a smart contract audit. Ronghui Gu, a co-founder of the leading smart contract auditor CertiK and professor of computer science at Columbia University, believes the current approach is the best option. He says: “Smart contract auditing and blockchain security are essential services in the freer, fairer Web3 world we’re aiming to build. A meticulous smart contract audit is the best way to confirm the security of a project before it goes to launch.

“Personally, I would not be comfortable interacting with an unaudited platform… I think that establishing a norm of auditing as a prerequisite for all projects would go a long way to making [decentralised finance] DeFi a safer place to trade.”

CertiK does not set timelines for its audits, unlike some of its competitors, which offer swift turnaround times as a selling point.

According to Gu: “There are a number of auditing firms out there with great reputations. There are also several companies that exist merely to give a rubber stamp to projects so that they can say they have been audited without needing to actually go through the strict review that entails.”

What should the auditors check?

“The main job of an auditor is to find any errors or vulnerabilities that could cause a loss of funds and/or control of the project,” Gu says. One of the most common issues that auditors come across is also a major talking point in the cryptocurrency space as a whole: centralisation. Despite centralisation having some benefits from an operational perspective, “it also runs counter to the ethos of DeFi and often introduces single points of failure. Rug pulls often take advantage of these centralised privileges,” Gu says.

In one example, CertiK’s audit of ZodiacDAO’s code in December 2021 uncovered centralised privileges allowing the contract’s owner to mint an infinite amount of new tokens. Despite CertiK logging this major vulnerability in its report, it remained unresolved. ZodiacDAO was rugged a couple of weeks later, using the very privileges reported by CertiK, explains Gu. Additionally, since the audit CertiK has reported the deactivation of ZodiacDAO’s Twitter account.

While big issues like centralisation and liquidity lock-ups can be easy to spot, granular code errors and vulnerabilities are not so obvious. In one stark example of why developers should invest time and money in a proper audit, Gu says he saw a project lose $57m of user funds “after neglecting to add a single zero to the Uniswap code they had forked”.
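To make the centralised-privilege finding concrete, the following is an added illustration, not ZodiacDAO’s code or anything from a CertiK report: a token whose owner can mint without bound, beside a variant that fixes an immutable supply cap at deployment and lets the owner give up the minting privilege entirely. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical example: the kind of owner-only mint an audit flags as a
// centralisation risk. Nothing stops the owner diluting every holder.
contract UncappedToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Audit finding: unbounded minting privilege held by a single key.
    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened variant: supply can never exceed a cap fixed at deployment,
// and the owner can renounce the privilege once distribution is done.
contract CappedToken {
    address public owner;
    uint256 public immutable cap;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event OwnershipRenounced(address indexed previousOwner);

    constructor(uint256 cap_) { owner = msg.sender; cap = cap_; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= cap, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    // Giving up ownership removes the single point of failure for good;
    // a reader of the audit report can verify on-chain that owner == 0.
    function renounceOwnership() external onlyOwner {
        emit OwnershipRenounced(owner);
        owner = address(0);
    }
}
```

An investor reading an audit can check the deployed contract for exactly these properties: whether a mint function exists, whether it is capped, and whether the owner address is still a live key.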

How accurate are smart contract audits?

Assessing the other major rug pulls of 2021 using Coindesk’s data reveals that many of the largest hacked and/or scam projects failed to undergo any observable audit. The Turkey-based exchange Thodex, which made international headlines after more than $2bn was stolen from investors, was by far the most significant rug pull of the year and just one example of a large-scale unaudited scam.

Bar chart illustrating the 15 biggest crypto scams of 2021
The 15 biggest crypto scams of 2021 – Credit: Coindesk.com via Chainalysis

Cross-referencing Coindesk’s top crypto scams of 2021 with the audit aggregator DeFi Yield’s database – and additional web searches – showed that of the 15 largest rug pulls, only three were subject to a credible audit. The most infamous scam of 2021, Squid Game (SQUID), was heavily flagged by auditor Paladin as containing numerous high and medium-risk issues in its smart contract, although numerous risks were seemingly resolved. Sadly, many investors did not take heed of these warnings; SQUID’s developers made off with $12m shortly after.

Extract from Paladin’s SQUID audit results highlighting the number of high, medium, low and information issues there were with the crypto
SQUID’s developers failed to change all high-risk issues – Credit: Paladinsec.co

Another smart contract auditor, Coinscope, reviewed SQUID and found no significant faults. Such contradictory findings raise serious questions about why the parameters used by different smart contract audit providers vary so significantly.

Extract from Coinscope's SQUID audit
Coinscope deemed SQUID a low-risk project – Credit: github.com/coinscope-co

Currency.com reached out to Coinscope via Telegram to discuss the matter. In response to our enquiry into the robustness of the SQUID audit, administrator Michael, who professed to being the chief operating officer, said: “I understand that a high score can be misleading for new investors. There are also a few common misconceptions about what an audit is and isn’t.

“An audit report surfaces potential warnings about the smart contract and suggests remediations to project owners. The owner can choose to do these remediations or not do them and maliciously exploit them later. In SQUID’s case, we have highlighted the function that can be exploited by the project owner and can harm investors. That function exists in other smart contracts as well, where it hasn’t been exploited and has been used to improve the functionality of the contract... That said, given how the score can be misinterpreted by the investors, we have since removed it and have made the warnings more visible and clear.”

Michael added that he often sees the same contract vulnerabilities as SQUID in many other smart contracts. “New investors will look into investing in those, just because the contract is audited,” he predicted.

Alarmingly, the two remaining rug pulls, the $22m StableMagnet project and the $2.5m Turtledex project, obtained positive smart contract audits with no major flags raised. Worryingly, the same auditor, Techrate, was responsible for both.

Consequently, Techrate’s legitimacy came under scrutiny, while DeFi Yield announced that Techrate audits would no longer be considered trustworthy. In fact, the legitimacy of the smart contract auditing procedure as a whole came under question.

Emiliano Bonassi, a co-founder of DeFi Italy, weighed in on the debate when he told Coin Telegraph in an interview: “I think that now, after all the hacks we’ve had, we basically understand that if you have two audits, three audits, it doesn’t mean you’re safe… This does not mean that audits have no value in this moment, but they are not silver bullets.”

At the time of writing, Techrate had been approached for further information about its auditing procedure, but did not immediately respond to a request for comment.

In addition, Hacken was approached too, but it also did not immediately respond with any comment.

Where does the responsibility lie?

Given the multitude of successfully-audited fraudulent projects out there, should the audits carry some of the blame? “This is a great question,” Gu said. “We’ve seen an explosion in the number of rug pulls recently, where the developers take off with their users’ deposits overnight. I don’t think it’s the auditor’s job to try to determine whether a project’s team is legitimate or not. That’s detective work, and we’re not police – we’re computer scientists. What we do is examine the code for known errors and vulnerabilities. We make no guarantees – we report our findings.”

Mark Basa, global brand and business manager at HOKK Finance, concurred. Basa told Currency.com: “That responsibility cannot be placed on the auditor. In most cases, the auditor is simply receiving project files without a complete explanation of the exact goals of the project. Responsibility for any fraudulent activities should always fall back on the developer of the contracts.” As well as CertiK, Basa recommended OpenZeppelin as a reputable smart contract audit platform.

Potential investors looking into a project should be careful not to take an audit as a stamp of approval. While an audit is a critical element of due diligence, Gu said: “If you see that a project has been audited and you take that as a green light to go ahead and invest in the platform, I think you’re missing a crucial step. You need to see exactly what it was that the auditor found.”

Just as investors have a responsibility to do extensive independent research on a cryptocurrency before investing, so too should they cast a critical eye on the auditors that are rubber-stamping the smart contracts. Currency.com suggests a thorough background check on the team and cross-referencing a cross-section of recently passed audits with recent rug pulls.

Are there alternatives?

“The truth is, no audit can completely discover any underlying bugs that may exist in a contract,” Basa told Currency.com. “It's why the importance of live, ongoing bug bounties have been so popular, as it incentivises intelligent individuals to explore a contract’s codebase to search for undiscovered exploits.”

Bug bounties are indeed becoming ubiquitous in the blockchain sector. But while they may help discover flaws in working smart contracts, they fail to address malicious intent in the early stages of a crypto project’s lifecycle.

Basa believes that more comprehensive databases of contract audits, allowing users to compare decentralised exchange token addresses, would benefit the due diligence process, but “the database would have to be decentralised by nature and be community-driven to ensure that there is no tampering with the audits”.

RugDoc is one platform providing independent, free, risk ratings of smart contracts. While it does not conduct comprehensive audits, contracts are screened for obvious “hard-rug” codes.

But perhaps educating stakeholders on the purview and scope of smart contract auditing is the key to sustaining these platforms' legitimacy. “There was a certain trend in the blockchain space that equated having an audit to being a perfect contract,” Basa said.

“When dealing with an auditor, especially a new or unreputable one, the actual scope of the audit may be very small. This leaves teams with a false sense of security that may have catastrophic consequences down the road.”

Michael from Coinscope concurred: “I want to strongly note that just because a contract is audited it’s not always safe. New investors should spend the time and read the audit report where it states clearly and simply what the risks are on each contract.”

For developers and investors alike, a proper smart contract audit by a reputable organisation remains the best way to assess how airtight a project’s code is. At the same time, audits should be seen as just one tool in a broader due diligence arsenal.

FAQs

Smart contract audits assess a project’s code for weaknesses that could lead to rug pulls or other fraudulent activity. While audits should not be seen as a green light on a cryptocurrency, they are a vital element of a due diligence exercise.

It varies depending on the auditor and the code being audited. Some smaller outfits offer turnaround times of a few days, whereas a leader like CertiK refuses to give deadlines. Currency.com recommends using reputable smart contract auditors only.

Note: Currency.com is not affiliated with CertiK and this article is not an endorsement of its services. Ronghui Gu’s input was provided on a voluntary basis in response to questions posed by Currency.com.
