Smart contract audits are becoming more prominent as part of the DeFi sector. While they have always been integral, running automated and manual code checks is now standard practice, a response to the high-profile attacks perpetrated against DeFi protocols over the last couple of years.
Each DeFi project is recommended to undergo one or more audits; the alternative is a possible hack, after which the product will be viewed with great mistrust by customers. Audit companies are taking on increasing workloads to meet growing demand, developing tools to make the audit process more comprehensive and efficient.
Our company, INC4, has been in the blockchain development space for 10+ years. Consequently, we’ve seen areas of development change to respond to this dynamic market. Lately, we’ve been fielding a larger number of requests for smart contract audits, so we thought we’d answer some of the questions that are often put to us. Our CEO, Igor Stadnyk, took some time out of his busy schedule to share key insights on the topic of DeFi smart contract audits.
We are just now hearing more about DeFi smart contract audits. Are audits more critical than before, or are people just more aware of the risks?
We are hearing more about audits lately because the DeFi sector has massively increased in terms of trading volumes. There are more users, some of whom come from an institutional background and are willing to put a greater amount of funds into certain protocols. As a result, hacks that were occurring before are becoming larger in scale, which generates more attention. Therefore, a high-quality audit is a market demand, both on the part of users and developers. Everyone wants a system to be trusted and beneficial for all parties. DeFi usage cannot keep growing with insufficient user connectivity and/or poor safety.
Which security issues can be avoided as a result of a smart contract audit?
Simply put, a DeFi audit is a complex code evaluation by experts to identify the possible vulnerabilities of smart contracts. Some threats that DApps face (e.g., denial-of-service attacks, signature replay attacks, front-running, reentrancy attacks) can be made much less likely when a code audit is done properly. Therefore, all the unforeseen risks of smart contract exploitations can be identified before the deployment of the project.
The main security issue we see is where bad actors are able to drain smart contracts of funds. Since smart contracts are a relatively new innovation, formal security standards are just starting to be developed. Over recent years, multiple auditing companies have gained momentum. For present-day protocols, getting help from auditing firms is essential to ensuring that DApps are safe to process and transact large amounts of cryptocurrencies.
Although the DeFi sector is becoming more established, different companies still use their own strategies for auditing platforms, sometimes through internal processes, and sometimes with external auditors. Clients should put more trust in external companies; however, at present, some protocols still prefer to abandon the audit procedure for one of the following reasons:
- Unawareness of a security audit’s value
- The time required for auditing
- The (perceived) lack of time to read and implement the recommendations of detailed audit reports
As DeFi breeds more and more complex structures with interrelated components (compared to Lego blocks, with cross-communication between chains), this gives us the chance to benefit from new structures in a creative manner. However, with innovation comes risk. It is critical to ensure that the latest protocols are audited with each iteration to protect both users and the protocol’s liquidity from possible hacks.
Which specialists do you have on your reviewing team?
Working with DeFi requires specialist expertise in the blockchain sector and previous experience in deploying such projects. These two aspects are critical when looking for a reviewing team.
The INC4 team involves a smart contract developer, an architect, and a security engineer.
We are confident that we can deliver high-quality audits and we have the track record to prove it. When conducting an audit we leverage:
- Experience gained from effectively completed blockchain projects
- Expertise in drawing up smart contracts
- Knowledgeable in-house IT specialists
- Rigorous security standards
What are the steps that your team takes when auditing?
Following are the eight steps which INC4 takes to help you get the desired smart contract audit result — without any compliance discrepancies.
- Consistency check between the functionality of the contract and its description in the whitepaper and other supporting docs (like smart contract specifications). We also conduct an undocumented features check;
- Review against the standard list of vulnerabilities;
- Symbolic analysis of potential weak spots;
- Static analysis by automated tools;
- Manual code and code quality review;
- Gas usage analysis;
- Check of unit tests coverage;
- Report preparation.
Our agreement covers all aspects of an audit so that our clients never have to reach out to several DeFi service providers concurrently.
How much time does it take for the INC4 team to complete the full audit?
It depends on the complexity of the system. For example, it takes a month to complete the full audit for a system of medium difficulty.
What advice would you give to developers writing code?
The most sound advice we would like to give is — do not rush. The cost of an error in DeFi smart contracts is often the death of a project and its reputation. You have to be attentive at the design phase, in testing, and of course, at the audit phase.
What are the main criteria that DeFi product developers need to consider when choosing a good auditing team?
In addition to all that we mentioned above, reputation is also important; if a company is held in good esteem then you are more likely to get a quality audit.
Given the plethora of innovative protocols and more than $20 billion worth of different cryptocurrencies locked in DeFi, this sector has a bright future; however, there is still significant risk that cannot be downplayed. Don’t jeopardize your project by rushing through testing — instead, book a call with the INC4 team for a more detailed chat about audit capabilities.