An organization that intends to undertake a project in the crypto field is often faced with a new world of technologies that have never been used directly before and may underestimate specific aspects that are proper to projects in this field. In traditional projects, there are always organizational audits, but in this case, it’s very important to audit also the software that is then put on the blockchain. The reason is that insecure software can lead to vulnerability, opening the door to hacker attacks that can do very significant damage given the fact that these solutions usually manage assets with very significant economic values. A 3rd party audit is also considered a sign of authenticity and integrity of the project itself, it gives its users trust and reliability in the project. The demonstration of this risk has already been observed in various hacking incidents in recent years.
Blockchain hack cases
One striking example happened recently, in August 2021: blockchain site Poly Network reported that hackers had exploited a vulnerability in its system and stolen thousands of digital tokens worth $600 million. Poly Network then conducted a technical investigation and discovered that the hacker had exploited a vulnerability in calls between smart contracts.
– In 2017, a vulnerability in a smart contract in Parity Multisig Wallet version 1.5+ allowed a hacker to steal over $30 million.
– Another major case was the 2016 Ethereum DAO hack. The “Distributed Autonomous Organization” (DAO) smart contract had a bug, and hackers exploited it to steal $70 million worth of Ether (ETH). It took a complex, lengthy and controversial effort to recover and restore the funds.
What is a smart contract?
Smart contracts are specialized programs stored on a blockchain and are typically used to automate the execution of an agreement so that all counterparties can be certain of the outcome without the need to trust each other or any intermediaries. A smart contract guarantees that its execution will exactly match the logic that was originally coded into it. And after the execution of that logic, the final state on the network will remain immutable.
Ethereum’s blockchain is the most widely used platform for implementing smart contracts. Being programmable, the platform allows its users to implement processes of various complexity. The code for these contracts is stored in the blockchain and executed by the Ethereum Virtual Machine (EVM) – the core of this blockchain platform.
Unfortunately, however, the proper execution of a smart contract’s code cannot guarantee its complete security. In fact, analyses done on existing smart contracts have shown that a significant portion of them are actually vulnerable.
There are a number of known vulnerabilities related to smart contracts and they are particularly critical because:
- Most smart contracts deal with financial assets and therefore can manage assets of considerable value.
- It is not possible to modify smart contracts after publishing them
- Changes in the state of the blockchain generated by faulty or fraudulent contract transactions cannot be undone due to the immutable nature of the blockchain.
Writing a fully secure smart contract is complex. In addition, the contract’s code requires extensive verification before being published on the network. The main reason for these vulnerabilities to happen is that most developers are still not familiar with blockchain platforms coding. Blockchain development projects are in fact software development projects, so methodologies must be applied to ensure software quality including robust verification and validation processes.
Smart Contract Audit
In these types of projects, it is necessary to conduct external audits to validate the solution and identify any vulnerabilities before they are discovered and exploited by hacking professionals. These types of audits are based on the fact that typical vulnerabilities fall into certain known categories and therefore can be verified by platform experts in a structured and systematic way, possibly using special software tools. It is necessary to proceed with a thorough and detailed study of the smart contract code, design, and interaction with third-party components to identify implementation vulnerabilities and business logic flaws. Similarly, the application source code must be manually inspected in order to identify security weaknesses, show their impact, and provide recommendations for improving product security.
An entrepreneur or manager planning to launch a blockchain project should include an audit of the blockchain code in their project plan so as to limit as much as possible the risk of incorrect or vulnerable code being published on the blockchain and prevent hacking attacks. Monetum is highly aware of this, that’s why our products are audited by specialized third parties. We highly recommend this practice for the safety of both clients and companies.