Smart contracts play a critical role in decentralized finance, so it is important that they work as intended. To gain the trust of investors, DeFi platforms proudly show off audit badges on their websites, but what exactly is a smart contract audit? How does such an audit work, and what does it say about the safety and reliability of a project? We answer these questions in this article.
What are Smart Contract Audits #
During a smart contract audit, the code of the smart contracts is examined for bugs, issues and vulnerabilities. Audit institutions usually work methodically through the code according to a fixed procedure. The analysis is typically applied to all smart contracts of a DeFi protocol rather than to a single one, because the contracts of a protocol call each other and a flaw in one contract often surfaces in another.
Smart contract audits are essential prior to the launch of a new DApp because smart contracts are typically designed to manage large amounts of crypto assets, making it important that they function properly and are safe from exploits. A minor bug or vulnerability can result in major or even complete losses for investors.
In addition to security reasons, developers also use smart contract audits to gain the trust of potential new investors. An audited DeFi platform with an “Audited By” badge looks safer and more professional than a DeFi platform that has not been audited.
It is important to check the website of the smart contract audit institution to confirm that a DeFi platform has actually been audited: the auditor's own site or the published report should name the project and the contracts that were reviewed. Malicious DeFi platforms often display badges of audit institutions that never audited them, with the ultimate goal of stealing investors' assets.
A few well-known smart contract audit institutions are:
How Smart Contract Audits are conducted #
Typically, audit institutions follow a fixed methodology and a fixed timeline for each audit. They combine automated tools, including formal verification, with a manual review by experts.
Formal verification is a specialized process that uses mathematical reasoning to show that a smart contract satisfies a precisely stated property, for example that a fee can never exceed a cap, or that a user can never withdraw more than they deposited. The property is written down as a formal specification and is then either proven to hold in every reachable state of the contract or disproven by a concrete counterexample.
Because the tools reason symbolically rather than by running individual test cases, a single proof covers all inputs and all sequences of transactions, which no test suite could enumerate. When a property is violated, the tool pinpoints the assertion that fails and usually produces a transaction trace that reaches the violating state; proposing and implementing a fix remains the job of the developers and the reviewers. Formal verification therefore complements manual review rather than replacing it: a proof is only as good as the properties that were specified and the model of the environment (callers, external contracts, compiler behavior) that the tool assumes, so a verified contract is no guarantee against exploits that fall outside that specification.
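The following is an added illustration, not code from the page or from any audit firm's tooling. It shows the two outcomes described above using the SMTChecker built into the Solidity compiler: a property that the checker disproves with a counterexample, and the same property proven after a one-line fix. The contract names, the 10% cap and the 2% starting tax are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not code from the page or from any audit firm. The property is
// "the transfer tax can never exceed the advertised cap". Contract names, the cap of
// 10% and the 2% starting tax are assumptions made for the example.
// Check both contracts with solc's built-in SMTChecker:
//   solc --model-checker-engine chc --model-checker-targets assert TaxCap.sol

/// Version 1: setTax() has no bound, so the property asserted in transfer() is reachable.
contract TaxedTokenUnbounded {
    uint256 public constant MAX_TAX_BPS = 1_000; // 10%, the cap the project advertises
    uint256 public taxBps = 200;                 // 2% at deployment
    address public immutable owner;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
        balanceOf[msg.sender] = 1e24;
    }

    function setTax(uint256 bps) external {
        require(msg.sender == owner, "not owner");
        taxBps = bps; // nothing stops bps = 10_000, i.e. a 100% tax (a honeypot)
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        // The property the auditor wants to hold in every reachable state.
        assert(taxBps <= MAX_TAX_BPS);
        uint256 tax = (amount * taxBps) / 10_000;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - tax;
        balanceOf[owner] += tax;
        return true;
    }
}

/// Version 2: identical except that the bound is enforced where the state changes.
/// The CHC engine derives the invariant taxBps <= MAX_TAX_BPS and reports the assert as safe.
contract TaxedTokenCapped {
    uint256 public constant MAX_TAX_BPS = 1_000;
    uint256 public taxBps = 200;
    address public immutable owner;
    mapping(address => uint256) public balanceOf;

    constructor() {
        owner = msg.sender;
        balanceOf[msg.sender] = 1e24;
    }

    function setTax(uint256 bps) external {
        require(msg.sender == owner, "not owner");
        require(bps <= MAX_TAX_BPS, "tax above cap"); // the fix: bound the state change
        taxBps = bps;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        assert(taxBps <= MAX_TAX_BPS); // now provable for every sequence of calls
        uint256 tax = (amount * taxBps) / 10_000;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - tax;
        balanceOf[owner] += tax;
        return true;
    }
}
```

For the first contract the checker reports an assertion violation in transfer() together with a counterexample trace (a setTax() call with a value above the cap, followed by a transfer); it does not write the missing require, the reviewer does. For the second contract the assertion is reported as safe for every sequence of calls. Note what the proof does not say: the owner can still raise the tax to 10% at any moment, and nothing is claimed about properties that were never asserted. A "formally verified" badge covers exactly the properties listed in the report and nothing else.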
How extensively smart contracts are checked differs per audit institution. Certik, for example, checks smart contracts for:
- Gas optimization
- Mathematical operations
- Logical issues
- Control flow
- Volatile Codes
- Data flow
- Language-specific issues
- Coding style
- Inconsistency
- Magic numbers
- Compile errors
Although each audit institution has its own procedures and analysis methods, a smart contract audit generally proceeds as follows:
- Agreement on a specification: The project provides a specification and other associated documentation so that the audit team understands the project's architecture and what the smart contract code is supposed to do. Auditors will also often ask for a "code freeze", which requires that all coding is finalized, or at least in its final stage, before the audit starts.
- General testing: During this step, various tests are run, from unit tests that target individual functions to tests that exercise larger parts of the code. These general tests quickly reduce the number of easily detectable bugs; a line coverage of around 90% per contract is typically achieved.
- Formal verification (automated analysis): The formal verification tools described above are run against the properties that follow from the specification.
- Manual analysis: After the automated analysis, experts go through the entire contract by hand to check whether any function behaves contrary to the specification and to find the vulnerabilities, such as business-logic flaws, that automated tools miss.
- Audit report: Finally, the audit institution compiles a report with its findings, normally with a severity for each issue, a note on whether the project fixed it, and the commit or contract addresses that were reviewed. Ideally the project team and the audit institution discuss the results and how to fix any remaining vulnerabilities or bugs.
Smart contract audits vs RugDoc reviews #
It is important to know the difference between smart contract audits and RugDoc reviews. Smart contract audits mainly focus on whether a smart contract works as it should: is the coding style right, are there any major or minor bugs in the contract, how good is the gas optimization, and so on. Audits do not primarily look for "hard rug" functions: code paths that let the developers take depositors' funds without exploiting any bug at all, such as an owner-only function that moves pooled tokens to an address of the owner's choosing.
Rugdoc.io is not a smart contract audit institution; it focuses solely on analyzing the smart contracts of DeFi farms (e.g. MasterChef contracts) for hard rug potential.
Rugdoc mainly screens coding aspects such as:
- Masterchef ownership
- Time locks
- Transfer tax
- Anti-whale functions
- Locker contracts
- Harvest lockups
- Previously performed rug pull codes
Rugdoc doesn't focus on aspects like bugs or gas optimization. Simply put, Rugdoc evaluates whether the code gives the developers of the DeFi platform the ability to perform a hard rug.
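To make the distinction concrete, here is an added example that is not RugDoc's code and not taken from any real project: a stripped-down MasterChef fork in which a bug-focused audit would find nothing wrong, yet which contains two of the hard-rug paths from the list above, beside a version with those paths closed. The contract and interface names (ChefCore, RuggableChef, SafeChef, IMigrator) and the 4% fee cap are made up for the example; the migrator pattern is the one inherited from the original SushiSwap MasterChef that many farms forked.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not RugDoc's or any project's code. The names RuggableChef,
// SafeChef, ChefCore and IMigrator, and the 4% fee cap, are made up for the example;
// the migrator pattern is the one inherited from the original SushiSwap MasterChef.

interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMigrator {
    // Pulls the pool's LP tokens and returns whatever token the migrator wants the pool to hold.
    function migrate(IERC20 lpToken) external returns (IERC20);
}

contract Owned {
    address public owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // RugDoc's "Masterchef ownership" and "Time locks" items ask where this ends up:
    // an EOA can act instantly, a timelock contract gives depositors time to leave.
    function transferOwnership(address newOwner) external onlyOwner { owner = newOwner; }
}

// Deposit/withdraw accounting shared by both versions; it is not where the rug risk lives.
abstract contract ChefCore is Owned {
    struct PoolInfo { IERC20 lpToken; uint16 depositFeeBP; }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount;
    address public feeAddress;

    constructor(address _feeAddress) { feeAddress = _feeAddress; }

    function deposit(uint256 _pid, uint256 _amount) external {
        PoolInfo storage pool = poolInfo[_pid];
        require(pool.lpToken.transferFrom(msg.sender, address(this), _amount), "transferFrom");
        uint256 fee = (_amount * pool.depositFeeBP) / 10_000; // fee in basis points
        if (fee > 0) require(pool.lpToken.transfer(feeAddress, fee), "fee transfer");
        userAmount[_pid][msg.sender] += _amount - fee;
    }

    function withdraw(uint256 _pid, uint256 _amount) external {
        require(userAmount[_pid][msg.sender] >= _amount, "withdraw: too much");
        userAmount[_pid][msg.sender] -= _amount;
        require(poolInfo[_pid].lpToken.transfer(msg.sender, _amount), "transfer");
    }
}

/// BEFORE: no bug in the audit sense, two hard-rug paths in the RugDoc sense.
contract RuggableChef is ChefCore {
    IMigrator public migrator;

    constructor(address _feeAddress) ChefCore(_feeAddress) {}

    // Rug path 1 ("Transfer tax", here a deposit fee): no cap, so the owner can add a
    // pool whose fee is 10_000 basis points and keep 100% of every deposit.
    function add(IERC20 _lpToken, uint16 _depositFeeBP) external onlyOwner {
        poolInfo.push(PoolInfo({lpToken: _lpToken, depositFeeBP: _depositFeeBP}));
    }

    function setMigrator(IMigrator _migrator) external onlyOwner { migrator = _migrator; }

    // Rug path 2 (migrator): every LP token in the pool is handed to a contract the owner
    // chose. The balance check inherited from MasterChef is satisfied by a migrator that
    // mints the same amount of a worthless token, so it does not protect depositors.
    function migrate(uint256 _pid) external onlyOwner {
        PoolInfo storage pool = poolInfo[_pid];
        IERC20 lp = pool.lpToken;
        uint256 bal = lp.balanceOf(address(this));
        require(lp.approve(address(migrator), bal), "approve");
        IERC20 newLp = migrator.migrate(lp);
        require(bal == newLp.balanceOf(address(this)), "migrate: bad");
        pool.lpToken = newLp;
    }
}

/// AFTER: the same accounting with both paths closed at the code level.
contract SafeChef is ChefCore {
    uint16 public constant MAX_DEPOSIT_FEE_BP = 400; // 4%, a cap chosen for the example

    constructor(address _feeAddress) ChefCore(_feeAddress) {}

    function add(IERC20 _lpToken, uint16 _depositFeeBP) external onlyOwner {
        require(_depositFeeBP <= MAX_DEPOSIT_FEE_BP, "add: fee above cap");
        poolInfo.push(PoolInfo({lpToken: _lpToken, depositFeeBP: _depositFeeBP}));
    }

    // No setMigrator/migrate and no other owner function that touches pool balances:
    // pooled LP tokens can only leave through withdraw(), back to the depositor.
}
```

Both versions compile without warnings, have no overflow, reentrancy or access-control bug, and would pass the checklist items an audit cares about. What separates them is whether the owner key can take the pool, which is exactly the question a RugDoc review answers and an audit report generally does not. Even SafeChef is only as safe as its ownership: if the owner is a plain wallet rather than a timelock, the team can still change pool parameters the moment they choose, so the ownership and timelock items on the list are checked against the deployed contract, not the source.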
It is also important to realize that a smart contract audit says little about how secure a DeFi platform is today, because an audit is a snapshot of one version of the code. Have the developers changed their smart contract code after the audit? Is the team behind the platform publicly known? Did the developers swap their Masterchef contract for a malicious one after the audit? None of these questions stop the developers from displaying the "Audited By" badge on their website, so check for yourself: the audit report states which commit or contract addresses were reviewed, so compare that with the verified source at the address you are actually depositing into, and treat any difference as unaudited code.
Conclusion #
Smart contract audits play an important role in checking and analyzing smart contract code, and the bugs and vulnerabilities they find can be fixed before launch. It is good to remember, though, that smart contract audits mainly focus on the correctness and potential bugs of a smart contract, not on whether the team behind it can take the funds.
We recommend that you use RugDoc.io for checking the reliability of projects. If you have a farm that you would like us to review, click on this link.