It can unquestionably be stated that the increased adoption of smart contracts demands strong security guarantees. Unfortunately, it is challenging to create smart contracts that are free of security bugs. As a consequence, critical vulnerabilities in smart contracts are discovered and exploited every few months.
Significance of Smart Contract Security Audit
The rise of Decentralized Finance is inevitable. The DeFi market is growing at an incredibly exponential rate.
However, this year has quite clearly proved that it’s indispensable to consider the best security practices while developing the Smart Contract or building an entire Decentralized Application with so much at stake.
Most importantly, it’s high time for us to understand that Smart Contract Auditscan no more be neglected.
With a significant dependency on smart contracts, DeFi audits become crucial where a third party reviews every line of code and helps to identify the bugs and bottlenecks.
If left unaudited, the DeFi contracts may result in setbacks that include loss of funds and manipulation of the system. Sometimes, it may also lead to the shutdown of the company.
Therefore, it becomes necessary to check the team’s quality auditing your DeFi contract and get acquainted with their auditing process.
Vicious Smart Contract Vulnerabilities that can Wipe Out Millions
- External Calls — Although external calls have their own significance but are extremely risky since they can technically shift the control over execution to any malicious actor.
dForce, a decentralized finance protocol lost around $25 million in April 2020. The attack took place when LendFi, the lending app of dForce, was exploited because of an external call that led to a reentrancy attack.
Note: It is crucial to ensure that no state changes take places after an external call is made. Read more about external calls and their vicious side here.
2. Reentrancy Attack ( DAO Fiasco )
The Dao Hack on June 17, 2016. This was the hack where the attacker could steal 3.6 million ETH in the first few hours of the attack by sampling the reentering the contract again and again.
3. Price oracle Manipulation
The year 2020 witnessed some massive price oracle manipulation attacks. Renowned DeFi protocols like bZx hack, Harvest, Cheese Bank hack faced huge losses due to manipulation of price oracles.
While bZx lost $350,000 in the first attack(12 Feb 2020), it lost around $650,000 in the second attack(18 Feb 2020). On the other hand, Harvest finance lost approximately $24million due to an oracle manipulation attack using flash loans.
Read more about flash loan & oracle manipulation attacks here.
4. Ownership of the deployed contract
Parity Multisig wallet lost 150,000 ETH, which was around 30M USD back then.
5. Timestamp Dependence
Note: If the contract function can tolerate a 15-second drift in time, it is safe to use block.timestamp
6. Storage injection vulnerability in NEO Smart Contracts (which allows anyone to change the token’s total supply limit by transferring their tokens to an unspecified address.)
We at QuillAudits, try our best to keep us most up to date with the latest security practices. I am writing this blog to share our checklist and framework to audit every contract. This checklist can be applied to any smart contract, but we use other strategies to ensure smart contract’s security based on the contract’s business logic.
Imperative Checkpoints a Contract must go through
To ensure your code is easily followable by auditors, team members, automated tools, and the wider community, you should follow the style guide based on Solium’s standards. Having a set and automatically enforced style guide will additionally make it easier to spot the erroneous code.
1. Correct Functions Visibility:-
Functions in solidity can have four visibility specifiers:
private, with the
public being the default. State variables can be
internal being the default. Explicitly specifying the visibility of functions and state variables is a security best practice.
Absent specifiers can be dangerous, especially in the case of functions where the default is public accessibility. If such a function has critical logic, then it can be triggered from any external address to misuse the contract potentially. The first hack on the Parity multisign wallet exploited such missing function visibility specifiers leading to the attacker stealing $31M worth of Ether.
2. Data Storage:-
In solidity, data can be stored in memory which is non-persistent and less expensive, or in storage that is persistent and very expensive. While writing smart contracts, one should properly analyze where the data should be stored. By default state variables and local variables are stored in storage and function parameters are stored in memory.
3. Prevent overflow and underflow:-
An overflow is when a number gets incremented above its maximum value. Solidity can handle up to 256-bit numbers (up to ²²⁵⁶-1), so incrementing by 1 would result in 0.
Likewise, when the number is unsigned in the inverse case, decrementing will underflow the number, resulting in the maximum possible value.
Underflow and overflow can be prevented by using SafeMath library to perform math operations in smart contracts.
4. External Calls — Every external contract call is a risk:-
External calls to untrusted contracts can bring certain risks and errors. External calls may execute malicious code in that contract or any other contract that it depends upon. As such, every external call should be treated as a potential security risk. When it is not possible, or undesirable to remove external calls, use the recommendations.
5. Check for re-enterancy and ensure the state committed before the external call.
The Reentrancy attack, probably the most famous Ethereum vulnerability, surprised everyone when discovered for the first time. It was first unveiled during a multi-million dollar heist which led to a hard fork of Ethereum. Reentrancy occurs when external contract calls are allowed to make new calls to the calling contract before the initial execution is complete. For a function, this means that the contract state may change in the middle of its execution as a result of a call to an untrusted contract or the use of a low-level function with an external address.
Loss: estimated at 3.5M ETH (~50M USD at the time)
6. Don’t delegate the call to untrusted code.
delegatecall the function is used to call functions from other contracts as if they belong to the caller contract. Thus the caller may change the state of the calling address. This may be insecure.
7. Save Gas on smart contracts.
Saving gas is necessary to build an efficient smart contract. It is one of the main issues that the developers face because not all of them know how to do it correctly. Auditors at QuillAudits understand well which instructions consume more gas and how we can avoid or minimize them.
8. Timestamp Dependence
If the contract function can tolerate a 15-second drift in time, it is safe to use
9. Compiler warnings
All the compiler warnings are serious issue sometimes developer ignores warnings and deploys contract without considering them as a significant threat to their smart contract, we recommend necessary action to be taken to remove all the warnings.
10. Ownership of the deployed contract
It is very important to provide ownership to a contract at the time of deployment or a restriction to function calls else attacker may call those function or transfer ownership function before you or if you are required to give ownership of a contract later, most famous bug of this kind is oyster-pearl because ownership of smart contract was open attacker transfer ownership to himself and able to mint tokens of worth ~$300,000.
11. Oracle calls
Blockchains cannot access data outside their network. An oracle is a data feed provided by a third-party service designed for use in smart contracts on the blockchain.
Oracles are third-party services which are not part of the blockchain consensus mechanism. The main challenge with oracles is that people need to trust these sources of information.
12. Lock pragmas to specific compiler version:
pragma solidity ^0.4.4; this is bad pragma solidity 0.4.4; this is good
13. Security Tools
After manual and unit testing, your smart contract undergoes automation testing that is done using many open source security tools.
Static and Dynamic Analysis:
Linters and Formatters:
Linters improve the code quality.
We at QuillAudits use multiple in-house automated tools in addition to the tools listed, to secure your smart contract and to find whether your smart contract can fulfil your business requirements. apart from automated tools your smart contract code goes under multiple testing phases like static testing which is done manually by our expert audit team thereafter smart contract comes under unit testing which is done using truffle, the test suite is prepared for each and every function in your smart contract to know whether your function is capable of handling overflow, underflow condition, reflected variable in that function should maintain their value properly, then Solidity-coverage is used to know how much our test cases are penetrating your smart contract functions, final report after reviewed at multiple levels is delivered to the client including all the possible suggestions and severity issues raised during the audit.
Some recent Audit reports, Audited by QuillAudits are :
We welcome feedback on the procedures so we can keep iterating and improving.
Thanks for reading. Also, do check out our earlier blog posts.
QuillAudits is a secure smart contract audits platform designed by QuillHash
It is an auditing platform that rigorously analyzes and verifies smart contracts to check for security vulnerabilities through effective manual review with static and dynamic analysis tools, gas analysers as well as simulators. Moreover, the audit process also includes extensive unit testing as well as structural analysis.
We conduct both smart contract audits and penetration tests to find potential
security vulnerabilities which might harm the platform’s integrity.
For further discussion and queries on the same topic, join the discussion on
Telegram group of QuillHash —
To be up to date with our work, Join Our Community:-
Legendary Pelé NFT Set to Drop on Ethernity May 8
[Press Release – Los Angeles, California, 8th May, 2021]
Iconic Brazilian footballer Pelé will be immortalized in NFT form on May 8.
The legendary striker, named FIFA World Player of the Century, is getting the tokenized treatment with the release of a licensed aNFT – authenticated non-fungible token – exclusively on the Ethernity Chain at 12pm EST.
The digital presentation includes “THE KING OF FOOTBALL,” an immersive video tracing the player’s humble origins on the streets of Brazil to a packed stadium witnessing his brilliance. The eponymous “Pelé” aNFT, meanwhile, is represented by a hyper-realistic digital bronze bust of the star in his heyday.
As part of the Pelé aNFT collection, Ethernity will be releasing multi-pack trading cards that make a nod to the player’s Panini trading cards of the past.
Ethernity’s special digital trading cards include “Gilded Bicycle Pelé,” which showcases the player executing his signature bicycle kick. The limited edition cards will be part of the Ethernity Cards and Packs Collection launching this summer, 2021.
90% of aNFT sales will go to The Pelé Foundation, a charitable organization that strives to empower young people facing poverty around the world.
Ethernity’s recent Muhammad Ali aNFT auction, which raised over $550,000, also resulted in a significant donation being made to the Muhammad Ali Foundation.
Ethernity is exploring applications for non-fungible tokens (NFTs) within the context of art and philanthropy. It provides a way for celebrities and public figures to endorse digital artwork created by renowned artists. Anyone can purchase each limited edition artwork, with a portion of the proceeds going to charitable causes that the celebrity supports. Ethernity was founded by early Bitcoin investor and NFT innovator Nick Rose Ntertsas.
Learn more: http://ethernity.io/
Crypto Banter Will Give Away Over $500K To 10 Eligible Community Members
[Press Release – Cape Town, South Africa, 8th May, 2021]
Banter Bags is a unique project in the cryptocurrency world that aims to give back to its community. What initially started as a $10,000 community giveaway is now worth over $500.000. Ten eligible community members will be chosen randomly to receive their share of the spoils once the Crypto Banter Youtube channel surpasses 250,00 subscribers.
The Banter Bags Giveaway is an event created by Ran Neuner, host of CNBC Crypto Trader and founder of Crypto Banter on Youtube. The initial objective was to reward active participation in the community and generate more engagement with the daily streams but as the investments started to grow it became a mechanism to really change some community member lives.
Speaking of pre-market allocations, the Crypto banter team initially put $10,000 in a public Ethereum address. That money was then invested into allocations, with more investments occurring daily to diversify the portfolio further. Several key investments have noted spectacular returns, including Shopx, Aioz, Refineable and Occam. All of these pre-market allocations have gone up in value by a factor of 100 or more.
As the total value of the Banter Bags now exceeds $500,000, a golden opportunity is created for the community. Once the Youtube channel surpasses 250,000 subscribers, ten community members will earn a Banter Bag with the corresponding spoils. The only requirement to be eligible is to subscribe to Crypto Banter on YouTube and follow the Twitter account. Community members can amplify their chances by following @cryptomanran and @sheldon_sniper on Twitter, by liking/commenting on tweets, and engaging with the two daily streams.
The Crypto Banter team adds:
“It started off as a fun idea of giving $10000 to our community, and as we started to invest, we realized that the community loved the idea of investments in pre-market allocations that we previously off-limits for the average investor. With this in mind, we went all in using our influence to reward our community. It was supposed to be a cool $10,000 giveaway to reward the community, and it has landed up becoming an opportunity to change lives. The channel has exploded since we launched this initiative. We’re up by over 100% on every metric, we gained over 100k subscribers and got over 5m views in the last 28 days. More than that, our community has engaged more. They love the idea that we are giving back to them and that we may at any point change another life.”
Five winners have been randomly selected so far, all of which have an amazing story to share. One of the winners, who goes by the name of Irfan, lost his job and was struggling financially. With a pregnant wife expected to give birth in two months, being announced the winner of a Banter Bag triggered a life-changing event for Irfan. Anyone can go through a similar experience once the remaining Bags are given away to community members.
We also announced that one of the bags will be given to a charity and we are currently looking for a viable option.
About Crypto Banter
CRYPTO BANTER was founded by CNBC CRYPTO TRADER host Ran Neuner and is a LIVE STREAMING CRYPTO STATION. We bring you live streaming coverage of the global Crypto markets and give you a chance to call in, break the news, and banter with our guests and hosts. CRYPTO BANTER was created to bring the banter from Crypto Twitter and Telegram to a moderated, curated AV streaming medium. Think of its as a mix of CNBC, JOE ROGAN, and Talk radio for Crypto!
Follow Crypto Banter on YouTube
Follow Crypto Banter on Twitter
XRP, Dogecoin, Cardano Price analysis: 08 May
Volatility was shrinking in the XRP market and some rangebound movement was predicted moving forward. Buying resumed for Dogecoin as the price overturned $0.69 from resistance to support. Lastly, Cardano presented a few targets above $2 which could be toppled in the coming weeks.
At the time of writing, the world’s fifth-largest cryptocurrency – XRP was trading within a range of $1.63-$1.53. Bollinger Bands contracted and a volatile market that saw XRP rise from $1.31 to $1.75 was now coming to an end. This suggested some short-term sideways movement. On the other hand, OBV has been on an uptrend since late April and buying pressure has been steadily building up in the market.
If the $1.75-ceiling is toppled, XRP could shoot north of $1.96 and register a new local high. If the market takes a bearish path, $1.31-support could be under the spotlight.
Dogecoin jumped by 8% in the last 24-hours as the buying frenzy resumed after yesterday’s cooldown. According to the Awesome Oscillator, momentum was with the bulls and the bars switched to green once again. This was widely anticipated as Elon Musk’s Saturday Night Live appearance was now just a few hours away. RSI was also in bullish territory above 65. Even if the index moved in the overbought zone, it would be of little consequence as bullish sentiment alone could drive DOGE.
On the 4-hour timeframe, buyers flipped $0.69-resistance to a region of support. While volumes were yet to reach levels seen a few days ago, this could quickly change in the coming sessions. A bullish outcome could see DOGE rise above $0.80 before a pullback. Once a sell-off occurs, support lines to watch out for include $0.57 and $0.53.
Since early March, Cardano largely oscillated between the channel $1.48-$1.01. While a breakout did occur a couple of days ago, volumes were distant from levels seen during February. The technicals still highlighted a bullish market and a few Fibonacci levels were plotted on the daily timeframe.
MACD line maintained above the Signal line and its histogram noted a series of green bars. Supertrend Indicator continued to flash a buy signal which would switch to sell at $1.20. A few targets lay at 138.2% ($2.13) and 161.8% ($2.37) Fibonacci levels and these could be toppled in the coming weeks. Meanwhile, volumes must be observed for sharp price movement within the market.
Sign Up For Our Newsletter
Major Law Firm CMS Adds Stratis (STRAX) to its Legal Accelerator Program
eBay could add a crypto payment option, says CEO
Starcoll To Issue Limited Edition Star Wars Collectibles as NFTs
Pro traders buy the Bitcoin price dip while retail investors chase altcoins
Singapore’s largest bank posts tenfold crypto volume growth in Q1 2021
‘This ain’t no game’ as DOGE briefly flippens Nintendo and takes #4 spot from XRP
China’s Central Bank to Partner With Alibaba’s Ant Group on Digital Yuan
S&P launches cryptocurrency indexes, debuting with Bitcoin and Ether
WallStreetBets launches blockchain-powered app to decentralize indices
Bybit Launches Ether (ETH) Cloud Mining Service as Demand Booms
Bitcoin Miners Moving Away from China, F2Pool Observes
Bitcoin and Ethereum Indices Debut on S&P Dow Jones
40% intend to use crypto for payments in the next year: Mastercard survey
Here Is Why XRP Volume Has Recover Across Payment Corridors
eBay is Considering Adding Crypto Payments & NFT Sales
Another XRP lawsuit update: SEC accuses XRP Holders of ‘reciting’ Ripple’s litigation position
Bank of England Used as Bitcoin Advertising Board Stoking Inflationary Fears
‘DeFi may lead to a paradigm shift’ says Federal Reserve Bank paper
The Reason for Ethereum’s Recent Rally to ATH According to Changpeng Zhao
Bybit to Launch Cloud Mining to Democratize Ethereum Mining
Blockchain5 days ago
Mastercard adds 6 blockchain payments startups to accelerator program
Blockchain4 days ago
Major Law Firm CMS Adds Stratis (STRAX) to its Legal Accelerator Program
Blockchain1 week ago
100M euro digital bond was a CBDC test, says Banque de France
Blockchain1 week ago
Australian senate committee calls for national blockchain land registry
Blockchain1 week ago
The Crypto Weekly Recap: ETH Eyes $3000, Bitcoin Dominance at 33-Month Low
Blockchain1 week ago
Brett Lee and Sportsbet.io ‘bowl a Bitcoin’ as Community Supports Covid Crisis in India
Blockchain1 week ago
Biden’s capital gains tax plan to pull crypto down to earth from the moon?
Blockchain1 week ago
Experts debate Bitcoin climate footprint in latest Cointelegraph Crypto Duel