It can unquestionably be stated that the increased adoption of smart contracts demands strong security guarantees. Unfortunately, it is challenging to create smart contracts that are free of security bugs. As a consequence, critical vulnerabilities in smart contracts are discovered and exploited every few months.
Significance of Smart Contract Security Audit
The rise of Decentralized Finance is inevitable. The DeFi market is growing at an incredibly exponential rate.
However, this year has quite clearly proved that it’s indispensable to consider the best security practices while developing the Smart Contract or building an entire Decentralized Application with so much at stake.
Most importantly, it’s high time for us to understand that Smart Contract Auditscan no more be neglected.
With a significant dependency on smart contracts, DeFi audits become crucial where a third party reviews every line of code and helps to identify the bugs and bottlenecks.
If left unaudited, the DeFi contracts may result in setbacks that include loss of funds and manipulation of the system. Sometimes, it may also lead to the shutdown of the company.
Therefore, it becomes necessary to check the team’s quality auditing your DeFi contract and get acquainted with their auditing process.
Vicious Smart Contract Vulnerabilities that can Wipe Out Millions
- External Calls — Although external calls have their own significance but are extremely risky since they can technically shift the control over execution to any malicious actor.
dForce, a decentralized finance protocol lost around $25 million in April 2020. The attack took place when LendFi, the lending app of dForce, was exploited because of an external call that led to a reentrancy attack.
Note: It is crucial to ensure that no state changes take places after an external call is made. Read more about external calls and their vicious side here.
2. Reentrancy Attack ( DAO Fiasco )
The Dao Hack on June 17, 2016. This was the hack where the attacker could steal 3.6 million ETH in the first few hours of the attack by sampling the reentering the contract again and again.
3. Price oracle Manipulation
The year 2020 witnessed some massive price oracle manipulation attacks. Renowned DeFi protocols like bZx hack, Harvest, Cheese Bank hack faced huge losses due to manipulation of price oracles.
While bZx lost $350,000 in the first attack(12 Feb 2020), it lost around $650,000 in the second attack(18 Feb 2020). On the other hand, Harvest finance lost approximately $24million due to an oracle manipulation attack using flash loans.
Read more about flash loan & oracle manipulation attacks here.
4. Ownership of the deployed contract
Parity Multisig wallet lost 150,000 ETH, which was around 30M USD back then.
5. Timestamp Dependence
Note: If the contract function can tolerate a 15-second drift in time, it is safe to use block.timestamp
6. Storage injection vulnerability in NEO Smart Contracts (which allows anyone to change the token’s total supply limit by transferring their tokens to an unspecified address.)
We at QuillAudits, try our best to keep us most up to date with the latest security practices. I am writing this blog to share our checklist and framework to audit every contract. This checklist can be applied to any smart contract, but we use other strategies to ensure smart contract’s security based on the contract’s business logic.
Imperative Checkpoints a Contract must go through
To ensure your code is easily followable by auditors, team members, automated tools, and the wider community, you should follow the style guide based on Solium’s standards. Having a set and automatically enforced style guide will additionally make it easier to spot the erroneous code.
1. Correct Functions Visibility:-
Functions in solidity can have four visibility specifiers:
private, with the
public being the default. State variables can be
internal being the default. Explicitly specifying the visibility of functions and state variables is a security best practice.
Absent specifiers can be dangerous, especially in the case of functions where the default is public accessibility. If such a function has critical logic, then it can be triggered from any external address to misuse the contract potentially. The first hack on the Parity multisign wallet exploited such missing function visibility specifiers leading to the attacker stealing $31M worth of Ether.
2. Data Storage:-
In solidity, data can be stored in memory which is non-persistent and less expensive, or in storage that is persistent and very expensive. While writing smart contracts, one should properly analyze where the data should be stored. By default state variables and local variables are stored in storage and function parameters are stored in memory.
3. Prevent overflow and underflow:-
An overflow is when a number gets incremented above its maximum value. Solidity can handle up to 256-bit numbers (up to ²²⁵⁶-1), so incrementing by 1 would result in 0.
Likewise, when the number is unsigned in the inverse case, decrementing will underflow the number, resulting in the maximum possible value.
Underflow and overflow can be prevented by using SafeMath library to perform math operations in smart contracts.
4. External Calls — Every external contract call is a risk:-
External calls to untrusted contracts can bring certain risks and errors. External calls may execute malicious code in that contract or any other contract that it depends upon. As such, every external call should be treated as a potential security risk. When it is not possible, or undesirable to remove external calls, use the recommendations.
5. Check for re-enterancy and ensure the state committed before the external call.
The Reentrancy attack, probably the most famous Ethereum vulnerability, surprised everyone when discovered for the first time. It was first unveiled during a multi-million dollar heist which led to a hard fork of Ethereum. Reentrancy occurs when external contract calls are allowed to make new calls to the calling contract before the initial execution is complete. For a function, this means that the contract state may change in the middle of its execution as a result of a call to an untrusted contract or the use of a low-level function with an external address.
Loss: estimated at 3.5M ETH (~50M USD at the time)
6. Don’t delegate the call to untrusted code.
delegatecall the function is used to call functions from other contracts as if they belong to the caller contract. Thus the caller may change the state of the calling address. This may be insecure.
7. Save Gas on smart contracts.
Saving gas is necessary to build an efficient smart contract. It is one of the main issues that the developers face because not all of them know how to do it correctly. Auditors at QuillAudits understand well which instructions consume more gas and how we can avoid or minimize them.
8. Timestamp Dependence
If the contract function can tolerate a 15-second drift in time, it is safe to use
9. Compiler warnings
All the compiler warnings are serious issue sometimes developer ignores warnings and deploys contract without considering them as a significant threat to their smart contract, we recommend necessary action to be taken to remove all the warnings.
10. Ownership of the deployed contract
It is very important to provide ownership to a contract at the time of deployment or a restriction to function calls else attacker may call those function or transfer ownership function before you or if you are required to give ownership of a contract later, most famous bug of this kind is oyster-pearl because ownership of smart contract was open attacker transfer ownership to himself and able to mint tokens of worth ~$300,000.
11. Oracle calls
Blockchains cannot access data outside their network. An oracle is a data feed provided by a third-party service designed for use in smart contracts on the blockchain.
Oracles are third-party services which are not part of the blockchain consensus mechanism. The main challenge with oracles is that people need to trust these sources of information.
12. Lock pragmas to specific compiler version:
pragma solidity ^0.4.4; this is bad pragma solidity 0.4.4; this is good
13. Security Tools
After manual and unit testing, your smart contract undergoes automation testing that is done using many open source security tools.
Static and Dynamic Analysis:
Linters and Formatters:
Linters improve the code quality.
We at QuillAudits use multiple in-house automated tools in addition to the tools listed, to secure your smart contract and to find whether your smart contract can fulfil your business requirements. apart from automated tools your smart contract code goes under multiple testing phases like static testing which is done manually by our expert audit team thereafter smart contract comes under unit testing which is done using truffle, the test suite is prepared for each and every function in your smart contract to know whether your function is capable of handling overflow, underflow condition, reflected variable in that function should maintain their value properly, then Solidity-coverage is used to know how much our test cases are penetrating your smart contract functions, final report after reviewed at multiple levels is delivered to the client including all the possible suggestions and severity issues raised during the audit.
Some recent Audit reports, Audited by QuillAudits are :
We welcome feedback on the procedures so we can keep iterating and improving.
Thanks for reading. Also, do check out our earlier blog posts.
QuillAudits is a secure smart contract audits platform designed by QuillHash
It is an auditing platform that rigorously analyzes and verifies smart contracts to check for security vulnerabilities through effective manual review with static and dynamic analysis tools, gas analysers as well as simulators. Moreover, the audit process also includes extensive unit testing as well as structural analysis.
We conduct both smart contract audits and penetration tests to find potential
security vulnerabilities which might harm the platform’s integrity.
For further discussion and queries on the same topic, join the discussion on
Telegram group of QuillHash —
To be up to date with our work, Join Our Community:-
Cardano Multi-Asset ‘Mary’ Update Launches to Mainnet
Late on Monday, March 1, Cardano announced the successful upgrade of the network stating that it is a key milestone in its ongoing rollout.
It added that the update introduces core Goguen features of native token functionality and multi-asset support. Goguen is a major upgrade stage on the Cardano roadmap which introduces smart contracts and the ability to build dApps.
— Input Output (@InputOutputHK) March 1, 2021
Multi-Asset Mary For Native Tokens
According to an IOHK blog post, native tokens will bring multi-asset support to Cardano, allowing users to create uniquely defined custom tokens and carry out transactions with them directly on the blockchain.
The ‘Mary’ upgrade enables the ledger’s accounting infrastructure to process not only ADA transactions but those that simultaneously carry several asset types. It added that native support grants distinct advantages for developers as there is no need to create smart contracts to handle custom token creation or transactions.
Developers and now create tokens on Cardano for everything from NFTs to tokenized stocks or commodities, and according to Token Tool, there are already over 1,400 of them. It appears that they are just being created for experimental purposes at the moment as most of them do not have a purpose.
The blog post explained that, unlike Ethereum’s ERC-20 standard, tracking and accounting of custom tokens on Cardano is supported by the ledger natively:
“Because native tokens do not require smart contracts to transfer their value, users will be able to send, receive, and burn their tokens without paying the transaction fees required for a smart contract or adding event-handling logic to track transactions.”
ADA Price Update
ADA has surged in price in the run-up to the upgrade, so much so that it has usurped Binance Coin and taken the third spot on the market cap charts according to CoinGecko.
At the time of press, ADA was still correcting with a 2.4% decline on the day to $1.22. Its all-time high came on Feb. 27 when the token topped $1.45 briefly. Over the past 30 days, Cardano has made a whopping 240% and since the same time last year when it was priced at a lowly $0.05, it has surged over 2,500%.
There are 32 billion tokens circulating out of a maximum supply of 45 billion giving the asset a market cap of $38.8 billion at current prices.
Miami Mayor dismisses Treasury Secretary Yellen’s criticism of Bitcoin
Over the past few weeks and months, Miami and Mayor Francis Suarez have been working towards positioning the city as the country’s premier crypto-hub. “We want to be one of the most crypto-forward and technological cities in the country,” Suarez had said in a recent interview, with the comments coming on the back of reports which claimed that Miami was considering putting 1% of its treasury reserves into Bitcoin.
In fact, a few weeks ago, the city official had also claimed that Miami was looking at crypto-regulations in the state of Wyoming and Wisconsin, among others, to take a step towards enabling crypto-payments.
Mayor Suarez is in the news again today after he responded to Treasury Secretary Janet Yellen’s comments on Bitcoin, the world’s largest cryptocurrency. Speaking to the media at the recent NYT DealBook Conference, Yellen claimed that Bitcoin is an “extremely inefficient way of conducting transactions.” Further, the Treasury Secretary also raised serious questions about Bitcoin’s use for illicit finance and its energy consumption.
Yellen’s remarks, however, didn’t come as a surprise to Miami’s Mayor.
“It doesn’t surprise me at all that a Treasury secretary would find a decentralized potential currency to be hostile to a currency that they control.”
According to Suarez,
“For people who invest in Bitcoin, the allure is precisely that: It’s not backed by a central government. So it’s not manipulatable by the central government.”
During the said interview, Suarez also shot down questions about the risk associated with the world’s largest cryptocurrency. When asked about investing in an asset class that has long been known for its volatility, the Mayor remarked that Bitcoin is an asset class that is still being studied, and not something Miami is jumping right into. “Bitcoin is worth studying and worth looking at,” he concluded.
While Mayor Suarez’s bullish comments on Bitcoin aren’t a surprise, it is worth highlighting that his latest comments were a direct response to statements made by the United States’ Treasury Secretary, a development that highlights the gulf that is appearing between local officials and the country’s biggest financial decision-makers.
Sign Up For Our Newsletter
Nigeria’s Vice President makes a surprising case for Cryptocurrencies
A contradictory statement has recently been made by Nigeria’s Vice president Prof. Yemi Osinbajo, concerning the recently imposed Cryptocurrency ban by the country’s Central bank. The Vice President explained at the CBN bankers committee economic summit, that digital currencies are an inevitable part of the country’s economy.
Prof. Osibanjo makes a fair case for digital currencies
He reckoned that as opposed to banning Cryptocurrencies entirely, employing care and prudence could favor the technological developments that are byproducts of the emergence of digital currencies.
“We must act with knowledge and not with fear, we must ensure that we are in a position to benefit and in a position to prevent any of the adverse side effects or any of the criminal acts that may arise as a consequence of adopting or taking any of these options.” He explained.
Taking to Twitter to share the aforementioned keynote speech at the summit, he went on to emphasize the impending innovative shift that the country would make when digital currencies dominate the financial market.
As he puts it :
“Cryptocurrencies in the coming years will challenge traditional banking, including reserve banking, in ways that we cannot yet imagine, so we need to be prepared for that seismic shift.”
Nigerians respond to the government’s “theatrics”
The Crypto-community in Nigeria has responded to the Vice President’s speech in sarcastic unison, as they await a turnaround of events to carry out the job of clearing their doubts. Similar theories have sprung up, following the country’s Cryptocurrency ban, in which banks were prohibited from partnering with Cryptocurrency firms to process payments.
Many have suggested that the government’s decision to ban Cryptocurrency is birthed out of the fear of the decentralized nature of digital currencies, which were efficient for the ‘EndSars’ protesters to bypass bank restrictions and continue with their march against police brutality.
Nigerians cling to P2p trading to help combat government policies
It remains to be seen what the future holds for the country, whose younger citizens have helped to boost and profit from the booming industry of Cryptocurrency investment and trading, among other Crypto-related activities from their end.
In the meantime, for Cryptocurrency trading platforms like Buycoins, the show must go on. Users of the platform have since returned to their roots as the platform employs a third-party app to facilitate peer-to-peer trading.
Even though this could potentially affect the speed at which transaction is processed, Nigerians have reaffirmed that sticking to the available option is still less risky than storing their money in a traditional bank.
Gemini collaborates with The Giving Block and others, adds donations option
NextGen Blockchain Platforms Self-Organize to Win Government Contracts
Google Finance adds dedicated ‘crypto’ tab featuring Bitcoin, Ether, Litecoin
What Coinbase Going Public Could Do For Crypto
Crypto Investment Fund to Sell $750M in Bitcoin for Cardano and Polkadot
This was avoidable – The lost Bitcoin fortunes
Economist warns of dystopia if ‘Bitcoin Aristocrats’ become reality
Why Mark Cuban is looking forward to Ethereum’s use cases
Coinbase public listing filing details 2020 revenue, major a16z stake
Korean Government To Levy Taxes On Bitcoin Capital Gains Starting 2022
XRP, STEEM, Enjin Price Analysis: 27 February
Inverse Finance seizes tokens, ships code: Launches stablecoin lending protocol
NBA Top Shot leads NFT explosion with $230M in sales
Polkadot, Cosmos, Algorand Price Analysis: 28 February
How KuCoin Shares (KCS) Can Create a Stream of Passive Income
‘Bitcoin could reach $1 million or $1, and may do both of those’
Here are 6 DEX tokens that have seen exponential growth in 2021
6 Questions for Kain Warwick of Synthetix
3 reasons why Reef Finance, Bridge Mutual and Morpheus Network are rallying
Litecoin, Monero, Dash Price Analysis: 28 February
Blockchain1 week ago
Ankr adds Eth2 futures (fETH) to its staking system
Blockchain5 days ago
Gemini collaborates with The Giving Block and others, adds donations option
Blockchain1 week ago
Ripple now registered as a Wyoming business
Blockchain1 week ago
Peter Schiff Now Discusses Bitcoin More Often Than His Beloved Gold
Blockchain1 week ago
Former BoE, BoC Governor Mark Carney joins Stripe board of directors
Blockchain1 week ago
Are Bitcoin’s long-term hodlers entering the seller’s market?
Blockchain1 week ago
Elon Musk Explains to Peter Schiff What Money Is
Blockchain6 days ago
Optimized Ethereum Mining Settings for Nvidia RTX 3060 Ti, RTX 3070, RTX 3080 and RTX 3090 GPUs