This article aims to provide insight into decentralized finance (DeFi) audits and their efficacy. If you are unfamiliar with DeFi, consider reading our introductory article on DeFi. You might also want to read our articles on cryptocurrency, blockchain, and smart contracts before reading this article.
The smart contract code underpinning any DeFi project can contain exploitable flaws, ranging from token and market manipulation to reentrancy and front-running bots. A smart contract security audit is thus necessary to search for such bugs and security exploits before real funds are exposed. Some of the most notorious examples of smart contract attacks include the Ethereum DAO hack and Parity’s multi-signature wallet hacks.
The DAO was a decentralized autonomous organization (DAO) that aimed to democratize the way Ethereum projects were funded. In 2016, its token sale raised more than US$150 million within three weeks. Shortly after the sale concluded, an attacker exploited a reentrancy bug: The DAO’s split function sent ETH to the caller before updating the caller’s balance, so the attacker’s fallback function could call back into the contract and withdraw the same balance repeatedly. The attack drained roughly US$55 million worth of ETH, and Ethereum performed a hard fork to return the funds.
In 2017, Parity created multi-signature software wallets for users to manage Ether (ETH). A multi-signature wallet requires more than one private key to approve a transfer. Each wallet was a thin contract whose fallback function forwarded unknown calls via delegatecall to a shared library contract, and the library’s initialization function had no check that it could only run once. In July 2017, an attacker called that function through the fallback, became the owner of three wallets, and drained about 150,000 ETH, worth roughly US$30 million at the time. In November 2017, a second flaw in the same library let a user become the owner of the library contract itself and self-destruct it, freezing the funds of more than 500 wallets that depended on it. Thus, projects must ensure their smart contract code is sound through careful auditing to defend against malicious actors.
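The delegatecall-and-fallback pattern behind the Parity incidents, reduced to a constructed illustration. This is an added example written for this article, not Parity’s actual code or any audit firm’s material; the contract and function names (WalletLibrary, Wallet, initWallet, kill) are assumptions chosen to mirror the pattern, and the hardened SafeWalletLibrary shows the two checks an auditor would expect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the shared-library pattern. Wallet contracts
// delegatecall into WalletLibrary, so the library's code runs against the
// *calling wallet's* storage (slot 0 = owner, slot 1 = dailyLimit).
contract WalletLibrary {
    address public owner;
    uint256 public dailyLimit;

    // Flaw 1: public, and no check that it runs only once. Anyone who reaches
    // it through a wallet's fallback becomes that wallet's owner.
    function initWallet(address _owner, uint256 _dailyLimit) public {
        owner = _owner;
        dailyLimit = _dailyLimit;
    }

    function execute(address to, uint256 value) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: value}("");
        require(ok, "call failed");
    }

    // Flaw 2: the library's own storage was never initialized, so a direct
    // call to initWallet on the library makes the caller its owner, and
    // kill() then destroys the code every wallet depends on.
    function kill(address payable to) external {
        require(msg.sender == owner, "not owner");
        selfdestruct(to);
    }
}

contract Wallet {
    // Storage layout must match WalletLibrary, since its code writes here.
    address public owner;
    uint256 public dailyLimit;
    address public immutable lib;

    constructor(address _lib, uint256 _dailyLimit) {
        lib = _lib;
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address,uint256)", msg.sender, _dailyLimit)
        );
        require(ok, "init failed");
    }

    receive() external payable {}

    // Every unknown selector, including a second initWallet(), is forwarded.
    fallback() external payable {
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
        assembly { return(add(ret, 32), mload(ret)) }
    }
}

// Hardened library: initialization can only happen once per storage context,
// and the library's own storage is claimed at deployment so nobody can
// become its owner and self-destruct it.
contract SafeWalletLibrary {
    address public owner;
    uint256 public dailyLimit;

    constructor() {
        owner = address(0xdead); // assumption: unreachable sentinel owner
    }

    function initWallet(address _owner, uint256 _dailyLimit) public {
        require(owner == address(0), "already initialized");
        require(_owner != address(0), "zero owner");
        owner = _owner;
        dailyLimit = _dailyLimit;
    }
}
```

An auditor reviewing this pattern checks three things: which library functions are reachable through the wallet’s fallback, whether any state-changing function lacks an authorization or one-time guard, and whether the library contract’s own storage has been initialized so that it cannot be captured or destroyed.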
What Is an Audit?
A smart contract audit is an independent third-party review of a contract’s source code. Developers who build DeFi decentralized applications (dApps) employ auditing firms to examine the code, report vulnerabilities by severity, and recommend fixes and best practices in smart contract logic. Projects typically publish the audit reports for greater transparency. Moreover, projects can boost their credibility by employing a reputable auditing firm.
What Happens During an Audit?
The auditing process begins with code analysis, where auditors scrutinize every line for known vulnerability classes, including reentrancy, transaction reordering (front-running), short address, and replay attacks. Next, auditors perform functional validation by executing the contract to check that it behaves as the project’s specification promises. Auditors also vary the inputs and execution conditions, for example by fuzzing parameters, changing the order or sender of transactions, or introducing an additional party or contract into the interaction, to determine whether the contract still produces the intended outcome in every state it can reach after deployment.
Some auditing firms provide an audit score alongside a report. For example, CertiK and Hacken respectively provide “security” and “cybersecurity” scores for each audited project. Both companies also routinely rank projects with the best audit scores, as seen from CertiK’s Web3 Security Leaderboard and Hacken’s Top 100 Exchanges (as of February 2022).
Shortcomings of Current Auditing Methods
Smart contract auditing firms charge around US$5,000 to US$15,000 on average, depending on the complexity of the code. High auditing costs may be daunting to smaller projects with limited funding, leaving them no choice but to opt for less comprehensive audit reports or skip out on the process entirely.
The time taken for a smart contract audit depends on the size and complexity of the project. For simple tokens, the process may take a few days. For dApps with elaborate tokenomics, the waiting time may extend to around a week, and a comprehensive audit that also hunts for backdoors may take up to a month. Many developers thus opt for an interim report rather than a full security audit, which leaves the project vulnerable to undiscovered bugs at its release.
Reports Are Difficult to Understand
History has shown that audited DeFi projects are not spared from attacks: in 2020, both a Uniswap pool and Lendf.me were drained through reentrancy introduced by an ERC777 token’s transfer hook. Users must therefore do their own research (DYOR) and carefully examine audit reports before investing in a project. However, the technical jargon used in reports makes it difficult for everyday users to assess the security of a project.
The Future of DeFi Audits
These limitations have led many DeFi projects to leave their smart contract code unaudited, exposing them to attack. However, auditing firms are attempting to address these issues. For example, ConsenSys Diligence publishes digestible audit reports with color-coded text for greater clarity. Other firms, like Solidproof, strive to shorten the auditing process; Solidproof uses an automated analysis tool with preset rules that flag known error patterns to bolster efficiency.
Although many auditing firms continue to suffer from these shortcomings, audits play a vital role in securing the DeFi space. As DeFi promotes an open-source financial ecosystem, anyone with the necessary knowledge can join the DeFi auditing industry. Users can also protect themselves by interacting only with projects that meet a certain security threshold before committing their funds. That said, an audit does not guarantee a project’s legitimacy or security. Users should thus exercise due diligence by doing their own research.
At Treehouse, we want to empower people to confidently navigate DeFi, and this includes helping users with understanding and assessing risk properly. In case you missed it, check out our recommended list of risk-related pieces!
- How to Make Sense of Metrics in DeFi
- DeFi Risks: What You Need to Know
- How to Manage Your DeFi Risks With This Framework
New to DeFi? If you found this useful, check out our other Learn DeFi articles to dive deeper into the wonderful world of DeFi! Alternatively, browse our Insights section to read more in-depth analyses on the DeFi space. You can also try out our flagship product, Harvest, to get a comprehensive analysis of your DeFi assets. Lastly, subscribe to newsletter updates in the box below!