This article aims to provide insight into decentralized finance (DeFi) audits and their efficacy. If you are unfamiliar with DeFi, consider reading our introductory article on DeFi. You might also want to read our articles on cryptocurrency, blockchain, and smart contracts before reading this article.
The smart contract code underpinning any DeFi project is vulnerable to hacks, ranging from token and market attacks to exploitative bots. A smart contract security audit is thus necessary to search for potential security exploits, bugs, and reentrancy attacks. Some of the most notorious examples of smart contract attacks include the Ethereum DAO hack and Parity’s multi-signature wallet hack.
Ethereum DAO was a decentralized autonomous organization (DAO) aimed at democratizing the way Ethereum‘s projects were funded. In 2016, it raised more than US$150M by its third week from its token sale. However, even before the sale’s conclusion, a hacker exploited a fallback function in the code exposed to reentrancy. The attack resulted in a US$55M loss, and Ethereum had to perform a hard fork to recover some of the stolen funds.
In 2017, Parity created multi-signature software wallets for users to manage Ether (ETH) tokens. The multi-signature wallets required more than one private key before the funds stored could be approved for transfers. A hacker exploited the delegate call and fallback function in Parity’s smart contract library code, blocking funds from more than 500 wallets holding a total of 150K ETH worth US$30M at the time. Thus, projects must ensure their smart contract code is sound through careful auditing to defend against malicious actors.
What Is An Audit?
A smart contract audit is a review by a third party of its source code. Developers who build DeFi decentralized applications (dApps) employ auditing firms to examine the code and recommend the best practices in smart contract logic. Projects will typically publish the audit reports to the public for greater transparency. Moreover, projects can boost their reliability by employing a reputable auditing firm.
What Happens During An Audit?
The auditing process begins with code analysis, where auditors scrutinize every line for various cybersecurity vulnerabilities, including reentrancy, reordering, short address, and replay attacks. Following this, auditors conduct a performance validation by executing the contract to check if it fulfils the agreements made by the project developers. Auditors also test the code for variables, determining whether the contract can handle all possible variations that might arise after its implementation. For example, auditors can change the execution conditions or even add a third party to the contract to ensure that the contract will always perform a desirable outcome.
Some auditing firms provide an audit score alongside a report. For example, CertiK and Hacken respectively provide “security” and “cybersecurity” scores for each audited project. Both companies also routinely rank projects with the best audit scores, as seen from CertiK’s Web3 Security Leaderboard and Hacken’s Top 100 Exchanges (as of February 2022).
Shortcomings of Current Auditing Methods
Too Expensive
Smart contract auditing firms charge around US$5K to US$15K on average, depending on the complexity of the code. High auditing costs may be daunting to smaller projects with limited funding, leaving them no choice but to opt for less comprehensive audit reports or skip out on the process entirely.
Time-Intensive
The time taken for a smart contract audit depends on the size and complexity of the project. For simple tokens, the process may take a few days. However, for dApps with elaborate tokenomics, the waiting time may extend to around a week. The entire process may take up to a month for a more comprehensive audit that rules out backdoors. Many developers thus opt for an interim report rather than a full security audit. However, this leaves the project vulnerable to undiscovered bugs at its release.
Reports Are Difficult to Understand
History has proven that audited DeFi projects are not spared from malicious attacks, such as the reentrancy attacks on Uniswap and Lendf.me in 2020. Users must thus do your own research (DYOR) and carefully examine auditing reports before investing in a project. However, the technical jargon used in reports makes it difficult for everyday users to assess the security of a project.
The Future of DeFi Audits
These limitations have led many DeFi projects to leave their smart contract code unaudited, risking security attacks. However, auditing firms are attempting to address these issues. For example, ConsenSys Diligence publishes digestible audit reports with color-coded text for greater clarity. Other firms like Solidproof strive to reduce the lengthy duration of the auditing process. Solidproof uses an automated auditing tool with pre-installed parameters programmed to look for errors to bolster efficiency.
Although many auditing firms continue to suffer from shortcomings, audits play a vital role in ensuring the security of the DeFi space. As DeFi promotes an open-source financial ecosystem, doors are open for anyone with the necessary knowledge to join the DeFi auditing industry. Users can also protect themselves by interacting with projects that meet a certain security threshold before committing their funds. That said, audits do not always guarantee a project’s legitimacy and security. Users should thus exercise their due diligence by doing their own research.
At Treehouse, we want to empower people to confidently navigate DeFi, and this includes helping users with understanding and assessing risk properly. In case you missed it, check out our recommended list of risk-related pieces!
- How to Make Sense of Metrics in DeFi
- DeFi Risks: What You Need to Know
- How to Manage Your Defi Risks With This Framework
- Introducing Price Risk and Basic Trading Strategies
- Flash Loans and Flash Loan Attacks? What Are They and How to Prevent Them?
- A Look Back at Past Crypto Winters
- How to Measure Your Price Risk in DeFi
- Diversify Your Portfolio to Manage Your DeFi Price Risk
- How to Manage DeFi Price Risk by Setting Stop Losses
- How to Reduce DeFi Price With Delta Neutral Strategies
- How to Minimize DeFi Price Risk: Options Are an Option
Disclaimer
This publication is provided for informational and entertainment purposes only. Nothing contained in this publication constitutes financial advice, trading advice, or any other advice, nor does it constitute an offer to buy or sell securities or any other assets or participate in any particular trading strategy. This publication does not take into account your personal investment objectives, financial situation, or needs. Treehouse does not warrant that the information provided in this publication is up-to-date or accurate.
Hyperion by Treehouse reimagines workflows for digital asset traders and investors looking for actionable market and portfolio data. Contact us if you are interested! Otherwise, check out Treehouse Academy, Insights, and Treehouse Daily for in-depth research.
