Blog

Why Do We Need Smart Contract Auditing?

Why Do We Need Smart Contract Auditing?

Not all smart contracts are “smart” like we think they are.  Smart contracts, like the ERC-20 token standard, contained digital assets of over $4 billion USD by early 2018.  These assets are not always as secure as we would like them to be, as is exhibited by multiple high-profile hacks.  This puts a significant burden on the crypto community, particularly for new investors that buy the hype without performing adequate due diligence.  Unfortunately, whenever hacks occur or vulnerabilities are discovered, the media tends to only report on these negative aspects of smart contracts, as opposed to their capabilities or what they can accomplish.

I will mention few attacks in this article and why I believe we should have smart contract auditing.

The biggest smart contract hack happened approximately two years ago, known as the DAO attack.  The DAO was a decentralized venture capital fund where investments were based on votes by the community.  The DAO was hacked by exploiting a combination of vulnerabilities in the DAO smart contract.  I will spare you the details of how the DAO was hacked, as this has already been covered extensively elsewhere.

In summary, the DAO hacker stole a total of 3.6 million Ether (Ethereum).  At the time of the theft, the approximate value of 3.6 million Ether was $50 million USD.  Based on today’s market value, this amounts to roughly $2.1 billion USD.  As a result of the attack, Etheruem forked and thus, Ethereum Classic was born, which has been billed as the true Ethereum blockchain.

More recently, a bug known as Parity “ooops I accidentally killed it” was discovered.  Parity was a major vulnerability and happened very recently, occurring only 12 months ago.  With this simple delete, $300 million in assets were frozen.  At this point in time, there is still no solution to recover the frozen funds.  Parity was initially pushing for a hard fork, but now seems to be relenting due to community uproar.

Last but not least the POWH coin: the self-sustaining pyramid scheme that paid its early users a dividend of 10%.  Speaking of pyramid schemes, the developers introduced an even more enticing version of their contract (PoWH Coin Shadow) which had a 20% dividend and  collapsed shortly after launch, resulting in the loss of several hundred Ether.

Immediately afterward, a White Hat hacker found another vulnerability in the original POWH Coin smart contract and posted it in the Discord, resulting in a total loss of 2,000 Ether.  The hacker exploited an unsigned integer underflow, thereby enabling the hackers to withdraw an infinite number of POWH’s tokens.  This attack happened only five months ago.

I have only mentioned three attacks above, but there are hundreds of other hacks and bugs in smart contracts and cryptocurrency in general.  Smart contract attacks and bugs such as these can create a distorted image of the crypto space, leading investors, users, regulators and the general public to conclude that it is immature for investment and dangerous.  At the moment, 90% of ICOs are still using the Ethereum chain.  However, new protocols and token standards are coming to the market in the near future, increasing the demand for a structured auditing process of smart contracts across different chains.

Given the exponential growth of digital assets and their application in every imaginable aspect of enterprise, the need for smart contract security is only going to increase.  This is particularly true in sensitive sectors such as aviation and banking, where smart contract security isn’t optional.  Vulnerabilities with smart contracts in these sectors can endanger not only investors, but entire economies.

The more smart contracts are deployed across different platforms, the bigger the danger.  Consumers should demand that the smart contract/currency they are investing in has been audited.

We have identified smart contract security as core tenet of crypto’s advance, which is why we formed the Callisto auditing team.  We believe that our audits will help prevent attacks like the ones described above by providing a solution where developers can easily and affordably verify the security of their smart contracts.

The user or developer simply requests an audit of their smart contract via our GitHub page.  Once the auditing is complete, the results will be published: here is an example of a completed audit report.

Come verify your smart contracts with us!

Topics:Learning