Smart Contract Audit Guide

How to audit a smart contract

To teach you how to conduct an audit, I will audit a contract that I wrote myself. This way you can see real-world audits that you can perform yourself.

Now you may ask: What exactly does smart contract auditing mean?

Smart contract auditing is the process of carefully studying the code. In this case, it refers to the discovery of bugs, smart contract audit services vulnerabilities, and risks before the Solidity contract is deployed to the Ethereum mainnet and used; because once published, these codes cannot be modified. . This definition is for discussion purposes only.

Please note that an audit is not a legal document to verify code security. No one can be 100% sure that the code will not make mistakes or create vulnerabilities in the future. This is just to make sure your code has been expertly edited and is basically safe.

Analyze the possible improvements, mainly to know the risks and vulnerabilities of ether that can harm users.

Ok, now let’s take a look at the structure of a smart contract audit report:

Disclaimer: Here I would say that the audit is not a legally binding document, it does not guarantee anything. This is just a discussion paper.

Audit overview and good features: Quickly see the smart contracts that will be audited and find good practices.

Contract Attacks: In this section, you will discuss contract attacks and their consequences. This is just to verify that it is really safe.

Serious vulnerabilities found in the contract: Critical issues that can seriously damage the integrity of the contract. Those serious problems that would allow attackers to steal ether.

Moderate vulnerabilities found in the contract: Those loopholes that can damage the contract but have limited damage. For example, a bug that allows people to modify random variables.

Low severity vulnerabilities: These issues do not actually harm the contract and may already exist in the deployed version of the contract.

Line- by-line commentary: In this part, smart contract audit you will analyze the most important lines with possible improvements.

Audit Summary: Your opinions on the contract and the final conclusion on the audit.

Keep this description of the structure in a safe place. This is all you need to do to securely audit the smart contract. It will really help you find those vulnerabilities that are hard to find.

I suggest you start with point 7 “line by line comment”, because when you analyze the contract line by line, you will find the most important issues, you will see what is missing and what should be modified or improved.

In the next article, I will show you a disclaimer, which you can use as the first step of the audit. You can watch from point 1 to the end.

Below I will show you the results of the completed audit using this structure, which I did for a contract I wrote myself. You will also see in point 3 an introduction to the most important possible attacks on smart contracts.

1. Disclaimer

The audit will not make a statement or guarantee about the usability of the code, the security of the code, the applicability of the business model, the regulatory system of the business model, or any other description of the applicability of the contract, and the behavior of the contract in a free state. of mistakes. The audit document is for discussion purposes only.

Generating random numbers on the blockchain is a very difficult subject, because one of the core values ​​of Ethereum is predictability, and its goal is to ensure that there are no undefined values.

Translator’s note:

The reason it is difficult to generate random numbers on the blockchain is that no matter what algorithm is used, a timestamp is required as a “seed” to generate random numbers (because the timestamp is the only value in the field of computer science that can theoretically guarantee “no duplication”); and obtaining a timestamp in a smart contract can only be done by a certain node (miner). This means that the timestamp obtained in the contract is determined by the local time of the node’s (miner’s) computer executing your code; therefore, the credibility of this node (miner) becomes the biggest issue. In theory, this local time can be spoofed by malicious programs, so this method is considered “unsafe”. Common practice is to use an off-chain third-party service, like Oraclize used here, to get random numbers. Because Oraclize is a basic utility that will not “forge” specific contracts, it can be considered “relatively safe”.

Because Oraclize can generate random numbers off-chain, bsc smart contract audit it is considered good practice to use it to generate believable numbers. Implement modifiers and a callback function to check if the information comes from a trusted entity.

The purpose of this smart contract is to participate in a random lottery, where people make bets between 1 and 9. When 10 people make a bet, the prize is automatically distributed to the winner. Each user has a minimum bet.

Each player can only place one bet in each game, and only when the number of participants reaches the required number will the winning number be generated.

excellent features

This contract provides a number of good functional codes:

Use Oraclize to generate a secure random number and check it in the callback.

The modifier checks the game ending conditions and blocks key features until the rewards are distributed.

Please check further to verify that the use of the gamble feature is appropriate.

The winning number is safely generated only when the number of bets reaches the maximum condition.