Audit of smart contracts

Analysis and verification of specifications and source code of smart contracts

Your smart contracts may contain hidden vulnerabilities that could result in loss of money or interruption of business operations. In the world of blockchain, even small security issues negatively affect reputation and investment decisions.

Secure your blockchain solutions, fix costly bugs, optimise your code, and give assurance to your users and investors. As a result, you will boost the trust of the blockchain community in your projects and ensure their stable growth.

Our certified experts analyse the security of your smart contracts line by line, finding their vulnerabilities and other weaknesses. We develop guidelines that protect your smart contracts and your business.

Read the introduction to the security of smart contracts. Find out more about the problems we solve, the methods and tools we use, and the results we deliver.



The problems with smart contracts

  1. Inconsistency between specification and implementation.
  2. Deficiencies in design, logic and access control.
  3. Arithmetic overflow operations (integer overflow and underflow).
  4. Reentrancy attacks, code injection attacks, and Denial of Service attacks.
  5. Exceeded limits on bytecode and gas usage.
  6. Miner attacks on timestamp and transaction ordering, transaction-ordering dependence (TOD).
  7. Race conditions, other known attacks, and access control violations.
More about vulnerabilities

  • Common and platform-specific vulnerabilities:
    • Incorrect standard implementation
    • Integer Overflow and Underflow
    • Callstack Depth Attack
    • Timestamp Dependency
    • Block Properties Dependency
    • Multisig Bug
    • Transaction-Ordering Dependency
    • Function Call Vulnerabilities
    • Business Security
    • Event Security
    • Reentrancy
    • PRNG Vulnerabilities
    • DoS Vulnerabilities
    • Fake Deposit
    • Token Vesting Implementation
    • Exceptional Reachable State
    • and others (100+ vulnerabilities)
  • Common vulnerabilities of coding in Solidity and other languages:
    • Extra gas consumption
    • Implicit visibility level
    • Costly loop
    • External to public visibility level
    • Deprecated items
    • Fallback usage
    • Overriding variables
    • Redundant code
    • and others

What projects require a Smart Contract Audit?

Smart contract audits are essential for any project that utilises smart contracts to automate the execution and enforcement of contractual agreements on blockchain networks. These projects encompass decentralised exchanges, NFT marketplaces, automated market makers, yield farming protocols, and various other project types.

When is a smart contract audit necessary?

A smart contract audit becomes necessary when there is a need to evaluate the security and functionality of a smart contract. There are several conditions or prerequisites that make a smart contract audit imperative, including:

  1. Prior to Deployment. A smart contract audit is often conducted before deploying the contract on the blockchain network. This ensures that the contract is secure and free from vulnerabilities that could be exploited by attackers.
  2. Post Deployment. A smart contract audit can also be conducted after the contract has been deployed on the blockchain network. This assesses the security and functionality of the contract in a live environment and identifies any issues that may have arisen since deployment.
  3. Change in Requirements. A smart contract audit may be necessary when there are changes in the requirements or specifications of the contract. This ensures that the changes do not introduce security vulnerabilities or disrupt the functionality of the contract.
  4. Security Concerns. A smart contract audit may be necessary when there are concerns about the security of the contract. This could be in response to a security breach, the discovery of a vulnerability, or suspected malicious activity.
  5. Compliance Requirements. A smart contract audit may be necessary to comply with regulatory or industry standards. For instance, financial institutions may need to conduct a smart contract audit to adhere to security and privacy regulations.

Benefits of H-X Smart Contract Audit

H-X Smart Contract Audit offers several benefits, including:

  • Security Assurance: The audit helps identify potential security risks and vulnerabilities in smart contracts, ensuring the integrity and security of the platform and its users.
  • Compliance: The audit ensures that the smart contract code complies with relevant regulations and standards.
  • Reputation Protection: A successful audit enhances the reputation of the project and its developers, fostering user trust and confidence in the platform.
  • Cost Savings: Early identification and mitigation of potential security risks help avoid costly security breaches and legal issues in the future.

Requirements for auditors of smart contracts

  1. The goal of the smart-contract audit is a meticulous code analysis to find security flaws and vulnerabilities.
  2. The security audit is performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and to model their exploitation.
  3. The tests are conducted by a team of specialists with more than 17 years of experience in different IT security domains; CISSP, OSCP, CISA, and CEH certification holders.
  4. The code analysis review follows the best practices: Solidity Style Guide, Ethereum Smart Contract Security Best Practices, Smart Contract Security Verification Standard (SCSVS).
  5. Classification of vulnerabilities corresponds to DASP Top 10, SWC Registry and CWE/SANS Top 25.

Audit stages

  1. Documentation check.
  2. Detailed analysis of the smart contract code, functionality and logic of its operation, cryptography, third-party modules, and library structure.
  3. Analysis of specific cases: Web security, Social security, Token/smart-contract OSINT, Signs of Risk, Signs of Confidence.
  4. Manual search for weaknesses in functions, development of attack vectors, writing tests for their implementation.
  5. Automatic scanning of source files for inconsistencies with smart contract security best practices.
  6. Checking scan results, separating false positives from real vulnerabilities that can affect the security of the application.
  7. Development of recommendations to eliminate the found deficiencies and risk assessment.
  8. Checking the implementation of recommendations.
  9. A public certificate issued for the successfully completed audit.

We audit smart contracts on these platforms

Extended list of platforms that we support
  • aelf, Aeron, Aeternity, AION, Algorand, Ambrosus, Aptos, Arbitrum, Arcona, Ardor, Ark, Asure, Auctus, Augur, Aurum, Avalanche, BILLCRYPT, Bithemoth, Block Collider, BNB Smart Chain (BEP20), BnkToTheFuture, Cardano, Casper, Celo, Centrality, ConsenSys Quorum, Cortex, Cosmos, COTI, Cronos, CyberMiles, Disciplina, Enigma, Enjin Coin, Enkronos, EOS, Ethereum (ERC-20, ERC-4626), Fantom, Fluence, Funfair, Gimli, Gnosis, GoByte, GXChain, Harmony, HECO, Hifi Finance, HoloChain, ICON, IExec, Ignis, IOStoken, JUST, Kadena, Klaytn, Komodo, Liquid.com, Lisk, Loom Network, Loopring, Maker, Metaverse ETP, Moonbeam, Morpheus Network, NAV Coin, Near, Nebulas, NEM, Neo, NIX, Nuls, NXT, Ontology, Optimism, OpuLabs, Phoenix Global, Polkadot, Polygon, Qtum, QuarkChain, Quorum, RChain, Request Network, Solana, Stellar, Sui, Swarm city, Syscoin, Tezos, Theta, TON, Tron (TRC-20), Vechain, Verge, Wanchain, Waves, XDC, Zilliqa, etc.

Our tools

Slither, Securify, Mythril, Sūrya, Solgraph, Truffle, Hardhat, Ganache, Mist, solhint, MythX, Manticore, etc.


What does the Smart Contract Audit Report include?

Project deliverables include the Smart Contract Audit Report, which contains:

  1. Executive summary
  2. Project approach
    • Rules of Engagement
    • Description of security audit methodology
    • Scope description
  3. Findings and recommendations
  4. Workflow of security audit
  5. Further information on findings and detailed recommendations
  6. Conclusion
  7. Risk Mitigation Recommendations.

After you fix the shortcomings of your smart contract, we do the retest for free and issue a security certificate that guarantees the reliability of your smart contract and significantly increases the total value of your project.

Service summary

⏳ Duration of project

On average, 2 or 3 weeks. An audit of a large or complex contract can take months.

🎁 Can it be free or have a testing period?

Use our automated service scau.pro for a superficial security audit of smart contracts.

💼 What type of business needs it?

Finance, supply chain, healthcare, gaming, real estate, government, and any business that uses smart contracts as a critical component of their operations.

💡 When is this service needed?

Before or after deployment, when there is a change in requirements, security concerns, or compliance requirements.

📈 Your profit

Reduced financial risks, improved reliability, confidence, compliance, reputation, financial value, and competitive advantage.

⚙️ Our methods and tools

Manual code review, automated tools, penetration testing, smart contract test suites, and blockchain analytics.

📑 Deliverables

Executive summary, a detailed report, recommendations for improvements, retest, and certificate.


Check out our additional services and business cases. Send the form below to request a smart contract audit. Get a free consultation.

FAQ

A smart contract audit is a process of reviewing and analyzing the code of a smart contract to identify potential vulnerabilities, security flaws, and other issues that could compromise its functionality or the security of the assets involved. Smart contracts are self-executing contracts with the terms of the agreement between buyer and seller being directly written into lines of code, so any mistake or bug in the code can lead to significant financial loss or other negative consequences.

During a smart contract audit, security experts review the smart contract's codebase line by line, looking for potential weaknesses or bugs that could be exploited by attackers. They analyze the contract's logic, functionality, and input/output data to ensure that it operates as intended, and to identify any potential security risks that could arise from its execution. Once the audit is complete, the findings are documented and reported back to the contract's developers, who can then make necessary changes to improve the contract's security and functionality.

The cost of a smart contract audit can vary widely depending on several factors, including the complexity of the contract's code, the depth and scope of the audit, and the experience and reputation of the audit firm or individual.

Some auditors charge a flat fee for their services, while others charge hourly rates. Generally, a basic audit of a simple smart contract may cost a few thousand dollars, while more complex contracts with advanced features or functionality may cost tens of thousands or even hundreds of thousands of dollars to audit.

It's important to note that while the cost of a smart contract audit may seem high, it is a critical investment in ensuring the security and integrity of the contract and the assets involved. Failing to conduct a thorough audit can leave the contract and its users vulnerable to costly and damaging security breaches or other issues.

Auditing a smart contract requires a methodical and thorough approach to ensure that all potential vulnerabilities and security risks are identified and addressed. Here are some general steps that can be taken when auditing a smart contract:

  • Define the scope and objectives of the audit. Establish the scope of the audit, including the parts of the smart contract to be reviewed and the specific objectives of the audit.
  • Review the smart contract's code. Conduct a line-by-line review of the code to identify any potential security vulnerabilities, errors, or inefficiencies. This includes analyzing the contract's functions, inputs, and outputs to ensure that they behave as expected.
  • Verify the contract's logic and functionality. Verify that the smart contract's logic and functionality align with its intended purpose and that all conditions and outcomes are accounted for.
  • Test the contract's performance. Conduct performance testing to ensure that the contract performs as expected under different scenarios, including high traffic volumes and varying network conditions.
  • Conduct a security analysis. Conduct a thorough security analysis of the smart contract, including vulnerability assessments and penetration testing, to identify potential security risks and determine the level of risk exposure.
  • Document and report findings. Document all findings and report them to the contract's developers, along with recommendations for improvements and remediation steps.
  • Follow up. Follow up with the contract's developers to ensure that any identified issues are resolved and that the contract's security and functionality are improved.

The duration of a smart contract audit can vary depending on several factors, such as the complexity of the contract, the scope and depth of the audit, the experience of the auditor, and the availability of resources.

A simple smart contract audit can take anywhere from a few days to a couple of weeks, while a more complex smart contract audit can take several weeks or even months to complete. In some cases, additional testing and remediation may be required, which can extend the audit timeline.

The auditing process involves several stages, including an initial analysis of the contract's code, a review of the contract's functionality, and security assessments, among others. Each stage requires careful consideration, analysis, and documentation, which can contribute to the overall duration of the audit.

To ensure that the audit is conducted thoroughly and effectively, it's important to engage experienced and reputable auditors who can provide accurate timelines based on the specific requirements of the smart contract audit.

Smart contract audits are essential for several reasons, including:

  • Ensuring the contract's functionality. Smart contract audits help ensure that the contract's code is free of errors and that its logic and functionality align with its intended purpose. This helps to avoid potential issues such as incorrect contract execution or unexpected behavior.
  • Identifying security vulnerabilities. Smart contract audits can identify potential security vulnerabilities and other risks that could lead to financial loss or other negative consequences. By conducting a thorough security analysis, auditors can help ensure that the contract is secure and that users' assets are protected.
  • Building trust. Auditing a smart contract demonstrates a commitment to transparency and accountability, which can help build trust with users and other stakeholders. This is especially important in decentralized systems where trust is paramount.
  • Compliance with regulations. Depending on the jurisdiction, certain regulations may require smart contract audits to ensure compliance with specific legal requirements or standards.
  • Improving code quality. Smart contract audits can also help identify opportunities to improve code quality and optimize contract performance. This can help improve the contract's functionality, efficiency, and overall performance.
