Following our series of articles on smart contracts, we now turn our attention to smart contract audits. Previously, we tapped into what exactly smart contracts were. In fact, we defined them as “sets of digital code created to facilitate the transfer of assets.” We took a dive into their characteristics, caveats and limitations, and their physiology [1][2].

Now that we have introduced the subject of smart contracts, we want to continue by discussing the importance of audits.

What is an audit?

Before discussing smart contract audits, it is worth taking a step back and briefly defining what audits are in general. In traditional markets, audits are commonly known in a financial context; more specifically, they refer to the process of evaluating financial statements (those presented by companies to regulatory bodies). These aim to ensure a certain degree of adherence to the accounting rules of corresponding regions and countries [3]. 

Defining smart contract audits

A smart contract audit is similar to a financial audit in the sense that it is a methodical examination and analysis of a smart contract’s code used to interact with a cryptocurrency or blockchain. Basically, smart contract audits are used to prove that the code will work as intended. This process is conducted to discover errors, issues and security vulnerabilities in the code. The importance of smart contract audits is several-fold, and we will be further discussing these below. 

Generally, smart contract audits are necessary because most of the contracts deal with financial assets (cryptocurrencies), and can result in sizable losses if exploited by bad actors. Audits include rigorous analysis, and include automated formal verification, static analysis, and manual review.

Benefits 

Smart contract audits have a number of advantages. Overall, they provide pre-emptive measures to ensure robust security for unchangeable code.

• Avoid Errors. Auditing code before appending it to the blockchain can prevent potentially catastrophic vulnerabilities after launch. The double-edged sword of blockchain immutability will prohibit changing smart contract errors after broadcasting the smart contract to the network.

• Expert Review. Having dedicated professionals audit the code and help sort cognitive and behavioral biases that are born from auto-verification of code can make an enormous difference on the success of a blockchain project (and set of smart contracts).

• Easy Integration. Current tools are designed to integrate into heterogeneous development environments, in order to perform continuous security analysis.

• Automated verifications. Automatic checks can be set up in order to monitor security vulnerabilities as one writes and changes the code.

• Detailed Analytics Reports. Vulnerability reports with details and mitigation guidance will prepare a project to encounter virtually any attack vector.

Categories

Smart contract audits are a series of processes that check smart contracts. They focus on a variety of categories, including:

Centralization/Privilege	Mathematical Operations	Logical issues
Control flow	Volatile code	Data flow
Language specific	Coding style	Inconsistency
Magic numbers	Compiler error	Gas optimization

Why is it important to audit smart contracts?

By now you might have already thought of a series of use cases for smart contract audits. Being reactive and proactive don’t have to be mutually exclusive. Working on a “solve-as-you-go” basis to stop problems must be complemented by proactive problem seeking and solution design. Don’t just stop hacks, prevent them from happening and make sure that all funds are secured.

Hundreds of cases have struck the smart contract landscape in blockchain, resulting in damages all along the scale. With an estimated US$ 1B of assets stolen in 2018, this level of rigor is the only way to objectively show immunity against some of the most critical and frequent vulnerabilities. Just as the common phrase goes: “A chain is as strong as its weakest link,” the functionality of smart contracts is only as strong as its weakest link. In a fully decentralized world, this has even deeper implications, meaning no authorities to gain the community’s trust, and virtually no do-overs because of blockchain’s immutability.

The smart contract audit process

Similar to audits in the traditional finance space, there are a couple of main types of audits for smart contracts: external audits and internal audits. External audits involve impartial third-party revision of the smart contract, and is the most embraced approach when discussing trust in code. 

At Scalable, we break down the audit process into four stages:

1. Assessment. During assessment we review the architecture and source code, determine the estimated duration of the audit, and provide a custom quote. The duration depends on a number of factors, including the size of the codebase and its complexity.
2. Security Review. During this stage, we review the full codebase and documentation. Our expertise in compilers, consensus algorithms, blockchain node configurations and more allows us to efficiently audit entire dApps, wallets and protocols.
3. Reporting. After carrying out a thorough review, a security audit report is prepared, describing in detail the vulnerabilities found as well as recommendations to guard against potential attack vectors. These are categorized in accordance to security level and severity.
4. Collaborative Improvement Workshops. Complementary to the security audit report, we provide further assistance by organizing workshops that help implement the detailed recommendations within tight time frames, all in a collaborative manner.

Your SCALABLE Security Solution

Scalable Solutions provides smart contract security solutions to whomever needs it; no matter the size, underlying blockchain of choice, or project complexity.

Our tech, custodial and otherwise, has been, and is being used to custody, trade and move billions of dollars worth of cryptocurrencies. It has been subject to every known attack vector and has remained resilient. Scalable audits is the vehicle to broadcast our expertise to the chosen industry peers. Request a quote for your project today. 

 

 

 

Sources

[1] “Smart Contracts and Their Characteristics .” Resources, Scalable Solutions, 7 Apr. 2021, scalablesolutions.io/news/smart-contracts-and-their-characteristics/. 

[2] “How Are Smart Contracts Executed? .” Resources, Scalable Solutions, 13 May 2021, scalablesolutions.io/news/how-are-smart-contracts-executed/. 

[3] Tuovila, Alicia. What Is an Audit? Investopedia, 19 May 2021,  www.investopedia.com/terms/a/audit.asp

References

Mardlin, John. “How to Prepare for a Smart Contract Audit.” ConsenSys, 17 Sept. 2019, consensys.net/diligence/blog/2019/09/how-to-prepare-for-a-smart-contract-audit/. 

Introduction

With the growing adoption of digital assets, it is clear that those who control the marketplaces that enable their trade can reap substantial benefits and position themselves as the main beneficiaries of the technology. Establishing a digital asset exchange, however, is not an effortless task. 

In general, there are two ways one may set up a digital asset exchange. The first involves establishing experienced development, management, and operations teams, and then taking minimum a year to *hopefully* build a robust technological solution that is secure and scales efficiently. The second option entails collaborating with a white-label provider that can deliver not only the needed technology, but every other major service that is required for the endeavour to be successful [1]. 

White label exchanges

We previously introduced the concept of white-label and its use in the digital asset exchange industry. We are firm advocates of the use of robust, reliable white-label technology that can get an exchange up and running quickly and at a fraction of the cost of building one in house [2]. 

Creating an exchange from scratch is a complex (and almost always unforgiving) process with high requirements for security, performance, and flexibility. Having the option of outsourcing the project to specialized teams can help mitigate risk and ultimately define the future and success of it.

Benefits of white-label exchange technology

Some of the main benefits that can be found when utilizing white-label exchange technology include:

• Cost and time efficiency
• Tested technology
• Cloud-based systems that don’t require teams for upgrading
• Personalized requirements
• No need for technical expertise
• Multiple device access. 

Furthermore, it can prevent huge complications in the development phases and is a sure way to know your exchange is secure. But despite the mentioned benefits, we’d like to describe why we believe that choosing a white-label provider at random (or worse, considering only its cost) can often be as harmful and error-prone as making your own exchange.

Partnering with a third-party provider resembles trusting the architect to set the correct foundations for a house. Even if you are the best at decorating (front end user interface in our analogy) and are the best at marketing, you rely on the performance of your underlying base technology. A technology provider that has either inadequate security, low transaction speed, no liquidity, no KYC/AML modules, no robust support, or a combination of these, will inevitably cause structural problems – problems that the digital asset community doesn’t usually forgive.

White label exchange problem cases

The ultimate question is “how to choose the right technology partner?”

Sometimes the cheaper option ends up being the most expensive.

While white-label exchange fees  for setting up the exchange can range from values as low as US$5,000 to US$1,000,000 in the other extreme, a midpoint can be observed at approximately US$150,000. Although at first it might give the impression of being expensive, the truth is that a do-it-yourself scheme easily surpasses that number. In fact, bitHolla estimated that the building costs alone for this type of structure can range between US$500,000 to US$ 900,000, a number that does not factor in other business aspects such as legal, marketing, finance, compliance or HR. Atop this number, the time it takes to get the exchange up and running must be taken into account. Over a year is a realistic time frame for a do-it-yourself functioning exchange; a period that is in itself an opportunity cost, especially in a fast-moving industry like the digital assets one [3].     

But because an ample offer of white-label exchanges exists, one might be tempted to select the cheaper ones. Why would anyone invest US$150,000 with an existing US$10,000 alternative? Unsurprisingly, there are many reasons why. Low-range white-label exchanges can present a number of problems mainly categorized in security, liquidity, scalability, and compliance. Centralized exchanges are hacked almost everyday, they suffer outages due to poor scalability, are slow for tick-to-trade and processing transactions, and may very well not be compliant with regulatory requirements. Choosing to collaborate with a technology provider solely because of its price will inevitably cost you dearly.

SCALABLE Offering

At Scalable we take pride in providing an industry flagship range of products and services. Customizable, compliant and secure exchanges, with unrivalled matching engine and liquidity, sets us (and our clients) apart. The knowledge and quality of our team serves as a perfect example of quality-over-quantity; equipped to be flexible and help every client of ours thrive. We can provide a range of options for your exchange depending on your size and budget, without compromising on the quality of the services given. This ensures that as your exchange and its customer base grows, the technology can scale accordingly throughout. 

Make sure to subscribe as we develop each key topic mentioned here in articles to help you understand the intricacies of digital asset exchanges and the blockchain industry as a whole. 

Interested in building or upgrading your exchange? Schedule a demo here today. 

 

 

 

 

Resources

[1] “How to Set Up a Digital Asset Exchange.” Resources, Scalable Solutions, 6 Mar. 2020, scalablesolutions.io/news/how-to-set-up-a-digital-asset-exchange/. 

[2] “What Is a White Label Exchange? .” Resources, Scalable Solutions, 7 Jan. 2021, scalablesolutions.io/news/what-is-a-white-label-exchange/. 

[3] “The Definitive Guide To White-Label Crypto Exchange Solutions.” Medium, BitHolla, 7 Sept. 2020, medium.com/bitholla/the-definitive-guide-to-white-label-crypto-exchange-solutions-e0e55b319c76.

Sources

Tentser, Ishay. How to Choose the Right White Label Platform for Your CryptoExchange. Medium, 7 June 2018, medium.com/@ishay_13213/how-to-choose-the-right-white-label-platform-for-your-cryptoexchange-6f6ac7d9a41.  

“The Pros And Cons Of Using White-Label Crypto Exchange Software.” On Your Desks, 14 Dec. 2020, onyourdesks.com/pros-and-cons-white-label-crypto-exchange-software/. 

After having introduced the topic of smart contracts, their characteristics, and how they are executed, it is time to discuss the main challenges for smart contract adoption.

Even though smart contracts present an innovative solution to several inefficient and expensive processes, they are not without challenges. According to PriceWaterhouseCoopers [1], at least 10 challenges can be found when discussing smart contract adoption, which we will further expand upon.

There are two categories we will use to classify the main challenges smart contracts face for mainstream adoption: technical and social. Below we have aggregated the possible adoption challenges and discussed their merits. 

Social challenges to smart contract adoption 

• Adoption curve: Users, institutions, and other participants must overcome many different obstacles to transform the current transactional environment that has a regular, high-volume stream of records entering the system. Smart contract programming requires specific skill sets that call for interaction between business resources and distinct developers, security testers, and technical analysts, among others.

• Learning curve. Smart contract adoption requires the transformation of many existing roles. Lawyers must learn how to write computable code, and judges must learn how to interpret it, or rely on expert witnesses to testify to valid interpretations. Take our current traditional financial environment for example; while it may seem inefficient and plagued by intermediaries, achieving that process took societies a long time to get accustomed to. A similar fixed cost will be required before enjoying the full benefits of smart contracts.

• Reality of legal & regulatory environments. Regulations are among the least automated elements of the business ecosystem. Because of their nature, they are inflexible, too. Smart contracts may be the trigger to tackle this reality, but will require regulatory acceptance for this to happen, especially given varying rules across jurisdictions. 

• Complexity of institutional ecosystems. The installed base of technologies, processes, and procedures reflects many assumptions businesses need to revisit when considering how to build smart contract capabilities into specific business processes. This aspect is similar to the ‘learning curve’ point made above. 

• Competition. Smart contracts are just now becoming viable. Many other ways to codify agreements already exist and are used regularly. Similarly, peer-to-peer lending through software-as-a-service marketplace vendors, for example, is more mature and growing rapidly. 

• Governance-related issues. Questions around how governments should regulate such contracts, or how governments tax these SC transactions must be addressed, and new equilibriums will emerge as heterogeneous regulation and tax brackets are dispersed throughout the world.

• Operational issues and execution speed. Most blockchain consensus mechanisms allow linear (chronologically ordered) transaction processing. Because parallel processing isn’t supported, the process renders the blockchain slow [2], with the risks of having nodes being unable to finish computations on time. Transactions are then invalidated and the system is left “worthless”. This challenge is being addressed by a number of newly formed blockchains that can match traditional institutions’ transaction processing, like Solana, Ethereum 2.0, and others.

• People’s expectations. Differences between “hype” and actually providing education about the technology to the masses denotes an extra step before reaching full adoption; current smart contract landscape opens infinite possibilities, but making them a reality is going to prove a much harder task.

Technical challenges to smart contract adoption 

• Data privacy. There is a difference between anonymity and privacy. Data stored in blockchains are mostly public, though not directly associated with a person or organization. This can be done through sophisticated ways, but is considered to be an extra threat to regulators. 

• There is no way to guarantee the security of smart contract code. There are, however, companies that offer audit services (such as Scalable Solutions), which provide an extra layer of security and penetration testing that can help safeguard against cyber attacks. 

 

• The programming languages and the virtual machines still have a number of limitations, one of them being the non-composability between blockchains and block building.

Conclusion

For the wide adoption of smart contracts to take place, a number of both social and technical challenges must be addressed and overcome. Given more time and increasing integration of blockchain technology and regulatory clarity, the path to higher levels of smart contract adoption will become precise. 

At Scalable Solutions, we want to do our part in helping every institution that appreciates the potential of smart contracts to effectively navigate the smart contract environment and benefit from them. Whether you need a smart contract developed or audited, get in touch with us to discover how we can help. 

 

 

 

 

References

[1] “10 Challenges to the Adoption of Smart Contracts.” Blog PwC, PriceWaterhouseCoopers, 8 June 2018, blog.pwc.lu/smart-contracts-adoption-challenges/.

[2] This is usually the case for older, more established blockchains. New blockchains have been built with certain consensus mechanisms (like Proof-of-Stake) and allow for higher transaction throughput at any point in time. 

Sources

Zou, W., Lo, D., Kochhar, P. S., Le, X. B. D., Xia, X., Feng, Y., … & Xu, B. (2019). Smart contract development: Challenges and opportunities. IEEE Transactions on Software Engineering.

In one of our most recent entries, we have discussed what smart contracts are on a conceptual basis, their characteristics, and we dove a little deeper into what we should take into consideration in order to avoid possible smart contract vulnerabilities [1]. 

We now turn our attention to the technical aspects of smart contracts. Don’t worry, we will not be looking into daunting code directly. We will, however, take a deeper look into the anatomy of smart contracts and how smart contracts are executed within the blockchains they exist in.

The state

Before analyzing the anatomy of smart contracts, it is crucial to understand (at least theoretically), how the basis upon which smart contracts are created works. Smart contracts are programs executed by blockchain nodes independently, in order to record the last program state.

“A cryptocurrency behaves like a ‘normal’ currency because of the rules which govern what one can and cannot do to modify the ledger (or registry of transactions). A Bitcoin address, for example, cannot spend more Bitcoin than it has previously received.” But blockchains that allow further functionality than send/receive transactions (supporting smart contracts) need a system that can allow for more complex features [2].

Introducing state machines

The Ethereum state machine (EVM) [3] basically records a series of transactions and accounts [4] at definitive points in time. With the right inputs, a certain output is guaranteed.  Given a set of assumptions, any state at time ‘t+1’ equals the state in time ‘t’ plus the newly recorded transactions on the blockchain. That way, each independent node can separately execute the same transactions and arrive at the same new state. There is still broadcasting of transactions in newly mined blocks to the rest of the chain, but this provides an extra layer of security and decentralization, especially for cases in which transactions are cancelled.

What’s in smart contracts and how are they executed?

The vending machine

Following Nick Szabo (coiner of the concept of smart contracts back in 1996 [5]), we can think of smart contracts as a vending machine, one of the simplest transactions to be made. If the value of the money inserted is equal to the value of the selected item, the machine releases the product. Otherwise, it can display messages requesting extra funds, or return the surplus. This case would eliminate but one intermediary (the vendor), however when thinking big-picture, the functionalities of smart contracts are immense.

Getting techy

Smart contracts (SCs) are transactions sent to no one, but with bytecode as data (the code of the soon to be smart contract) that is automatically understood by the blockchains’ virtual machines as accepted code. SCs have their data assigned to a location (storage or memory), variables used to store specific data (like names, balances, etc.), and functions that utilize said variables and instructions as inputs, and turn it into outputs. 

Source: Kaleido

Are you still unsure what’s in a SC? Let us try to simplify it.

1. Once multiple parties identify a cooperative opportunity (business processes, asset swaps, transferral of rights and more) and the desired outcomes, smart contracts are initiated either by the parties involved or by the triggering of certain conditions (alike financial market indices). 
2. A computer program is written in a way that the process will automatically start when the conditional parameters are met. 
3. After a smart contract runs, all computers in the (blockchain’s) network update their ledgers to reflect the new state. And as we already know, once the record is verified and posted to the blockchain, it cannot be altered, but only appended.

Execution of smart contracts

So, when and where does the code of smart contracts run? That’s the tricky question. As we initially stated, smart contracts repeatedly run on several different blockchain nodes. The repeated validation is possible because smart contract transactions are deterministic. They may depend on factors such as the block number itself, current storage values for a contract, or the result of another smart contract’s computation, but that information is constant and can be recomputed perfectly by stepping through transactions from the start of the chain. However, the “official” execution point is the point at which the transaction occurs in the blockchain. 

Stay in touch as we continue to develop upon smart contracts and their uses, benefits and shortcomings. If you are planning on deploying a smart contract or already have, check out our Smart Contract Audit offerings.

 

 

 

 

 

References

[1] “Smart Contracts and Their Characteristics .” Scalable Solutions, Resources, 7 Apr. 2021, scalablesolutions.io/news/smart-contracts-and-their-characteristics/. 

[2] “Ethereum Virtual Machine (EVM).” Ethereum.org, ethereum.org/en/developers/docs/evm/#from-ledger-to-state-machine. 

[3] We use the Ethereum Virtual Machine as the example for every smart contract platform base machine. Plenty of resources to understand blockchain technology can also be found in the Ethereum developers documentation, and later extrapolated to many other smart contract platforms.

[4] There are two main types of “accounts” on Ethereum, Externally-owned accounts (or EOA, better known as user controlled accounts, and those deployed as smart contracts. In blockchain, we address “transactions” as cryptographically signed instructions from accounts. Transactions can be initiated only by EOA, but once initiated, it allows smart contracts to emit instructions to one another. 

[5] Szabo, Nick. Smart Contracts: Building Blocks for Digital Markets. 1996, www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart_contracts_2.html. 

Sources

Zhang, Jim. “What Are Smart Contracts and How Do They Work?” Blog, Resources, 1 Oct. 2019, www.kaleido.io/blockchain-blog/what-are-smart-contracts-and-how-do-they-work. 

Smart contracts (SC) are sets of digital code created to facilitate the transfer of assets (including non-digital assets). They originate as a way to reduce, or completely eliminate, the need for intermediaries in trustless third-party transactions.

In its simplest form, smart contracts are no different from regular contracts; namely, an agreement between two or more parties. Smart contracts utilize bits of computer code that rely on logic to be executed, and the transactions only happen when the conditions on the agreement are met. The most rudimentary way of understanding them is through if-else statement logic, most commonly known as conditional programming. Let us showcase this through an example.

Take Kim, a tenant who wants to enter into a rental agreement with a landlord, Park. One option would be for Kim and Park to enter into a traditional agreement. Usually, traditional rental agreements have many intermediaries that aim to ensure validity and enforceability of the contract; banks, brokers, lawyers and others may be included in the process. This agreement, however, doesn’t guarantee that either party will fulfil their obligations. Kim could send an advance payment for the reservation of the flat and Park could then deny Kim access to it, or Kim could stay in the property while refusing to pay. A smart contract would be a trustless alternative, which executes a command (like sending Kim the monthly flat code) only if a certain predetermined condition is met (Kim sending the predetermined rate to the SC, locking the funds in the SC as an insurance protocol). 

Source: GOB Platform [1]

Of course, this example is an oversimplification. Countless other inputs including insurance, contingencies, and others can be added to make the agreement more complex and take into account multiple scenarios. 

Characteristics of smart contracts

Most smart contract characteristics are derived from the underlying blockchain technology:

• Secure: Cryptography is used to secure contracts and stop people from altering records. While the technology is highly secure in most instances, there have been several cases where SC have been hacked and the funds deposited withdrawn [2].  
• Transparent: When running on public networks, anyone can see what the smart contract is and what it’s being used for.
• Free of third-parties: As we presented initially, smart contracts don’t need a middleman to be involved in the verification process. 
• Near real-time execution: Although dependent on the underlying networks’ throughput and congestion, smart contracts usually take place almost simultaneously for all parties, across participating computers, once the necessary criteria are satisfied.
• Autonomous and decentralized: SC’s work automatically, so you’re not having to wait for someone to push a button. Additionally, once deployed, they can’t be changed or controlled by any centralized party (like banks, brokers, or even by the network).
• Accurate: Because smart contracts are written in code, they don’t rely on the grey areas of a language and what words mean. This can pose an inconvenience, especially when grey areas that require flexible solutions exist.

Caveats and limitations of smart contracts 

Just as everything is not as it always seems, smart contracts are not always so smart. Their deterministic nature that can be regarded as a benefit, can also be a restriction to its inner workings. SC’s have several limitations that can slow down their adoption, and must be taken into account when developing them.

Built-in rules. Smart contracts are only as good as the rules, conditions, logic and scenarios built into them. This means that programming quality is crucial. A smart contract that includes only a handful of rules won’t be able to execute more comprehensive scenarios. The less it’s left to chance, the better the contract. Going back to our example, what if Park wanted to include a clause that allows him to check the flat before releasing the deposit back to Kim? 

Since a smart contract is a computer program, each term and condition of the contract needs to be coded. There is a possibility of misinterpretation and omission by the coder, which may lead to loopholes in the contract.

The next two most important characteristics of SC’s include the data input and security.

Data is fed into blockchains and used for smart contract execution from external sources, specifically data feeds and APIs. These real-time data feeds for blockchains are called “oracles” – they’re essentially the middleware between the data and the contract. Oracles can be software- or hardware-based. Imagine an insurance smart contract that releases payment if certain areas are hit by winds greater than 100 mph. The SC would fetch external data (in this case from an anemometer) and pay depending on the input (mph). Because at times there are few (or even one) data sources, this burdens the decentralization aspect, causing a central point of failure in the SC.

Bugs and errors in the code – Even though it’s recommended for a smart contract to be a hybrid between computer code and actual physical contract (worded), bugs and errors in code could lead to disputes and procedural difficulties related to identifying errors and the parties responsible for those. In June 2016, for example, a hacker exploited a vulnerability in the code of the Decentralized Autonomous Organization (DAO), which is a piece of smart contract built on Ethereum, and made away with 50 million Ether [3].

Trustless? – Because physical assets are regulated by the laws in the jurisdiction they are in, this creates an intrinsic problem in the linkage between property of a digital asset that represents a physical (real) asset, and the real asset. This implies a dependency on a third-party, somewhat stripping SC’s from their characteristic of “total” decentralization and trustlessness [4]. 

 

 

 

 

Resources

[1] “House Rental DApp of GOB Platform.” Medium, GOB Platform, 28 Feb. 2019, medium.com/gobplatform/house-rental-dapp-of-gob-platform-4c104a1c530b. 

[2] “3 Famous Smart Contract Hacks You Should Know.” Medium, Firmo Network, 29 Apr. 2018, medium.com/firmonetwork/3-famous-smart-contract-hacks-you-should-know-dffa6b934750. 

[3] Siegel, David. “The DAO Attack: Understanding What Happened.” CoinDesk, 17 Dec. 2020, www.coindesk.com/understanding-dao-hack-journalists. 

[4] Song, Jimmy. The Truth about Smart Contracts. Medium, 15 June 2018, jimmysong.medium.com/the-truth-about-smart-contracts-ae825271811f. 

Sources

Zhang, Jim. What Are Smart Contracts and How Do They Work? Kaleido, 1 Oct. 2019, www.kaleido.io/blockchain-blog/what-are-smart-contracts-and-how-do-they-work.