When security becomes a priority
“Build unstoppable application” is the first sentence readable on the Ethereum project’s official website. A smart contract is a computer program on the Blockchain that runs exactly as programmed, and its algorithm cannot be modified over time, unlike a standard application.
This is the very principle of this technology. It guarantees that the published code can be trusted forever: “code is law”, as some Ethereum purists say. It is this system of thought that makes it possible to decentralize trust.
We do not program a smart contract as we program a standard application. No security update and no patch will be applied to correct a possible problem, contrary to a traditional application. Many programming strategies today no longer take this type of critical factor into account. Indeed, all the software on our machines is updated regularly! Moreover, today’s programs are too complex to guarantee the absence of errors or critical flaws.
However, once a flaw is detected by someone (a researcher, a hacker, an amateur), it can be exploited quickly. Transactions, once published, cannot be changed. Any such exploitation will result in a total loss of confidence in the smart contract and in the company or developer who created it.
What are the Audits for?
It is in this context that an audit becomes a critical part of the solution. The purpose of an audit is to review the source code of a smart contract to find any potential vulnerabilities, to examine and study the design patterns and confirm that they follow industry best practices, and to suggest fixes for any vulnerabilities found. We then perform a thorough analysis of the code so that we can concretely describe the behavior of the smart contract in the face of all eventualities.
This involves both analyzing the expected behavior against the specifications and looking for potential security vulnerabilities in the code.
Unlike standard development, where many different algorithms can achieve the same result, coding in Solidity requires following specific development rules in order to adopt “secure” algorithms. These concern, for example, recursive calls or calls to other smart contracts. Moreover, certain notions, such as randomness, do not exist in Solidity (or are very complex to put in place).
A confidential document is delivered to the company that ordered the audit. It lists the problems found, which can be of different severity levels. It also opens the programming strategies up for debate, explaining the different possible solutions and the arguments for and against each.
The company can then apply the fixes suggested in the audit, if any, apply any improvement suggestions, and order a remediation audit. These fixes can be applied by the developers who wrote the smart contract, or by the auditing company on request.
A public document can also be ordered on request, which allows the auditing company to certify its audit to the public.
There is no recognized international certification standard for the quality of auditors. Anyone can offer smart contract auditing.
In this document, the expected functioning of the presented code and any discovered security flaws are explained. This report may allow someone who is not familiar with the programming language and its technicalities, or who does not have the source code, to gain more confidence and trust in the project.
It is advisable to have your smart contract audited by several different audit firms, in order to receive several opinions on the code and thus minimize the number of flaws that remain undiscovered.
The public certification is given for the code of the specific application sent by the client. Changing the code invalidates the public certification. To identify the certified code precisely, the GitHub commit number or a hash of the source code can be presented.
What solutions does Blockchain Consilium offer?
Blockchain Consilium offers smart contract code audits in Solidity. Our developers are able to provide all of the deliverables described above.
What are the prices for an Audit?
The prices of audits are not regulated; each company is free to set its own calculation. The price nevertheless depends heavily on a few factors:
- The reputation of the company
- The complexity of the algorithm
- The number of lines in the smart contract
At Blockchain Consilium, the calculated price is very strongly related to the complexity of the algorithm and the quality of the code. If the code is not “clean” (that is, not indented, not commented, badly named, or very compact), the audit will be much more expensive than for readable and documented code.
The more complex a smart contract, the greater the number of possible faults and the harder it is to read.
Do not hesitate to contact us for a quote on a Blockchain Consilium audit.