How to audit Smart Contract

image Source: Dzone

Mentioned below are some of the smart contract attacks:

1. Reentrancy

This attack occurs when the attacker takes away funds from the target by calling the target’s withdraw function recursively and the same happened in the case of DAO attack.

Solution:

Reentrancy attacks occur because of two specific smart contract vulnerabilities. The first is when a contract’s state is updated after funds are sent. Due to the inability to update the contract state before sending funds, the function can be interrupted in the mid of computation and the contract can be deceived into assuming that funds have not been sent.

2. Cross-Function Race Condition

As mentioned in the Reentrancy attack section, the inability to correctly update the contract state resulted in the stolen funds. This issue, combined with external calls is the potential for a cross-function race condition.

Solution:

Finish all internal work first before you call external functions and avoid making external calls. Ensure to use a mutex when it is impossible to prevent external calls. When external calls seem unavoidable, make external call functions as “untrusted.”

3. Underflow

You should remember that uint8 can only take values between 0 to 255. The Ethereum Virtual Machine was designed to use 256 bits as the number of bits processed by the CPU in one go. If someone goes over this range, the figure needs to be reset to the bottom range, i.e., ²²⁵⁶ + 1 = 0.

Solution:

To avoid the issue of underflow condition, check if the updated integer is within the byte range. You can add a parameter check in your code that might act as a last line of defense. The first line of function withdraw () looks for adequate funds while the second line detects overflow and third checks for underflow condition.

Here are some of the necessary checks that should be undertaken with any smart contract:

Correct visibility of functions:

Solidity’s functions have four types of visibility specifiers: external, public, private or internal with the public being the default. On the other hand, state variables can be internal or private, public with internal being the default. Specifying the state variables and visibility of functions is the best security practice.

Prevent overflow and underflow:

When a number gets increased above its maximum value, it is defined as an overflow. Solidity can manage up to 256-bit numbers, therefore incrementing by 1 would lead to the result as 0.

Data Storage:

Data can be stored in non-persistent and less expensive memory or in a storage that is highly expensive and persistent in Solidity. You should carefully analyze where the data should be stored while writing smart contracts. Local variables and state variables are kept in storage, while function parameters are stored in memory by default.

Check for reenterancy and ensure state committed before the external call:

The reenterancy attack is one of the famous Ethereum vulnerabilities and it was unveiled during a multi-million dollar heist that resulted in a hard fork of Ethereum.

Save gas on smart contracts:

Saving gas is essential for building an efficient smart contract. Since not all developers know how to save the gas efficiently, it is one of the significant issues faced by the developers. It is essential to understand how to minimize the gas or to avoid it.

Compiler warnings

Compiler warnings are serious concerns that developers sometimes ignore and deploy contracts without considering them. It is recommended to take necessary action to be taken to eliminate all these warnings.

Smart Contract Audit Tools

A thorough and comprehensive audit can include test alongside use cases and documentation. While auditing the smart contracts, one should also consider behavior driven development practices but with an emphasis on security instead of functionality.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
LeewayHertz

LeewayHertz

413 Followers

Fullstack software and web3 development company building custom software solutions, dApps, metaverse platforms, etc. https://www.leewayhertz.com