The idea of auditing often conjures up images of external parties interfering in the affairs of smaller businesses to check that regulations are being followed or that taxes are being paid. This type of external intrusiveness is the last thing any fan of decentralization wants to hear is happening with blockchains. However, auditing is not just about checking compliance with government regulations; it is also about checking for security threats, something all financial bodies are at risk of, even decentralized ones.
What Is a Blockchain Audit?
A blockchain audit is a check carried out by professional auditors to identify any vulnerabilities and bugs in a blockchain. Auditors will go through the blockchain’s code with specialized software to perform a systematic and structured code review to detect and categorize possible threats.
To carry out an audit, a large amount of groundwork must first be carried out. Before conducting an audit, the auditing company or individual auditor must have a deep understanding of the blockchain’s architecture and use-cases, as well as the key components of the system being targeted; only then can the auditing process be started. In addition, depending on the project itself and the audit ordered, the auditors may need to look through some or all of a project’s ecosystem, including:
How Long Does a Crypto Audit Take?
Project size and complexity define the time needed to complete an audit, so audits can be expensive and take some time. To answer the questions “how long do audits take?” and “how much do audits cost?”, we can visit the website of the professional cryptocurrency auditor Hacken. According to them, an audit can take anywhere from one or two days to weeks or even months. The cost, meanwhile, can range from 8,000 EUR (around $9,200) to 30,000 EUR (around $34,600).
Why Do Blockchains Need Auditing?
Blockchains record thousands of financial transactions daily and the more established ones, such as Bitcoin, Ethereum, and Solana, are famous for having robust security systems without being centralized. However, hacks have happened and they are always a looming threat. Moreover, if big enough, a hack could threaten the whole industry’s viability, since without faith in blockchain security, investors will go elsewhere.
The Mt. Gox exchange hack in 2014 was one of the first to highlight the need for auditing in crypto. This crypto hack targeted Bitcoin (BTC) through one of the biggest exchanges on the market, handling up to 70% of BTC’s trading volume at the time. Being the early days of crypto, blockchains still had a long way to go, and this hack was made possible by a lack of coding security, whereby coders could accidentally overwrite each other’s code. Additionally, the exchange is said to have presented untested software to its customers on multiple occasions. The hack resulted in the loss of 850,000 BTC, the equivalent of $460 million at the time, as well as the bankruptcy and subsequent folding of the Mt. Gox exchange.
2014 may seem some time ago and individuals may be tempted to say that blockchain technology is now secure enough and does not require auditing. This is not the case, however, as demonstrated by other more recent and successful hacks on BTC:
- The Bitfinex exchange hack in 2016, resulting in the loss of 120,000 BTC.
- The NiceHash hack in 2017, resulting in the loss of 4,736 BTC.
In 2018, hackers struck again in what was, at the time, the biggest crypto hack in history: the CoinCheck hack, in which over $500 million worth of NEM tokens were lost. This hack happened because of a shortage of employees and ineffective security measures, which shows the importance of using audits to flag risks, allowing programmers to tighten security for times when there are fewer personnel.
Auditing and security in crypto and blockchain technology are fields that are continuously changing and working to become better. This is a work in progress, however, as shown by two more recent crypto hacks:
- The 2021 PolyNetwork hack, resulting in a loss of $612 million in multiple cryptocurrencies.
- The 2020 2gether hack, resulting in a loss of 1.1 million EUR (around $1.3 million).
What Types of Audits Exist for Blockchains?
Blockchain and smart contract auditing is evolving, creating new and efficient ways to find bugs and security threats. In addition, where to find auditors is changing — where before, developers and programmers would carry out auditing manually, now, an increasing number of options are appearing. There are a few key reasons for this:
- Growth: The crypto industry is rapidly expanding, with new decentralized finance (DeFi) platforms coming into existence every day. With blockchains expanding at breakneck speed, finding a faster and more efficient way to audit is becoming a priority.
- Trust: Developers and entrepreneurs are looking for ways to launch their project with the utmost confidence, and having a reputable auditor sign off on a blockchain or smart contract helps instill faith in investors.
- Money: Auditing is specialized work and with the demand ever-increasing, businesses are realizing how lucrative it can be.
3 Main Forms of Blockchain Auditing
With these points in mind, blockchain auditing now comes in three main forms, though in a short time, new methods may arise:
- Manual auditing: The original form of auditing on blockchains, this is carried out by programmers and developers. It can be quite lucrative, with some claiming that good auditors can make turnovers of up to $300,000 a year by auditing smart contracts.
- Auditing companies: With auditing in crypto and blockchain technology being so lucrative, it is only natural that specialized companies start to appear. These companies have security teams to do the groundwork, programmers and specialized software, and they also carry out follow-up work. However, these companies are centralized and charge high fees, so it is up to the developers of the blockchains and DeFi platforms whether this is something they want to incorporate into their project. It must be said, however, that as most blockchains are open-source code, hiring centralized parties to conduct audits should not impact blockchain security.
- Auditing software: In an effort to offer more cost-effective yet efficient solutions, players including Microsoft are racing to develop software capable of running audits across platforms, smart contracts, cryptos, and blockchains. This type of auditing software, such as Microsoft’s VeriSol, allows teams “…to iterate more quickly because of the automatic and continuous checking, and it allows us to catch bugs faster without having to worry about potentially affecting customers.”
How to Audit a Blockchain?
To audit a blockchain, an auditor must follow a certain structure. If the auditor or auditing software begins work without setting a target or goal, not only will it be ineffective, but it will also waste resources, including money and time.
The reality is that, despite software being developed to carry out audits, manual auditing is still a huge part of the process and should not be ignored. To carry out a full audit, blockchain developers and security professionals will use static code analysis tools and follow these steps:
- Define the goal: This will usually be to identify threats or security risks in the code, however, it can also be narrowed down to certain areas or functionalities within the blockchain. An appropriate action plan can also be defined here.
- Analyze and study the target system: To carry out an audit on a blockchain, smart contract, platform, or crypto, it is important to first understand its functionality, components, and data. The auditor must study past cases and track down different versions of the code to differentiate between previously audited versions and the current version.
- Identify security risks: This is where the audit proper gets underway. It is particularly important to review a blockchain’s nodes and application programming interfaces (APIs). These elements often communicate between private and public networks and can be where a hole is located through which a hacker could gain entry.
- Threat modeling: This is considered the key part of a blockchain audit. Threat modeling can reveal exposure to data spoofing and tampering, which in turn leads to the detection of distributed denial-of-service (DDoS) attacks and data manipulation.
- Exploitation and improvement: When a security risk is found, an auditor will exploit it, seeing how far they can go and whether anything is able to stop them. This way, they are able to identify not only one security risk but the many others beyond it. Once all threats are found and the auditor can go no further, they will flag and fix them. This is a great way to fix security risks, and also to train software to delve deeper and detect further issues.
How to Become a Blockchain and Smart Contract Auditor
It is estimated that in 2020 alone, over $100 million was lost to hackers through smart contract hacks, and as smart contracts increase in number, that figure is likely to climb higher. For this reason, and for the financial rewards, many developers are beginning to work as auditors. However, this type of work requires knowledge and skills:
- Blockchain development: Since there are so many blockchains, the information involved in blockchain development is vast. Luckily, alongside the foundational knowledge that applies to all blockchains, there is one blockchain that is worth studying more than the rest, especially for smart contract auditors: Ethereum. Most smart contracts are written on the Ethereum blockchain in Solidity, which compiles to bytecode for the Ethereum Virtual Machine (EVM). Meanwhile, other smart contract-supporting blockchains, including Polygon and BSC, are EVM-compatible. This means that the knowledge acquired for Ethereum security audits can be used across multiple blockchains.
- Knowing Solidity’s security vulnerabilities: Knowing which patterns to avoid, as well as the common security vulnerabilities found in smart contracts, will help an auditor quickly identify them when auditing.
- Know how to carry out an audit: As well as knowing the auditing steps covered above, an auditor should be ready to think like a hacker and use the tools and software available to find any holes in the code. Another factor that can help an auditor think in this way is to study smart contracts that have already been audited as well as study successful hacks. An auditor should ask how these hacks were carried out and check that these cannot be carried out on the platform they are auditing.
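The static code analysis step in the audit procedure above, and the “patterns to avoid” in Solidity, can be illustrated with a small heuristic checker. The following is an added example written for this article, not code from the page, from Hacken, or from Microsoft’s VeriSol: it scans constructed Solidity source (the `Vault` contract below is made up for the example) for two well-known patterns, an external call made before the contract updates its own state, and `tx.origin` used for authorization, and reports the function where each appears. The regexes, the `audit` function and the finding names are assumptions of this example; a real tool would work on the parsed AST or EVM bytecode rather than on lines of text.

```python
import re

# Constructed Solidity source (not from the page): the withdraw function sends
# ether before reducing the caller's balance, and setOwner authorizes via tx.origin.
VULNERABLE_VAULT = """
contract Vault {
    mapping(address => uint256) public balances;
    address public owner;

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        require(balances[msg.sender] >= amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;
    }

    function setOwner(address newOwner) public {
        require(tx.origin == owner);
        owner = newOwner;
    }
}
"""

# Same contract with the state update moved before the external call
# (checks-effects-interactions) and msg.sender used for authorization.
HARDENED_VAULT = VULNERABLE_VAULT.replace(
    """        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;""",
    """        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);""",
).replace("tx.origin == owner", "msg.sender == owner")

# Heuristic patterns (assumptions of this example, tuned to simple contracts).
STATE_DECL = re.compile(
    r"(?:mapping\s*\([^)]*\)|uint\d*|int\d*|address|bool|bytes\d*)\s+"
    r"(?:public\s+|private\s+|internal\s+)?(\w+)\s*;"
)
FUNC_HEAD = re.compile(r"function\s+(\w+)\s*\(")
EXTERNAL_CALL = re.compile(r"\.(?:call|delegatecall|send|transfer)\s*[({]")
STATE_WRITE = re.compile(r"^\s*(\w+)(?:\[[^\]]*\])*\s*(?:=|\+=|-=)(?!=)")
TX_ORIGIN = re.compile(r"\btx\.origin\b")


def state_variables(src):
    """Names declared at contract scope (locals use '=' before ';', so they are skipped)."""
    return set(STATE_DECL.findall(src))


def split_functions(src):
    """Return [(name, body_lines)] for each function, found by counting braces."""
    funcs, name, depth, body = [], None, 0, []
    for line in src.splitlines():
        if name is None:
            match = FUNC_HEAD.search(line)
            if not match:
                continue
            name, depth, body = match.group(1), 0, []
        body.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and "{" in "".join(body):
            funcs.append((name, body))
            name = None
    return funcs


def call_before_state_write(body, state_vars):
    """True if an external call precedes a write to a state variable in this function."""
    seen_call = False
    for line in body:
        if EXTERNAL_CALL.search(line):
            seen_call = True
        elif seen_call:
            match = STATE_WRITE.match(line)
            if match and match.group(1) in state_vars:
                return True
    return False


def audit(src):
    """Return (function name, finding id) pairs for every flagged function."""
    state_vars = state_variables(src)
    findings = []
    for name, body in split_functions(src):
        if call_before_state_write(body, state_vars):
            findings.append((name, "external-call-before-state-update"))
        if any(TX_ORIGIN.search(line) for line in body):
            findings.append((name, "tx-origin-authorization"))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_VAULT), ("hardened", HARDENED_VAULT)):
        print(label, audit(src))
```

Running the block reports two findings for the constructed vulnerable contract and none for the hardened one. The point for an auditor is the ordering rule the checker encodes: a function that hands control to an external address before recording the effect of the call leaves a window in which its own state is stale, and a tool that only looks for the call, without checking what follows it, would miss the difference between the two versions.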