Smart Contract Audit Questions Answered!
Blockchain and smart contract hacks are irreversible, and so is the loss of the funds stored in those contracts, which for community-led projects are often the community's own. Ethereum was the first blockchain to introduce smart contracts, and other blockchains have since followed the same road, resulting in numerous DeFi projects. In the past years we have seen hacks that drained contracts and caused massive financial loss and a loss of trust in the affected projects. Smart contract hacks are rising exponentially, and every one of them carries the same lesson: start taking the security of your smart contracts seriously.
A good smart contract security audit is essential for protecting users' hard-earned money from hacks, especially if you are a DeFi project. An attacker who finds a flaw can drain everything stored in a smart contract and cause a massive loss (generally in the millions of dollars). Whether you are a project going for a smart contract security audit or a security geek, this article aims to clear up the questions that come up in the process. So, without further delay, let's get started.

Q1. What are the types of smart contract security audits?
>> There are two types of smart contract audits: the interim audit and the full audit.
Q2. What's the difference between an interim and a full audit?
>> An interim audit is a short-term security audit, generally a 48-hour engagement. It is done in the early stages of development, when the developer has started writing the smart contract and wants to know whether the design is heading in the right direction. The time needed is shorter if the code is based on open source libraries and longer if the contract is custom developed.
A full audit is done when the contract is fully developed and ready to be deployed on the main-net, but needs to be reviewed by security experts before that happens.
Q3. How much time does a typical smart contract audit take?
>> It depends on the code base: if the contract uses standard open source libraries such as those from OpenZeppelin, both time and cost are reduced. A typical smart contract audit can take up to a week or two.
Q4. When am I ready for a security audit?
>> When the smart contract has been developed and checked by an internal auditor. An internal audit is recommended so that obvious mistakes are eliminated before the external auditor's security audit begins.
Q5. Who should go for a full audit?
>> Anyone who takes security seriously, especially DeFi smart contracts, dapps and lending protocols.
Q6. What does a full smart contract audit look like?
>> A full smart contract security audit consists of:
manual review, automated tests, functional tests, business logic review, and deployment and testing on a test-net. Depending on the budget, if more budget is available and the maximum level of security testing is needed, go for property testing as well.
Q7. What happens after my contract passes a security audit?
>> After your smart contract passes the security audit, you are given a detailed PDF report of the auditor's findings, along with mitigations for the vulnerabilities found and a flexible time limit in which to fix them. Once the issues are fixed, the previous report is revised to confirm that the changes have been committed to the code. Finally, a certificate/stamp is issued by the auditing company to prove the legitimacy of the audit.
Q8. Will my report be public after the security audit?
>> That depends on you. You can choose not to disclose the report at your own discretion. Developers do generally make their smart contract audit reports public to build trust in their project.
I hope this article cleared up your questions about smart contract security. A special thanks to Somish Blockchain Labs and Tejas Rastogi (Razzor) for supporting the writing of this article.
Have more questions? Comment down below or ping me on Twitter, and I'll answer them in the next blog post. Additionally, you can join the RazzorSec Discord to raise your questions about smart contract and blockchain security.
RazzorSec:
Twitter- https://twitter.com/razzorsec
LinkedIn- https://company/in/razzorsec
Discord- https://discord.com/invite/JTkeNXX
Stay tuned and safe until next time!