Providing insight into the basics of smart contracts & the need for proper auditing
The concept of a ‘Smart Contract’ is inextricably linked to blockchain technology and you’ve undoubtedly come across the term often. Whether you’re interested in the advancement of blockchain technology in general or you’re a cryptocurrency aficionado, understanding smart contracts is a foundational necessity either way. This article will provide you with:
1) A basic understanding of smart contracts
2) The ramifications of faulty code
3) The importance of smart contract audits
4) A Dusk Network smart contract case-study
So, what is a smart contract, what purpose do they serve, and how can we begin to rely on them for our financial innovations going forward?
A ‘Smart Contract’ is a self-executing contract on which the terms of the agreement between two parties is written into lines of code.
Smart contracts define the rules of interaction between various parties in rigid terms, doing away with the need for middlemen when executing an agreement.
However, there is one ironic twist to the idea of smart contracts eliminating the possibility of human inefficiency or error: the lines of code that comprise smart contracts are written by fallible humans. The difference between effective and faulty code can be as little as a single misplaced character. As many projects have found out, the ramifications of faulty code can be substantial.
Costly typos & bad logic.
The majority of interactions a user will have with blockchain projects will utilize a smart contract. Contributing to Initial Coin Offerings, participating as a token staker, engaging in trades or swaps; each of these actions puts financial assets in the hands of a smart contract. If the integrity of these contracts is compromised or otherwise faulty, hackers can use exploits to gain access to the assets or the smart contract itself can cause irrevocable damage.
Take, for example, the recent YAM project. An experimental algorithmic stablecoin that exploded onto the scene with a fanatical community backing. Within a day, the coin’s worth pumped from 0 to over 130 USD, accelerated by DeFi excitement within cryptospace. The project was, as the creator(s) frequently reiterated, just an experiment with unaudited code and users were to proceed with caution. Caution, however, was not heeded. With over 440 million dollars surging into the coin in just 2 days, the hype seemed unstoppable. Then came the smart contract bug.
‘Rebase’, one of YAM’s smart contract mechanisms, had a bug in its code which resulted in the coin losing control of its on-chain governance feature. The smart contract mechanic was designed to expand and contract the supply of YAM based on market conditions. Instead, the bug caused it to issue excess tokens to the token’s treasury, indefinitely. The entire event, from launch to discovery of the bug, took only two days.
Alternatively, some smart contract bugs leave the door open for hackers to maliciously exploit the code. Such was the case with Eminence protocol, a smart contract-based game project. When the official Twitter hinted at an upcoming launch, users discovered that non-final, unaudited smart contracts used for ‘in-product testing’ had already gone live. A few hours later, 15 million USD had been deposited into these untested smart contracts by users eager to get a head start. That same night, a user found and exploited an error in the code, draining all of the 15M dollars from the protocol.
Ramifications, big and small.
These two high profile cases are only some of the more recent examples of smart contract vulnerabilities. Looking back, there have been many cases where the lack of proper auditing led to a loss of control, loss of funds, and/or loss of trust in a project altogether. Other cases include DAO, Parity, Spankchain, and the list goes on.
What can we learn from these mistakes? Blockchain projects rely on the quality of their code and its implementation. The importance of assuring the integrity of that code cannot be overstated. Thankfully, due to growing interest in blockchain and smart contract technology, an industry is blossoming with the goal to do just that.
Ensuring integrity: smart contract audits.
Smart Contract Audits enlist certified third-party blockchain technology experts & smart contract developers to pore over the smart contract code and ensure its integrity. This means meticulously investigating the smart contract code for vulnerabilities, exploits, and potential security flaws. We’ve seen how even mistakes in the code can cause major ramifications. With smart contracts set to become the foundation for many financial services of the future, there is no room for error.
Once a smart contract is run, the process is irreversible. Hence, it is vital to carry out contract audits ahead of deployment. Just as important is who you allow to audit your code. A good contract audit not only identifies security flaws for the purposes of risk management, but also finds code optimizations to increase the performance of the contract.
There are many Smart Contract Auditors available and who you choose to contract for an audit usually depends on your budget, contract specialty, and the reputation of the auditor themselves.
Dusk Pre-staking Contract case-study.
As an example of the importance of Contract Audits, we can take a closer look at the smart contracts responsible for executing the conditions of Dusk Network’s pre-staking programs. Like any transaction, staking requires cooperation and trust between both parties; there is a give and take in the shape of effort and reward. A deficient staking contract could cause loss of trust and, in a worst-case scenario, loss of assets on either side of the equation.
Stakers fulfill two important roles within Dusk Network’s ecosystem. If you’re not familiar with these roles, we highly recommend you check out an Introduction To Our Unique Consensus Algorithm. As each staking role necessitated the creation of its own pre-staking smart contract (for use on the Ethereum blockchain) to establish the parameters of the agreement between Dusk Network and the stakers, we ended up with two separate pre-staking smart contracts to audit. To ensure their integrity, we contracted Cyber Unit to perform an in-depth audit.
The South Korea-based Cyber Unit has audited contracts of several high volume exchanges & blockchain projects in the past, including their staking and mainnet contracts. Outside of the blockchain industry, they work for major clients such as CISCO, various governmental agencies, Ministries of Finance, and multinational corporations. With such an extensive pedigree, we could be sure our smart contract audit would be in the right hands.
It is in the public interest to be as transparent as possible about smart contract audits. Not only because members of the public will be utilizing and entrusting their holdings to these smart contracts, but also as to encourage trust and innovation in the blockchain space itself. Practicing what we preach, we’ve published our successful staking contract audits in extensive detail on GitHub, along with the pertinent audit reports.