For over 15 years Security Innovation has offered unique software security expertise with the goal of helping developers build a more robust connected world. We specialize in security assessment and education, and are the authors of several immersive learning environments including the Security Innovation Blockchain CTF.
If you are planning to launch a project on the Ethereum blockchain, you probably know the importance of a third-party code audit. An external audit can ensure that your contracts function as intended and remove vulnerabilities in the code. Choosing a team of experienced, rigorous auditors is of course essential, but your preparation will also impact the quality of the audit. Some effort on your part will go a long way toward getting you a better, faster audit.
You’ve just approved a security review of your codebase. Do you:
Send a copy of the repository and wait for the report, or
Take the extra effort to set the project up for success?
By the end of the review, the difference between these answers will lead to profoundly disparate results. In the former case, you’ll waste money, lose time, and miss security issues. In the latter case, you’ll reduce your risk, protect your time, and get more valuable security guidance.
It’s an easy choice, right?
Glad you agree.
Now, here’s how to make that security review more effective, valuable, and satisfying for everybody involved.
Smart contracts are the heart of the Ethereum blockchain. Every dApp we engage with contains a smart contract created to dictate how it works at the most basic level. It is safe to say we should expect smart contract creators to produce sound and stable smart contracts. But the proverb, trust but verify, exists for a reason. Smart contract auditors are the independent verification mechanism to determine if the intentions and goals of the contract’s creator were rendered into the language of the blockchain. This verification is essential. Because of this importance, we want to shed some light on the organizations doing the audits to verify the integrity of the smart contracts powering the Ethereum blockchain.
Smart contracts can be compromised: they can have bugs, the owner’s wallet can be stolen, or they can be trapped due to an incorrect setting. If you develop a smart contract for your business, you must be prepared to react to events such as these. In many cases, the only available solution is to deploy a new instance of the contract and migrate your data to it.
Although still in its infancy, Solidity has seen widespread adoption and is the source language compiled into the bytecode of many Ethereum smart contracts deployed today. Developers and users alike have learnt a number of harsh lessons while discovering the nuances of the language and the EVM. This post aims to be a relatively in-depth and up-to-date introduction to the past mistakes made by Solidity developers, in an effort to prevent future developers from repeating history.