Smart contract audits don’t focus only on blockchain security. They also look at efficiency and optimization. Some contracts make a complicated series of transactions to complete their intended function. With gas
fees on networks like Ethereum being relatively costly, efficient contracts can save a lot on transaction costs
Optimizing their performance is also an indicator of the developer’s skill. Inefficient steps provide more points for failure and should be avoided. When gas costs are high, smart contracts may fail to execute, even more so when a low gas limit is used.
Most of the work in audits involves checking contracts for security vulnerabilities. While some issues can be easy to see, many exploits involve advanced techniques and strategies to drain funds. For example, market manipulation can be used with weak smart contracts to conduct flash loan attacks. To find these issues, auditors start the break testing process and simulate malicious attacks on the smart contract. Common vulnerabilities include:
1. Reentrancy issues: When a smart contract makes an external call to another external contract before any effects are resolved. The external contract can then recursively call the original smart contract and interact with it in ways it shouldn’t be able to, as the original contract’s balance hasn’t yet been updated.
2. Integer overflows and underflows: When a smart contract carries out an arithmetic operation, but the output exceeds the storage capacity (usually 18 decimal places). This can lead to incorrect amounts being calculated.
3. Front running opportunities: Badly structured code can provide forewarning of market purchases or sales. This, in turn, can allow others to use the information and trade on it for their own benefit.
Platform security flaws
Most audits include looking at the network hosting the contracts and even the API used to interact with the DApp
. A project may be vulnerable to a DDoS attack or have its website UI compromised, meaning users will actually connect their wallets to malicious blockchain applications.