Smart Contract Audit - Security Review for Blockchain Code

Smart Contracts are programs that are executed in a decentralized manner by every participant in the network. The results of this execution are immutable, so a faulty execution cannot be undone. Smart Contracts therefore require more careful checks, all the more so because they are economically rewarding targets for hackers.

Definition and Explanation of Blockchain Components

Our assessment of Smart Contracts, decentralized Financial Markets, and the Metaverse

Many vulnerabilities in Smart Contracts surprised us and there is no reason to believe that there will be no further exploits. As long as investors decide to invest large sums in complex, but poorly reviewed code, we will continue to see new incidents that have devastating consequences. Methods for the formal verification of Smart Contracts are not yet mature. As new classes of vulnerabilities continue to be found, developers need to stay up-to-date and new tools need to be developed to find them. This top 10 will likely evolve quickly until the Smart Contracts have reached a state of stability.

References

Toyota
dkb
R+V BKK
State Bank of India
Clark
Metzler

Certificates

ISO 27001 Grundschutz
OSCP

Blockchain, Metaverse and DeFi

Our Investigation and Analysis Focal Points

We audit Smart Contracts and decentralized exchanges (DeFi projects) as well as Metaverse components using our own and external frameworks according to NCC standard, on which most blockchain technologies are based.

    Reentrancy Attack

    The Reentrancy attack occurs when external calls of a contract are allowed to make new calls to the source contract before the first execution is completed. For a function, this means that the contract state can change in the middle of execution through a call from an untrusted contract or the use of a low-level function with an external address.

    Access Control

    Typically, one accesses the functionality of a contract through its public or external functions. While insecure visibility settings provide attackers with easy opportunities to access a contract's private values or logic, access restrictions are sometimes more subtle. These vulnerabilities can occur when contracts use the outdated tx.origin to validate the user.

    Arithmetic Problems

    Integer overflows and underflows are not a new class of vulnerabilities. However, they are particularly dangerous in smart contracts, where unsigned integers are widespread and most developers are accustomed to simple int types (which are often just signed integers).

    Unchecked Return Values for Low Level Calls

    Among the deeper features of Solidity are the low-level functions call(), callcode(), delegatecall() and send(). Their error handling differs significantly from that of other Solidity functions: they do not propagate (or throw) errors and do not lead to a complete reversal of the current execution. Instead, they return a boolean value that is set to false, and the code continues to execute. If the return value of such low-level calls is not checked, this can lead to failures and other undesirable results.

    Denial of Service

    While other types of applications may eventually recover, smart contracts can be taken offline forever by a single one of these attacks. Many paths lead to denials of service, including malicious behavior as the recipient of a transaction, artificially increasing the gas required for the calculation of a function, abuse of access controls to access private components of smart contracts, and the exploitation of mix-ups. This class of attack encompasses many different variants and will continue to evolve in the coming years.

    Poor Randomness

    Randomness is hard to achieve in Ethereum. While Solidity offers functions and variables that can access seemingly hard-to-predict values, they are usually either more public than they appear or subject to the influence of miners. Since this source of randomness is predictable to some extent, malicious users can generally replicate it and attack the function that relies on its unpredictability.

    Front-Running

    Since miners are always rewarded with gas fees for executing code on behalf of externally owned addresses (EOA), users can set higher fees to have their transactions validated faster. As the Ethereum blockchain is public, anyone can see the content of others' pending transactions. This means that if a certain user reveals the solution to a puzzle or another valuable secret, a malicious user can steal the solution and copy their transaction with higher fees to preempt the original solution. If smart contract developers are not careful, this situation can lead to practical and devastating front-running attacks.

    Time Manipulation

    Sometimes, Smart Contracts need to rely on the current time. In Solidity, this is usually done via block.timestamp or block.height. Since the miner of a transaction has some leeway in block creation, good Smart Contracts avoid relying heavily on the announced time. Furthermore, it should be noted that block.timestamp is also sometimes (incorrectly) used in the generation of random numbers, as described in 6) (Poor Randomness).

    Short Address Attack

    Short Address Attacks are a side effect of the EVM itself accepting incorrectly padded arguments. Attackers can exploit this by using specially designed addresses to get poorly coded clients to encode arguments incorrectly before including them in transactions. Although this vulnerability has not yet been exploited, it is good evidence of problems arising from the interaction between clients and the Ethereum blockchain.

    Unknown Unknowns

    Ethereum is still in its infancy. The main language for developing Smart Contracts, Solidity, has yet to reach a stable version, and the tools of the ecosystem are still experimental. Therefore, our expertise and experience in testing are particularly important.

Linkable on your website

Certification with Seal

We have developed an effective and comprehensive format for verifiable security that can be directly integrated into your website. This certificate demonstrates a high level of security, data protection, and an awareness of IT security to third parties such as customers or insurance companies.

The certificates we issue demonstrate a high level of IT security at a given point in time following a standard or individual test modules. Depending on the assessment, different test guidelines are chosen and evaluated.
