Smart Contract Audit

Smart contracts are programs that are executed in a decentralized manner by each participant in the network. Therefore, smart contracts require more careful audits because they are economically rewarding targets for hackers. This execution has the property that the resulting outcomes are immutable. Misguided executions can therefore not be undone.

Definition and Explanation of Blockchain Components

Our take on Smart Contracts, Decentralized Financial Markets and the Metaverse

Many vulnerabilities in smart contracts came as a surprise and there is no reason to believe that there will not be more exploits. As long as investors choose to invest large sums of money in complex but poorly verified code, we will continue to see new incidents that lead to devastating consequences. Methods for formal verification of smart contracts are not yet mature. As new classes of vulnerabilities continue to be found, developers will need to stay current and new tools will need to be developed to find them. These top 10 will likely evolve quickly until smart contracts reach a state of stability.

Industries

Automotive
Finance
Healthcare
SME
Startup
Technology

Certificates

Blockchain, Metaverse and DeFi

Our Examination and Analysis Focus

We audit smart contracts and decentralized exchanges (DeFI projects) as well as metaverse components with our own and external frameworks according to NCC standard on most blockchain technologies.

    Reentrancy Attack

    The reentrancy attack occurs when external calls to a contract are allowed to make new calls to the source contract before the initial execution is complete. For a function, this means that the contract state can change in the middle of execution due to a call to an untrusted contract or the use of a low-level function with an external address.

    Access Control

    Typically, one accesses the functionality of a contract through its public or external functions. While insecure visibility settings provide attackers with easy ways to access a contract's private values or logic, access restrictions are sometimes more subtle. These vulnerabilities can occur when contracts use the deprecated tx.origin to validate the user.

    Arithmetic Problems

    Integer overflows and underflows are not a new class of vulnerabilities, but they are especially dangerous in smart contracts where unsigned integers are widely used and most developers are accustomed to simple int types (which are often just signed integers).

    Unchecked Return Values for Low Level Calls

    One of the deeper features of Solidity are the low-level functions call(), callcode(), delegatecall(), and send(). Their error detection behavior differs significantly from other Solidity functions in that they do not propagate (or flash) and do not result in a complete reversal of the current execution. Instead, they return a boolean value set to false, and the code continues to execute. If the return value of such low-level calls is not checked, this can lead to failures and other undesirable results.

    Denial of Service

    While other types of applications can eventually recover, smart contracts can be taken offline forever by a single one of these attacks. Many paths lead to denials of service, including malicious behavior as the recipient of a transaction, artificially increasing the gas needed to compute a function, abusing access controls to access private components of smart contracts, and using mistaken identity. This class of attack includes many different variants and will continue to evolve in the coming years.

    Bad Randomness

    Randomness is difficult to achieve in Ethereum. While Solidity offers functions and variables that can access seemingly hard-to-predict values, they are generally either more public than they appear or subject to miner influence. Because this source of randomness is predictable to some degree, malicious users can generally replicate it and attack the function that relies on its unpredictability.

    Front-Running

    Since miners are always rewarded with gas fees for running code on behalf of external addresses (EOA), users can set higher fees to get their transactions validated faster. Since the Ethereum blockchain is public, anyone can see the contents of others' pending transactions. This means that if a particular user reveals the solution to a puzzle or other valuable secret, a malicious user can steal the solution and copy their transaction with higher fees to prevent the original solution. If smart contract developers are not careful, this situation can lead to practical and devastating front-end attacks.

    Time Manipulation

    Sometimes smart contracts need to rely on the current time. This is usually done using block.timestamp or block.height solidity. Since the miner of a transaction has some leeway in block creation, good smart contracts avoid relying heavily on the announced time. Furthermore, note that block.timestamp is also sometimes used (incorrectly) in random number generation, as described in 6).

    Short Address Attack

    Short address attacks are a side effect because the EVM itself accepts incorrect padding. Attackers can exploit this by using specially crafted addresses to trick poorly encoded clients into miscoding arguments before including them in transactions. Although this vulnerability has not yet been exploited, it is good evidence of problems arising from the interaction between clients and the Ethereum blockchain.

    Unknown Unknowns

    Ethereum is still in its infancy. The main language for developing smart contracts, Solidity, has yet to reach a stable version, and the ecosystem tools are still experimental. That's why our expertise and experience in testing is especially important

Range of Services for Cyber Security

Further useful Services within the Scope of an IT Security Audit

Penetration Test
Penetration tests are simulated attacks from external or internal sources to determine the security of web applications, apps, networks, and infrastructures and uncover any vulnerabilities.
Cloud Security
Due to the increasing complexity of cloud infrastructures, many services are misconfigured. We help you identify and eliminate misconfigurations and their effects.
Phishing Simulation
A spear phishing simulation is used to increase the detection ability of employees. We help you to sensitize your employees and thus strengthen the last barrier.
Static Code Analysis
Static code analysis, also known as source code analysis, is typically performed as part of a code review and takes place during the implementation phase of a Security Development Lifecycle (SDL).

Linkable in Your Website

Certification with Seal

We have developed an effective and comprehensive format for verifiable security that can be integrated directly into your website. This certificate proves to third parties such as customers or insurance companies a high level of security, data protection and IT security awareness.

The certificates we issue prove a high level of IT security at a given time according to a standard or individual test modules. Depending on the assessment, different test guidelines are chosen and evaluated.

To the Certificate

Current information

Recent Blog Articles

Our employees regularly publish articles on the subject of IT security

ISMS
Testing Digital Operational Resilience under DORA

It is important for financial organizations to establish and regularly update TLPT to review their digital operational resilience.

Jan Kahmen
jan_kahmen
Jan Kahmen
5 min read
Red Teaming
Phishing with Flexible HTTP Reverse Proxy

An HTTP reverse proxy can be used to improve phishing simulations by switching between the client and the target server.

Jan Kahmen
jan_kahmen
Jan Kahmen
3 min read
Red Teaming
What is Pharming?

Pharming means fraudulently obtaining information by manipulating DNS queries.

Jan Kahmen
jan_kahmen
Jan Kahmen
3 min read

Contact

Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment:

Arrange appointment