Blockchain Audits Are Complex, Costly, And Completely Necessary
A development firm shocked laypersons by quoting $300,000 for a security audit in a preliminary market survey. However, those familiar with the ins and outs of the blockchain world were not surprised by the hefty price tag in the least. A number of factors necessitate the high costs, including the extreme scarcity of audit teams with the required expertise.Blockchain audits are time-consuming and highly complex. Atom Accelerator recently ran an RFP that culminated in a grant of $440,000 for Zellic to engage as an audit partner of Cosmos Hub over a period of two years. Zellic has performed audits for Cosmos Hub numerous times, including the Inactive Validator Set, Permissionless ICS, and Liquid Staking Module (engaged by Atom Accelerator). The Inactive Validators set involved a third-party audit of the codebase with the same name. Zellic conducted the audit in two weeks for a total ask price of $59,500, which included Simply Stakings fee as an intermediary. This entity also performed mediation for the Permissionless ICS third-party audit, which enabled anyone to create an optional consumer chain without a governance proposal, aimed at launching chains faster and with less friction. Zellics quote was $90,000 and a 25% price buffer to account for ATOM token volatility during the voting period. The total price, including Simply Stakings fees, was $121,500. Cosmos Hub spent $327,000 on one-off feature audits in the past year and a half, coming to an average of $26,000 for each week in which audits took place. The grant engages Zellic based on a 20 audit-week contract, which costs 16% less per week than Cosmos Hub paid, thanks to Atom Accelerators efforts.
A smart contract audit can take up to a monthThe projects size and complexity are the primary factors in determining how long a smart contract audit will take. While auditing a single token contract takes a couple of days, this goes up to a week for a decentralized application with complicated tokenomics. More advanced smart contract security audits are performed in up to a month. The length also depends on whether the developer team wants a full security audit or only an interim report. Its generally a better idea to audit the smart contract that has been deployed, not the one on GitHub. It minimizes the risk of code churning and malicious last-minute bugs and conveys a message of transparency to the user community.The audits duration is also affected by whether its manual or automated. Reviewing individual functions in the code manually is time-intensive. However, manual audits are more efficient because they reduce the risk of false reports. They involve checking the code line-by-line to help identify hidden issues in its architecture and logic.Binary analysis and cryptographic algorithm verificationSmart contract auditors perform a binary analysis to make sure the code is free from backdoors, i.e. hidden mechanisms attackers use to access a system without authentication. To this end, the team makes sure no unauthorized entities gain administrative access and inspects the transcoding and bonding protocols among participants. It also verifies cryptographic algorithms and enhances the overall security infrastructure.Product security audits require deep knowledge of programming languagesMost software products integrate a user interface. Smart contracts frequently interact with a backend server in DeFi and Web3, whose code can be proprietary or open-source. The interface communicates with the backend server and uses Metamask or another local wallet to verify the user and sign transactions. There is often at least one database, such as PostgreSQL or MongoDB, and AWS Cognito, Auth0, or another OAuth2 authentication service.Product security auditors verify that all components interact with each other as expected, each component performs its functions correctly, no information leaks are possible, system deployment procedures follow best practices, and unauthorized access is prevented. These tasks require a strong understanding of large software project architecture and the ability to navigate codebases written in different programming languages. Typically, the frontend is written in ReactJS, while the backend is a mix of Golang, NodeJS, Python, etc. The smart contracts are in Rust or Solidity. A wide range of tools is involved, including blockchain nodes and Docker container management techniques.Penetration testers are well-versed in network protocols and architecturePenetration testing focuses on external API endpoints Web2 backend services offer. Testing auditors mitigate security flaws by calling some of these APIs via unexpected syntax to obtain privileged access. This is a common attack vector, where cybercriminals trick the system into leaking private data or performing another unauthorized action. Auditors are well-versed in network protocols such as TCP/IP, HTTP/HTTPS, UDP, DNS, and SMTP, as well as architecture like firewalls, routers, switches, and their configurations. Familiarity with subnets and IP addressing (CIDR, NAT, VLANs, and VPNs) and tools like Wireshark to analyze packets is also required. Knowledge of command-line proficiency, permissions, and configurations entitles auditors to command high fees.The risks of skirting an auditFailing to identify smart contract bugs or errors can result in exploits, leading to fund loss. Skipping audits can also lead to violations of KYC/AML laws, resulting in fines or legal action.Without an audit, vulnerabilities in smart contracts, consensus mechanisms, or cryptographic protocols may go unnoticed. It also suggests a lack of due diligence, leading to skepticism among users and partners.A breach of trust or funds can lead to a loss of users or participants in the blockchain network. Without an audit, inefficiencies in the code can lead to increased transaction costs or slow network performance.Finally, auditors often provide recommendations that improve performance, security, and compliance. Their services are indispensable to blockchain operations for these and many other reasons and are well worth the substantial compensation.Text source: The Crypto Basic
