Smart Contract Audit, Auditing Tools, and Auditing Companies
A Smart contract audit is the review of code by experts to determine if the code is secure such as whether there are any existing vulnerabilities, possibilities for future bugs or any errors in coding that could expose users.
With the complexity of a new programming environment, it is possible for even expert developers to make mistakes when writing code. It becomes critical to verify correctness using unit testing and tooling validation.
The audit, which is done using standards and protocols such as Solidified Verification Standard and Quantstamp, is done before the code is hosted on Ethereum, thus it can increase the security of the whole ecosystem and individual projects and prevent hacks.
Although it won't guarantee that the code is 100 percent secure, the expert(s) revising the code could find problems and discuss possible improvements to the code to improve the security of cryptocurrencies. The expert can highlight critical issues that need to be checked and improved.
Here is a list of Smart Contract auditing companies
ConsenSys
ConsenSys Diligence is a leader in smart contract auditing and Ethereum blockchain security, with numerous auto smart contract analysis tools that are open source and free and a few offered through subscription. Some of their tools include Panvala and MythX.
Consensys does launch assessment for those who want to launch tokens, dApps, IEOs or STOs by doing a comprehensive assessment of the code to determine its overall readiness. Security audits are targeted to provide unique insight into security vulnerabilities that may lead to hacks or other losses in smart contracts, etc.
The company also provides consultation services on blockchain security and best practices throughout the entire life-cycle of the project - these include scalability reviews, performance and gas optimization, and ongoing support for audited contracts.
According to their website, they are working with Forbes Global 2000 companies, non-profits and world governments to build, test, and deploy high-value public and private blockchain solutions and present across global markets, including the US, UK, Ireland, France, Dubai, Hong Kong, Singapore, Philippines and Australia.
1. New Alchemy
New Alchemy is a strategy and technology advisory company that specializes in tokenization. It provides a range of services to companies that want to launch ICOs including C-level strategy, developing of smart contracts, project management and token game theory, auditing and other marketing services.
The company is based in Seattle, WA and was founded in 2016 by early Bitcoin innovator Peter Vessenes and therefore has a good understanding of cryptocurrencies and token processes and technologies.
The company has provided audit to world's most innovative companies in the cryptocurrency scenes.
2. Solidified.io
Solidified.io is a crowd sourcing company where any developer can submit their code for comprehensive quality review by a community of qualified and certified experts. The code is analyzed for intended behavior, security, Solidity construct usage, best practices and many other things.
Part of the experts who review the codes are blockchain veterans who themselves co-founded early protocols, and Solidity programmers in finance who understand specifics in the industry.
In fact, the company also does accepts application to be an expert. There are some benefits of using a crowd sourced audit service including ensuring that the audit is unbiased, reputable and verified by multiple independent reviewers.
Anyone can upload a contract simply by drag and dropping files and filling out the Spec of Intended Behavior and providing their testing history. The person then pays and sets rewards using an escrow, and the experts review takes place. The review takes about 48 hours depending on complexity of the code.
The experts will review the code based on Solidified Verification Standard that assigns a score for the contract and report on Critical, Major and minor bugs. The escrow (bounty payout) is released when the developer confirms claims and acknowledges an issue. There is a seven day grace period during which the owner can contest findings through a community-based Dispute Resolution process if there is disagreement.
The developer then incorporates the feedback in fixing the code and the expert will review the change-set and give a Solidified stamp to the contract.
3. Coinfabrik
Coinfabrik is a company that helps firms develop smart contracts, hyperledger development, private blockchain development, development of supply chain blockchain, wallet protection, loan data sharing, and development of safe reliable crypto exchanges in addition to helping with smart contract audits. The company
The company has more than 20 years of experience building and reviewing security applications.
They, for instance, built a back-end infrastructure for Monero and Zcash among other 8 cryptocurencies. They also built a wallet back-end and infrastructure for Jaxx Wallet,
They have also performed ant-fraud detection for Sig3, a multi-signature wallet. They added support for Elliptic curve on OpenPGPJS for CryptoKit platform.
The team hails from information security fields with some having experience of working in the industry from as early as 1994.
4. Zeppelin
Zeppelin reviews code and develops a report on the quality of a company's code and result are published online -- same case with New Alchemy.
More than $450 million has been raised with their audited smart contracts. They have audited the likes of BitClave and Global Messaging Token by Mercury Protocol.
Zeppelin uses industry-standard security patterns and best practices. Those intending to build secure smart contracts can use the company's OpenZeppelin standard framework for secure smart contract development to reduce vulnerabilities.
The company also has Coral, a platform that users can use to sell tokens securely to anyone around the world.
5. Token Market
Token Market provides complete token launching set of services including creating tokens, developing and auditing smarty contracts, and hosting crowd-sale, among other services.
It also works more or less like Solidified.io in that the problems are posted along with a bounty for a verified solution. Users will then collaborate to solve the identified problems and will share results and rewards. The submissions are added to Matryx library and marketplace for future purchase. This collaboration and ideas drives research and innovation.
They use standards such as the Solidity safety checklist of ethereum.stackexchange.com wiki to check code safety. This is a list of information from the crypto community about preventing potential attack vectors and pitfalls in smart contract programming.
`
They also use other techniques such as SafeMath library.
6. SmartDec
SmartDec specializes in manual and automated audits of smart contracts. Unlike some companies that analyze code in just Solidity or one programming language, this company analyzes code in Solidity, Java, JavaScript, Python and other programing languages.
Among the tools used include their Static Code Analyzer for Solidity language, which reports and flags issues that need manual checking and verification.
They check the application's logic for backdoors and discrepancies to the declared behavior. They employ teams whose members have academic degrees in code analysis. They have a host of clients and you can read some of their audit examples here.
7. Experfy
Experfy is a freelancing platform bringing together experts in smart contract auditing, and clients. The experts include MIT professors and former Google employees. They call the team of experts a "deep candidate pool" built through rigorous screening. It performs reviews and audits of smart contracts using rigorous independent reviews.
They first check customer's client against the library of known issues seen in dozens of reviews or reported elsewhere. They then check the logic against security issues. They then check impact of the contract to the entire network and also does a gas analysis to ensure users are not exposed to unnecessary Ethereum transaction fees.
They also provide clients with a detailed audit report as a certification of the contract.
8. Miranz
Miranz is based in USA, Europe, and other Asian countries.It brings together a team of professionals that work in collaboration to offer various services including blockchain related services such as auditing and block chain smart contract development service (others are web and mobile application services).
The company does crowd sale and token contract. The audit involves using variety of testing approaches to determine and solve security needs. The company even has developed flagship application to audit smart contract and ICO. The experts work in collaboration to identify and eliminate vulnerabilities.
9. Codecontext
Code Context is a formation of Adria Massanet, an IT professional with more than 18 years of experience in security, cryptography and digital identity software development.
He has, not only developed requirements for building security software and operations, but also does threat modeling and reviews designs and code for threat mitigation.
He is the freelance application security engineer at Code context and has reviewed Solidarity code for famous crypto projects such as SkinCoin, STOX, Maker DAO, Streamr and Sharpe Capital. He's also done security design of an IoT smart lock (under NDA).
See further details on his expertise here
10. HighTechBlock
HighTechBlock is a company that helps clients to build next generation blockchain and cryptocurrency products. This includes helping firms to launch tokens, develop blockchain application and launch other fintech products. They haven't been doing smart contract audit until last year so they can do it on demand.
Other mentions
Other companies helping with smart contract audits include Hosho that performs penetration testing, bug bounty to identify bugs in the system and checks whether the contracts operates as intended.
Another company is Practical Assurance that performs a number of techniques and analysis to minimize the risk of logic errors or vulnerabilities. The company combines smart contract audits with ICO Security Audit to validity maturity of organization and to give investors confidence.
Auditing and Testing Tools
Remix is an online solidity IDE that can be employed by developers to test and compile smart contracts, and which is simple to use and fully featured
There is both an IDE version and an online version.
Some of the tools inside of the Remix includes a Solidity Compiler which generates a lot of useful information that we will use in another environment. It also features three Runtime Environments, namely injected Web3 to providers such as Mist or MetaMask, Web3 provider to local host through IPC and Javascript VM which is a simulated environment.
The code analyzer helps developers to write some of the best codes.
SonarSolidity is provided as a plugin to the SonaQube console to analyze the code. It provides clarifications on vulnerabilities and bugs and can import Solium reports, which can be enhanced with Solium's own plugins.
It uses 25 rules that support Solidity's best practices and track vulnerabilities and code smell issues.
SmartAnvil open-source platform performs static analysis of smart contracts, deployed contract binary analysis, and blockchain navigation and querying.
Maian is an open-source blockchain analysis tool that also highlights potential vulnerabilities in smart contract code which was released last year under the MIT license. It classifies and siphons each smart contract error type in three main distinctions of vulnerability: prodigal, greedy and suicidal, based on their security risk categories.
Suicidal contracts are in which unnoticed or wrongly-coded contract will destroy the entire contract and return the funds to the owner of the contract. If the attacker owned the contract, a suicidal contract allows hijackers to keep the funds.
In prodigal contracts, an attacker can send funds to anyone on the blockchain and instead of killing the entire contract, this kind of error allows anyone to hijack ownership of the funds and then send to anyone random user within the contract and these operations may also go unnoticed. The attacker may send small increments from the contract in order to remain unnoticed.
Greedy contracts; for instance where some tokens may be locked in a smart contract for ever.
The Maian tool deploys the analyzed contracts on a private blockchain, and confirms the found bugs by sending appropriate transactions to the smart contracts.
MythX is cloud-based service that also includes extra paid features and revenue-sharing when the paid subscription option goes live. The subscription model will be based on a stablecoin system. The revenue-sharing model will allow anyone to earn by building MythX fronted tools and integrations. The MythX plugin for Tufflem which is compatible with Truffle 5.0 or higher, is one of the first end-user front-ends. It is used in doing analysis of smart contracts to the Truffle framework.
This and other end user plugins, IDE, extensions and CI scripts are easy to install and work. Truffle, which features the Truffle Debugger, is a common tool for command line development management among Ethereum developers and is one of the most popular development frameworks for Ethereum. It features built-in smart contracts that make it easier for Ethereum developers to link, deploy and manage binaries. Truffle can also be employed for automatic contract testing with Mocha and Chai.
It is used for advanced security analysis and detects many common Solidity vulnerabilities and EVM bytecode vulnerabilities. It can be used by developers to build purpose-built Ethereum security tools.
MythX is currently in beta. A developer or tester can use MythX through apps that integrate it and which are hosted on the MythX website. This can be done by logging in the tool website with MetaMask and setting up an API password. The tester will then install MythX frontend tool of coice and setting up their Ethereum address and password.
Sūrya (name meaning god of the sun) is also made by ConsenSys and gives visual outputs and information about smart contracts and allows the developer or contract tester to manually inspect contracts by querrying the function call graph.
The tool works with Solidity language.
Karl, also designed by ConsenSys, checks smart contracts code against vulnerabilities and can be used to monitor Ethereum blockchain for newly deployed vulnerable smart contracts, in real-time. It eliminates false positives by running candidate contracts in a virtual copy of the blockchain.
Solgraph: It generates a DOT graph that visualizes function control flow of a Solidity contract and highlights potential security vulnerabilities
EVM Lab tool includes VM, Etherchain API, and a trace-viewer through which it interracts with the Ethereum Virtual Machine.
Ethereum-graph-debugger
This graphical EVM debugger displays the entire program control flow graph.
Panvala project by ConsenSys Diligence is a decentralized crypto-economic game that targets at making Ethereum safer and on which developers can stake tokens to get Panvala mark and lose the tokens if any security issues are found.
Through Panvala, grant funders, corporate open source projects and volunteers came together to find sustainable funding together.
Static and dynamic analysis
Slither will detect many common Solidity issues with low false positives. The tool runs a suite of vulnerability detectors and prints out information about contract details, and provides an API to easily write custom analyses.
Therefore, in addition to finding vulnerabilities, developers can also prototype custom analyses.
It has taint and value tracking capabilities and is written in Python 3. It is also compatible with Truffle builds.
Echidna is the only available fuzzer for Ethereum software. It uses property testing to generate malicious inputs that break smart contracts. It uses sophisticated grammar-based fuzzing campaigns to falsify a variety of predicates.
It will generate inputs that are tailored to the testers or developer's actual code, provide an optional coverage guidance to find deeper bugs, and also provides a powerful API for advanced usage.
Securify is an online-based static analyzer for smart contracts that provides a security report based on vulnerability patterns.
SmartCheck static analyzer for solidity source code for security vulnerabilities and bad practices. It will scan the code and highlights the errors or need for correction in the code, as well as provide detailed explanation of the testing/analysis.
The tester or developer will upload the project and submit it for scanning, then wait until SmartCheck is done and highlighted issues against what is recorded in the Knowledge Base, and then check the indicated lines of code that need correction alongside descriptions and recommendations.
It is open-source.
Octopus has EVM support and e(WASM). It also provides explorer for BTC, Ethereum (EVM), ETH (WASM), EOS, NEO and WASM blockchains as well as disassembler and control flow analysis for most of these blockchains.
Weakness OSSClassifcation & Test Cases
SWC-registry: This is a registry of SWC definitions and a repository of crafted and real-world samples of vulnerable smart contracts.
SWC Pages is a SWC-registry repo published on Github Pages
Solidity-coverage: Code coverage for Solidity testing.
Linters
Linters improve the quality of smart contract code by enforcing rules for style and composition. They thus make it easier to read and review the smart contract code.
Solcheck: A linter for Solidity code written in JS and heavily inspired by eslint.
Solint: Helps to enforce consistent conventions and avoid errors in Solidity smart contracts.
Ethlint: Formely Solium, this tool analyzes Solidity code for style & security issues and fixes them. The tool helps to format solidity codes and fix security issues.
It also does not strictly adhere to Solidity Style guide but promotes coding practices agreed upon by the community.
Solhint: The open-source tool for linting Solidity code provides both security and style guide validations.