Unlike traditional software applications, smart contracts are immutable. When you deploy one onto the blockchain, the action can’t be reversed and the code can’t be changed. This means that if you identify a vulnerability after deployment, it likely can’t be fixed and the loss of funds can be catastrophic. These scenarios are not rare: in 2021 alone, it is estimated that approximately $1.3 Billion USD was lost in Decentralized Finance (DeFi). Identifying these vulnerabilities before deployment is key to mitigating these risks. That is why testing and auditing your smart contract code before deployment shouldn’t be considered optional. Instead, it should be considered a vital component of the development process. In this article, we discuss our testing and auditing pipeline for smart contracts and how we help our clients safely deploy high-value smart contracts.
At BlockFold we implement a test-driven development framework with a variety of different tools and techniques to make sure our smart contracts are covered from every angle. This includes unit testing, static analysis, dynamic analysis and fuzzing.
Unit tests enable you to test small units of code and verify that these units are working as expected. This typically involves manually writing tests that address positive and negative scenarios as well as any conceivable edge cases. Unit testing should be extensive and cover 100% of the smart contract code. It is not uncommon for a simple smart contract to have hundreds of unit tests.
Fuzzing allows you to treat your smart contract as a black box and expose your contract to a large number of random scenarios. These scenarios will randomly execute a sequence of functions and generate thousands of random inputs for those functions. The goal here is to find inputs to the smart contract which generate unexpected outputs.
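To make the idea concrete, here is an added example (not BlockFold's code or tooling): a small stateful fuzzer in Python that calls random functions with random inputs on a constructed in-memory token model and checks a supply invariant after every successful call. The `ToyToken` class, its planted self-transfer defect, the account names and the invariant are all assumptions made for illustration.

```python
import random

class ToyToken:
    """Constructed in-memory model of a token contract (not real contract code)."""
    def __init__(self, accounts, supply, buggy):
        self.balances = {a: 0 for a in accounts}
        self.balances[accounts[0]] = supply
        self.total_supply = supply
        self.buggy = buggy

    def transfer(self, sender, to, amount):
        if amount < 0 or self.balances[sender] < amount:
            raise ValueError("revert")
        if self.buggy and sender == to:
            # Planted defect: a self-transfer credits without debiting.
            self.balances[to] += amount
            return
        self.balances[sender] -= amount
        self.balances[to] += amount

    def burn(self, sender, amount):
        if amount < 0 or self.balances[sender] < amount:
            raise ValueError("revert")
        self.balances[sender] -= amount
        self.total_supply -= amount

def invariant_holds(token):
    # Property under test: balances must always add up to the total supply.
    return sum(token.balances.values()) == token.total_supply

def fuzz(buggy, runs=200, steps=30, seed=1):
    """Return the first call sequence that breaks the invariant, or None."""
    rng = random.Random(seed)  # fixed seed so a finding can be reproduced
    accounts = ["alice", "bob", "carol"]
    for _ in range(runs):
        token, trace = ToyToken(accounts, 1000, buggy), []
        for _ in range(steps):
            name = rng.choice(["transfer", "burn"])
            sender, amount = rng.choice(accounts), rng.randint(0, 1200)
            args = (sender, amount)
            if name == "transfer":
                args = (sender, rng.choice(accounts), amount)
            trace.append((name,) + args)
            try:
                getattr(token, name)(*args)
            except ValueError:
                continue  # a revert is an expected outcome, not a finding
            if not invariant_holds(token):
                return trace
    return None
```

The returned trace is the full call sequence leading to the violation, which is what you would turn into a regression unit test once the defect is fixed.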
Static analysis tools check for security vulnerabilities in your smart contract code without actually executing that code. These tools add great value to any testing toolkit, as the setup is minimal and they check your code against a large list of commonly known vulnerabilities.
Dynamic analysis tools check for vulnerabilities by executing your smart contract code and determining all the possible execution paths. This provides another means of vulnerability detection and often yields fewer false positives than static analysis tools.
Auditors are often equipped with specific knowledge of past exploit patterns in the ecosystem, current best practice recommendations and gas optimisation techniques, as well as expert skills in questioning the business logic and coming up with potential new ways to take advantage of the code. Auditors often work in groups to tinker with the code and make sure it is safe from attack from every angle imaginable. Findings, from the most critical flaws to informational best practice recommendations, are collected in an audit report together with the team’s responses and the fixes made in answer to the auditors’ recommendations. Very often, the audit reports of a protocol are publicly available to inspire users’ confidence in the smart contracts.
BlockFold has been fortunate enough to work with the best auditors in DeFi, OpenZeppelin, on our highest value smart contracts. This provides our clients with the best possible assurances that their contracts are as safe as possible.
Combining Auditing and Testing
It’s now clear that both testing and auditing are essential to ensure your smart contracts’ safe execution. At BlockFold we integrate auditing directly into our test-driven development pipeline. This is done by hiring internal auditors for faster feedback and then external auditors such as CertiK, Consensys Diligence and OpenZeppelin for the final review.
There are many manual, automated and semi-automated methods for analyzing smart contracts. Each of these methods in isolation will not give you a complete picture of the threats your smart contract may face. Combining them will maximize your smart contract coverage and give you a better overview of your threat surface. As the crypto industry evolves to have more complex code, more use cases and newer exploit patterns, there has never been a more pivotal time to make sure you have implemented good testing and auditing processes for your company’s needs.