Smart Contract Audits Have Failed: Can We Solve the $2.8 Billion Smart Contract Security Problem?
June 15, 2023
By Victor Fang
Despite the robustness of smart contract auditing, it has not been a panacea for Web3 security breaches. An alarming $2.81 billion in losses were caused by smart contract security compromises, 91.96% of which had been audited. As we stand at the precipice of a new era in Web3 security, we must pivot our approach to anticipate potential breaches and adapt accordingly. Our product, Web3SOC, was specifically designed for this purpose.
The Harsh Reality of Smart Contract Audits in 2022
Long hailed as the gold standard for smart contract security, audits fell notably short in 2022. The stark statistics below show that smart contract auditing struggled to provide the required level of security in the Web3 landscape.
Our team at AnChain.AI conducted an in-depth analysis of all major Web3 security incidents in 2022, revealing:
A staggering $2.81 Billion in losses from smart contract securitycompromises.
Smart contract-based incidents made up 70.36% of all Web3 security breaches.
An alarming 91.96% of the hacked smart contracts had undergone auditing processes, with some audited multiple times by reputable security firms.
Note: Detailed data, including the names of smart contract auditors, original audit reports, and incident categories, is available upon request for research purposes.
The problem has persisted into 2023 with no signs of slowing down, as demonstrated in the recent Euler Labs hacking incident. Despite receiving 10 audits from six different firms, including Halborn, Solidified, ZK Labs, Certora, Sherlock, and Omnisica, Euler Labs suffered a devastating $196 million flash loan attack on March 13, 2023.
Euler Labs CEO, Michael Bentley, described it as the “hardest days” of his life and added that the platform “has always been a security-minded project.”
This serves as a sobering reminder of the limitations of current smart contract auditing practices and the urgent need for innovation in this space.
How Does A Smart Contract Audit Work?
Smart contract auditing is a process of reviewing and assessing the code and design of a smart contract to identify potential vulnerabilities, security risks, and logic flaws.
There are several technologies and approaches used for smart contract auditing to ensure the security, correctness, and reliability of the contracts.
Commonly employed technologies at AnChain.AI and other industry leaders include:
Business Logic Code Review: This involves expert auditors conducting a detailed manual review of the smart contract’s source code to identify potential vulnerabilities, bugs, and security loopholes, provided the whitepaper and documentation.
Static Analysis: These tools automatically analyze the source code of smart contracts to detect potential issues. They perform code pattern matching, syntax analysis, and data flow analysis to identify common vulnerabilities such as reentrancy attacks, integer overflow/underflow, or unchecked external calls.
Dynamic Analysis: Dynamic analysis involves executing the smart contract in a controlled environment, such as a test network or virtual machine, to monitor its behavior during runtime. This helps auditors identify vulnerabilities that may not be evident during static analysis, such as gas consumption issues, unexpected contract interactions, or unintended consequences of complex contract logic. Example: AnChain.AI Screen EVM Blockchain Transaction simulator.
Formal Verification: Formal verification is a mathematical method to rigorously prove the correctness of a smart contract. It involves using formal methods and logic to reason about the contract’s behavior and prove properties such as the absence of runtime errors or adherence to specified security properties. Example: AnChain.AI research team published Formal Verification Z3 source code for Soda Finance hack.
Fuzz Testing: Fuzz testing involves generating a large number of random inputs or test cases to identify unexpected behaviors or vulnerabilities in smart contracts.
Penetration Testing: Penetration testing involves actively trying to exploit vulnerabilities in a smart contract or the underlying blockchain platform. Ethical hackers simulate real-world attacks to identify weaknesses, such as unauthorized access, privilege escalation, or denial-of-service vulnerabilities. Anchain.AI has trained 100+ ethical smart contract hackers via IHackNFT, IHackWeb3, and various training events.
Why Are Audited Smart Contracts Still Hacked?
While the process of passing a smart contract audit can, to an extent, enhance the security of contracts, it is not foolproof and can, at times, fail to detect certain vulnerabilities or prevent exploitation.
The shortcomings of audits are extensive, with the list below demonstrates just a few of the reasons why audited smart contracts might still be at risk of compromise:
Incomplete Audit Scope: Auditors typically focus on known vulnerabilities and commonly exploited attack vectors. However, the evolving nature of blockchain technology and the emergence of new attack vectors mean that auditors may not catch all possible vulnerabilities. If an auditor overlooks a specific vulnerability or fails to consider a novel attack vector, the contract may remain exposed.
Resource Constraints: Audits are often conducted within a specific timeframe and may be subject to other resource limitations, including but not limited to the expertise of the auditors themselves. This can result in certain vulnerabilities being missed, especially if they are subtle or complex. Smart contract auditing requires a rare combination of both blockchain technology and secure coding practices. A lack of domain-specific knowledge or oversight can easily lead to more atypical vulnerabilities being overlooked/
Supply Chain Vulnerabilities: The smart contract itself only constitutes a fraction of its total potential attack surface. Insecure code libraries, malicious or vulnerable external dependencies, and compromised development environments are core problems for supply chain vulnerabilities in smart contract development. It is crucial to ensure that external dependencies are secure, regularly audited, and obtained from trusted sources.
Interactions with External Systems (Oracles): Smart contracts frequently interact with external systems, such as oracles or decentralized finance (DeFi) protocols. These interactions introduce additional complexities and potential vulnerabilities that may fall outside the scope of the smart contract audit. If vulnerabilities exist in these external systems or the integration is not thoroughly evaluated, it can lead to the exploitation of the audited contract.
Zero-Day Vulnerabilities: Zero-day vulnerabilities are unknown vulnerabilities that are discovered and exploited by malicious actors before they are identified by auditors or security researchers. These vulnerabilities can bypass existing security measures and compromise audited smart contracts before the vulnerabilities are widely known or patched.
Human Error: Auditing, like any human endeavor, is susceptible to human error. Auditors may make mistakes, misinterpret code, or overlook critical issues due to oversight or fatigue. Even the most experienced auditors can inadvertently miss vulnerabilities, leaving the audited contract exposed. Furthermore, smart contract audits, no matter how thorough, can never account for human error in operations security, with incidents like the Axie Infinity hack clearly illustrating how human operators can quickly become a point of failure.
Platform or Infrastructure Vulnerabilities: The underlying blockchain platform or infrastructure on which the smart contract operates may have vulnerabilities that are beyond the scope of the contract audit. If the platform or infrastructure is compromised, it can undermine the security of audited contracts.
Finally, it must be noted that smart contract auditing should not be a one-time task, but an iterative and continuous process. With these factors combined, smart contracts failed to live up to expectations in 2022.
There is, however, a better way forward.
Web3 SOC: The Future of Web3 Security
With the inherent limitations of smart contract auditing, we propose a novel approach. We’re proud to introduce Web3SOC, our award-winning product designed for the evolving security needs of the Web3 world. “It was a great honor that our WebSOC product and vision won the RSA Innovation Sandbox Top 10 Award, the ‘Oscar of Cybersecurity’!”, said Victor Fang, AnChain.AI CEO and Co-Founder. Watch our 3 minute pitch.
Building a secure Web3 DApp in the modern era requires a more systematic approach and a departure from spending most of one’s security budget on smart contract auditing alone. Inspired by Mandiant, FireEye, and other top-tier cybersecurity companies’ best practices, AnChain.AI launched a revolutionary product at RSA Conference 2023:
Web3SOC – Security Operations Center Platform designedto safeguard your Web3 digital assets.
It focuses on improving your Web security maturity:
Threat Modeling: Model for your DApp’s Attack surface, including smart contracts, private key management, Cloud infra, and all.
Incident Response Planning: Let’s assume the hackers are hacking you right now. What would you do to detect, respond, and remediate? Our experts can help you.
Attack simulation and Metrics focused: Start with measuring MTTD: Mean Time to Detect. The Web3SOC fire drill will measure your organization’s key metrics starting with MTTD.
Monitoring and Alerting: Web3SOC connects with blockchain full nodes and real-time monitoring and alerting on potential threats.
Automatic Response with AI:We leveraged various machine learning and AI to automate the SOC workflow. “Auto Trace AI” comes in handy for hackers attribution; the machine learning risk scoring engine has scored Billions of Web3 / Blockchain addresses and enabled as real-time API; GPT and LLM will scan smart contracts including vulnerabilities;
3rd party integration: Web3SOC connects to mainstream SIEM platforms and counting.
Web3SOC framework is built on a proven foundation – the 5-step NIST Cybersecurity Framework – combining the battle-tested framework with our world-leading Web3 smart contract attack surface domain knowledge.
The Web3SOC framework includes 5 core functions:
Identify: Understand Web3 digital assets, systems, data, and resources that need protection, and develop a comprehensive understanding of the organization’s cybersecurity risk landscape. For example, smart contract auditing fits into this stage.
Protect: Implement safeguards to ensure critical infrastructure services, prevent or minimize damage from cyber threats, and establish security policies and procedures.
Detect: Employ monitoring and detection systems to identify cybersecurity events promptly, enabling early detection and effective response. For example, Leveraging machine learning to detect fraudulent actors on Elrond blockchain, and applying Preventative countermeasures such as blocking the transaction falls into this category.
Respond: Develop and implement an incident response plan to address detected cybersecurity events, minimize damage, and ensure a faster return to normal operations.
We have reached a critical juncture in the field of Web3 security. The vulnerabilities exposed in smart contract auditing indicate the need for a paradigm shift in our approach. By leveraging the power of Web3SOC, we offer a comprehensive solution to safeguard your Web3 digital assets. We must prepare for the possibility of a hack happening, rather than reacting to it.
Now is the time to step up your organization’s security measures.
