Smart Contract Development and Auditing

Smart contract creation and auditing

If you are somewhat into blockchain and cryptocurrencies, you have probably heard the word smart contract more than once.

The first thing that comes to mind is something from law, some kind of smart contracts, which are monitored by an algorithm and probably can’t be violated. The second thing you might think of is the future of transactions: soon they will only be concluded through smart contracts. Let’s see if that is really the case.

What a smart contract is

A smart contract is a computer algorithm designed to help conclude an agreement, monitor fulfilment of a contract, and execute the obligations. Created in code, it is only executed on a blockchain, a distributed ledger controlled by a decentralized network of peer nodes.

As you might have guessed, this process has nothing to do with conventional deals. You can’t use a smart contract to buy a car or secure the supply of a carload of wheat. But you are free to exchange one token for another without any intermediaries, or deposit a token at interest with a crypto bank.

In the real world, contracts are concluded on paper or electronically, with the use of the digital signature. Contract fulfilment is monitored by the state, and disputes are resolved in court. There are some mentions on the web of people selling an apartment or another asset using a smart contract. But such information is nothing but deception.

Like offline, where contracts are regulated by certain countries and jurisdictions, a smart contract is only valid on the network where it is written and deployed.

It’s easier to grasp this with the example of a vending machine. One user puts stamps into the machine, the other puts seashells. The machine uses the exchange rate of 2 stamps per seashell. Both users trust the machine since its source code is public and everyone can read it.

How smart contracts emerged

The idea and the term ‘smart contract’ were coined by Nick Szabo in 1994. He described a smart contract as a cryptographic protocol that conducts and monitors contracts using a set of algorithms.

Smart contracts saw broad application in practice with the emergence of Ethereum. In 2013, the future project founder Vitalik Buterin realised that Bitcoin’s protocol was unusable for smart contracts because it had been designed for other purposes. So he decided to create a different protocol from scratch, which could be more relevant to the task.

Smart contracts help close deals and perform transactions according to pre-established rules, without any intermediaries. Blockchain makes such transactions transparent, traceable, and irreversible.

Where smart contracts are used

Use of smart contracts

Applications based on smart contracts deployed on blockchain networks are called dApps (short for decentralized apps). Blockchain-based smart contracts enforce obligations on crypto projects, make them more secure, and provide a safe payment system for cryptocurrencies. Oracles play a key role in creation of next-gen smart contracts that provide fintech products and monetary instruments (e.g. market data-driven ones).

  • Token issue. Perhaps the most popular use case. Hundreds of examples available in the public domain is what makes issuing tokens easy and accessible to everyone.
  • Decentralized exchanges. DEXs are blockchain-based exchanges that allow trading tokens without the need to store them with centralized companies. Among the shining examples are Uniswap, PancakeSwap, SushiSwap, Polyx DEX. The most common type of DEXs is automated market makers. They are on-chain liquidity pools that exchange tokens by a specific formula rather than using the order book. They help traders access liquidity, and liquidity providers get passive income.
  • Staking. Staking is a process of providing cryptocurrency as a stake in a contract. Protocols use it to ensure efficient tokenomics. With such a method, it becomes apparent where, how, and in which proportion the staking rewards should be distributed. They can also be slashed (automatically withdrawn) in some cases.
  • Farming. This innovation emerged in the DeFi ecosystem and is used there to retain liquidity and distribute governance tokens evenly between users. Most DeFi projects offering farming reward liquidity providers with native tokens that fund protocol development.
  • Algorithmic stablecoins. What makes them similar to centralized and decentralized stablecoins is that they are also backed by fiat money, cryptocurrency, or any other asset. But here is the difference. Algorithmic stablecoins maintain the equivalent of pegging using automated rewards and fines. If the price falls below the pegging level, excess tokens are burned; if the price gets higher than the pegging level, extra tokens are issued.

How to create a smart contract

Let’s examine how smart contracts are created with the example of Ethereum, the most common blockchain platform.

First, we need to work out the smart contract’s logic and write the source code. Developers use Solidity, a language that is somehow similar to JavaScript. The code can be written in any integrated development environment, but Remix Online IDE is the most widespread one. It allows designing a smart contract, compiling it, and placing it on the network.

After compilation is complete, we need to deploy the code on the network. For that, we create a special transaction, and the deploying address pays a fee to the network (the fee currency is ETH in our case). The more complex the smart contract, the higher the fee.

If all goes well, the deployment transaction will be executed in one of the blocks and the smart contract will end up on the blockchain with a unique address. After that, it will be able to receive commands.

How much it costs to develop a smart contract

The price of a smart contract depends on its complexity. For example, creating a simple smart contract for issuing tokens costs 1000–5000 USD, while development of sophisticated dApps starts from 10,000 USD and may cost over 100,000 USD.

We at Polygant have been doing blockchain development for 10 years. For this time, we have designed around a hundred smart contracts of different complexity. Contact us on Telegram to discuss how advanced a contract your crypto project needs.

What a smart contract audit is

A security audit is an independent examination of a smart contract’s code that projects usually publish on GitHub. Audits are a must for DeFi projects and dApps whose numerous users transact millions of dollars. Usually, an audit consists of the following stages:

  1. Auditors conduct an initial review of contracts.
  2. Auditors submit the review results to the project developers for further action.
  3. Project developers make changes and fix the errors found.
  4. Auditors draw up a final report considering the changes made and remaining errors.

Auditing is a common process for large crypto projects. Most investors take into account the audit results when studying new DeFi projects. And they have more confidence in reports compiled by reputable audit firms.

Why a crypto project may need an audit

Smart contracts help transact or block gigantic amounts of cryptocurrencies. And this can be a big prey for hackers. Even tiny code errors may lead to a project losing millions of user funds. For example, a hacking of The DAO resulted in the theft of $50 million worth of ETH and Ethereum’s hard forking.

A project team needs to make sure the code is secure, since transactions on the blockchain can’t be reversed. The specificity of the technology won’t allow their cryptocurrency to be recovered, nor solve problems after a hack. This is why it is critical to find all vulnerabilities beforehand.

Purposes of smart contract auditing

Auditing helps achieve a variety of goals, including:

Finding and fixing vulnerabilities

Auditors check smart contracts for various downfalls. Some are found immediately, but most can only be identified with the use of special techniques and tools. For example, during market manipulation, an assailable smart contract may be attacked with flash loans. To find such bottlenecks, auditors try to hack a smart contract. Here are the most common types of attacks they imitate:

  • Recursive call. A contracts another, external contract, before committing changes. After that, the second contract can recursively interact with the first one in an invalid way, since the balance of the first one hasn’t been updated yet.
  • Front running. When the execution of a contract depends on its position in a block, one can push a transaction forward in the queue by overpaying for gas and thus unfairly win auctions, lotteries, and games.
  • Integer overflow. When a contract performs an arithmetic operation, the value may exceed the storage capacity, resulting in an incorrect calculation of amounts.

Addressing security errors

Auditors also examine the network that hosts the smart contracts and the application programming interface (API) used to interact with dApps. If it turns out that the project can’t withstand a DDoS attack or its API is compromised, it will be unsafe for users to connect crypto wallets to potentially harmful blockchain apps.

Optimizing gas expenses

On top of analysing blockchain security, auditors look at how optimized and efficient smart contracts are. Seasoned blockchain developers try to optimize their performance. But inexperienced enthusiasts may neglect optimization.

Some smart contracts need to send a series of transactions to be executed. Given that gas fees are high on networks like Ethereum, efficient smart contracts could help save on transaction fees. And if they are inefficient, expensive gas could disrupt their operation.

How smart contracts are audited

A security audit is a common service. And though different audit firms may employ different approaches, here is a typical plan most of them follow:

  1. Determining the scope of work. Contract specifications depend on the project’s purpose and architecture. They help auditors find out which goals developers pursued when writing the smart contract.
  2. Estimating the audit cost based on the scope of work.
  3. Carrying out the audit. The techniques and tools used vary from company to company. Both automated and manual examination methods can be used.
  4. Drafting a bottleneck report. It’s then submitted to the team for troubleshooting.
  5. Drawing up a final report describing action taken by developers to fix the problems found.

What an audit report is

A report is submitted at the end of the audit. In most reports, problems are categorised by severity: critical, major, minor, trivial. The problem status is also indicated, and is updated in the final report if the team had managed to fix the related error before the final report was drawn up.

Besides general takeaways, the report contains recommendations, code error review, and examples of inefficient code. When the project team receives the final report, they can publish the full version or the key findings in the community.

How much it costs to audit a smart contract

The audit cost depends on the number of smart contracts to be reviewed. On average, an audit costs 2000–3000 USD. In a more complex case, it can cost over 10,000 USD. Another factor affecting the cost of service is the reputation of the audit firm.

Polygant is respected in the market. But we don’t think our reputation should be reflected in our rates. Send us a request to find out how much an audit will cost you.

07 February 2020

Feel Free to Contact Us