Hacker's Lens
Case Studies and Security Insights from Auditors and Audits.
This article delves into key considerations for conducting smart contract security audits, offering insights from my personal experiences and perspectives shared by top security researchers I had the privilege of meeting during DevCon VII. These seasoned experts have spent years in the security space, and their insights were invaluable in shaping this piece. Highlights of the article include practical approaches to identifying vulnerabilities and strategies to address them from a hacker’s mindset.
My first DevCon experience was nothing short of incredible. I am deeply grateful to the Ethereum Foundation for the opportunity to attend as a DevCon SEA 2024 Scholar. The event provided a platform to learn from and engage with some of the most brilliant minds in the tech and blockchain sectors.
Having spent a significant amount of time exploring the security landscape, I’ve had the chance to audit prominent protocols, including Chainlink’s CCIP, among others. Every step of this journey in security research has been fulfilling and enriching. Attending this year’s DevCon felt like destiny, as the event had a heavy emphasis on security-focused workshops, aligning perfectly with my interests. I made it a priority to attend as many sessions as possible to deepen my understanding of this field.
Here are some of the key questions this article seeks to address:
How do top auditors approach the detection and mitigation of vulnerabilities?
Don’t get into an audit when you are exhausted. Schedule audits when you’re well-rested, and take regular breaks to maintain mental acuity.
Deep Dive into Specifications
Insight: Understanding the protocol's business logic and intended functionality is critical before looking at the code. This ensures you identify both implementation and design-level vulnerabilities.
Example: Misaligned incentives in tokenomics or flawed logic in payout structures often stem from a lack of alignment with the intended design.
Actionable Tip: Spend time reading the documentation, whitepapers, and test cases to grasp the project's goals before diving into the code.
Adopt a Layered Approach
Insight: Top auditors approach security in layers—starting with high-level risks (e.g., architectural flaws) and moving to granular details like unchecked low-level calls.
Actionable Tip: Create a checklist of categories to explore, such as access control, reentrancy, oracle dependency, token standards, and gas optimizations.
Use Diverse Tools, but Don’t Over-Rely on Them
Insight: Automated tools like Slither, Aderyn, and Echidna are great for flagging common vulnerabilities, but manual review is essential for uncovering complex logical flaws.
Actionable Tip: Use tools to cover the basics, then focus your manual review on code paths, modifiers, and error handling.
Simulate Attacks Proactively
Insight: Thinking like an attacker helps uncover vulnerabilities that static analysis tools might miss.
Example: Foundry is excellent for writing and running simulations of malicious interactions with the contract.
Actionable Tip: Write attack scripts to simulate token manipulation, reentrancy loops, or malicious input to edge cases.
Follow the Risk-to-Impact Framework
Insight: Evaluate each vulnerability based on its risk and potential impact on the protocol.
Example: While a gas optimization bug might have low risk, unchecked access control could lead to catastrophic loss.
Actionable Tip: Categorize vulnerabilities into low, medium, high, and critical severity, considering their potential exploitability.
Stay Updated with Exploits and Lessons Learned
Insight: Top auditors continuously study recent exploits and incorporate those learnings into their reviews.
Example: Events like the Curve Finance exploit highlights the importance of closely examining third-party integrations.
Actionable Tip: Maintain a personal repository or notes on exploits and apply those insights to audits.
Collaborate and Peer Review
Insight: Security audits are rarely solo endeavors. Peer reviews often uncover vulnerabilities missed by a single auditor.
Actionable Tip: Discuss findings with teammates or other auditors to validate hypotheses and gain fresh perspectives.
Trust, but Verify Developer Tests
Insight: Developers may write tests that align with their assumptions, but these may not cover edge cases or attacker scenarios.
Actionable Tip: Write additional tests using adversarial thinking to check how the contract behaves under unexpected conditions.
Document Everything
Insight: Detailed documentation helps others understand the severity of an issue, the conditions for exploitation, and possible remediations.
Actionable Tip: Follow a structured template to report vulnerabilities, including clear reproduction steps, impact analysis, and mitigation suggestions.
How can auditors cultivate an attacker's mindset to identify vulnerabilities before they are exploited?
Developing an attacker’s mindset is a skill that grows with time and deliberate practice. To excel in auditing, it’s essential to think like a hacker—a mindset that comes through experience and continuous learning.
Start by mastering the programming language you’ll work with in security reviews, such as Solidity for Ethereum smart contracts. Familiarity with the language's nuances is critical for understanding where vulnerabilities may lie.
Engage in hands-on activities like Capture the Flag (CTF) challenges, which simulate real-world hacking scenarios and hone your problem-solving abilities. Shadow audits and competitive audits provide opportunities to practice analyzing codebases under realistic conditions. These experiences teach you to anticipate the strategies an attacker might use.
Additionally, studying past audit reports from contests and leading security firms offers valuable insights into how seasoned researchers think. These reports can reveal patterns, common pitfalls, and creative ways vulnerabilities have been exploited or mitigated. Combining all these efforts helps you build a robust, attacker-focused perspective that’s essential for uncovering and addressing security flaws proactively.
What lessons can be learned from real-world exploits, and how can they inform future audits?
Smart contract exploits have provided invaluable lessons for the blockchain security community, shaping how auditors, developers, and security researchers approach vulnerabilities.By analyzing real-world exploits, auditors can identify patterns, refine their methodologies, and propose robust preventative measures.
Curio Protocol Exploit (March 2024): A $16 million loss occurred due to weak access control mechanisms. This demonstrates the necessity of implementing strong role-based access controls and regular stress testing of permissions
Hedgey Finance Breach (April 2024): This $44 million attack stemmed from vulnerabilities in the reward handling logic. Comprehensive testing and simulations are critical to avoiding similar exploits.
Woofi Breach (March 2024): Authorization check flaws enabled attackers to siphon $8.75 million. This emphasizes the importance of thorough input validation and on-chain monitoring systems to detect anomalies early
DeltaPrime Hack (September 2024): An attacker exploited weak private key security to maliciously upgrade proxy contracts, draining $6 million. This highlights the importance of multi-sig wallets, cold storage, and robust private key management, especially for upgradeable contracts
What improvements in smart contract design can prevent the recurrence of common exploits?
The prevailing approach to securing smart contracts often involves writing the code and then engaging external auditors for a code review. While this is an essential practice, it has its limitations. Most notably, it lacks ongoing security assurance, which is critical for protocols under active development.
To mitigate these challenges and enhance smart contract design, protocols should adopt the following best practices before initiating an audit:
Comprehensive Documentation: Providing thorough and well-organized documentation ensures auditors can quickly grasp the codebase and protocol flow. Clear documentation reduces misunderstandings and accelerates the identification of vulnerabilities.
Security Tooling: Utilize tools for unit testing and fuzzing to identify and address common vulnerabilities early. Writing unit tests specifically aimed at common attack vectors strengthens the code and prepares it for more in-depth reviews.
Design Reviews and Specifications: A solid protocol design minimizes vulnerabilities. By reviewing the system’s design and architecture, developers can identify weak points and better outline specifications. Clear specifications define what the code should and should not do, guiding auditors and preventing ambiguities.
Enhanced Tool Utilization: Leveraging test suites, formal verification, and automated processes through continuous integration (CI) pipelines ensures a consistent level of security. Automating audits for every pull request or commit introduces a layer of proactive vulnerability detection.
Internal Security Practices: Employing internal blockchain security auditors or developers familiar with common vulnerabilities adds another safeguard. These individuals can perform regular reviews, ensuring the protocol adheres to best practices even before external audits.
By implementing these measures, protocols set themselves up for more effective audits and stronger long-term security, helping to prevent repeat exploits and instill trust in their user base.
Conclusion
Smart contract security is a continually evolving field, where proactive measures and collaborative efforts make a significant difference. By cultivating an attacker’s mindset, leveraging comprehensive documentation, employing security tools, and embracing robust design principles, teams can substantially reduce the risk of vulnerabilities.