Smart contracts occupy a unique niche in software development. They are small, immutable, publicly visible, run on decentralized nodes, and handle user funds.
The ecosystem of smart contracts is rapidly evolving, bringing new development tools, practices, and vulnerabilities. Security weaknesses in smart contracts often lead to immediate financial losses, necessitating the fast-paced evolution of smart contract security.
Once deployed, smart contracts are often difficult to update. Therefore, thorough analysis and checks are essential before they go live on the blockchain to mitigate potential exploits and provide quick response mechanisms for threats.
This article focuses on the Tezos network, covering topics such as the LIGO language, liquid proof of stake (LPoS), gas issues, and the unique aspects of the “Tezos way.” While some blockchains share similar approaches, others, like Ethereum or Solana, face unique threats not covered here.
Auditing smart contracts requires different tactics than auditing traditional software; we discuss them in this post.

Understanding Smart Contracts

In simple terms, a smart contract is code stored on a blockchain. A contract can be thought of as a state machine with storage (state) consisting of various data fields. Users invoke a contract by providing specific parameters; the contract executes with them, resulting in either a failure or a new state. The contract’s source code determines what is stored and accepted.
In Tezos, transactions or operations are used for invocations and parameter passing. A user creates a transaction with arguments to the contract’s address, which goes into the transaction pool. Bakers (similar to miners in other blockchains) select transactions to create the next block. If the transaction invokes a contract, the baker executes the code, obtains new storage, and embeds it into the block. Other nodes then validate the operation by executing the same contract with the same parameters.

Interaction with Other Contracts

A contract can generate a list of operations, including calls to other contracts, creating new operations. In Tezos, these operations form a queue, unlike Ethereum’s stack-based approach, making reentrancy attacks harder. If one contract fails, the entire operation fails, ensuring atomic contract executions.
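The queue ordering and all-or-nothing behavior described above can be seen in a small simulation. This is an added example, not code from the article or from Tezos: the vault and client contracts, their entry points, and `run_operation` are hypothetical, and the model is deliberately simplified.

```python
from collections import deque

# Constructed toy model, not Tezos node code. An entry point is a pure function
# (storage, sender, arg) -> (new_storage, emitted_operations); an operation is
# a tuple (sender, target, entry_point, arg).

def vault_withdraw(storage, sender, _arg):
    amount = storage["balances"].get(sender, 0)
    if amount == 0:
        raise RuntimeError("nothing to withdraw")
    balances = {**storage["balances"], sender: 0}
    # The payout is only emitted here; it runs after this entry point returns.
    return {"balances": balances}, [("vault", sender, "receive", amount)]

def client_receive(storage, _sender, amount):
    new_storage = {**storage, "received": storage["received"] + amount}
    # A re-entering client calls withdraw again from its receive entry point.
    ops = [("client", "vault", "withdraw", None)] if storage["reenter"] else []
    return new_storage, ops

CONTRACTS = {"vault": {"withdraw": vault_withdraw},
             "client": {"receive": client_receive}}

def initial_state(reenter):
    return {"vault": {"balances": {"client": 10}},
            "client": {"received": 0, "reenter": reenter}}

def run_operation(state, first_op):
    """Apply one top-level operation; return (resulting_state, succeeded)."""
    work = dict(state)                    # scratch copy: commit all or nothing
    queue = deque([first_op])
    try:
        while queue:
            sender, target, entry, arg = queue.popleft()
            work[target], emitted = CONTRACTS[target][entry](work[target], sender, arg)
            queue.extend(emitted)         # emitted calls wait behind queued ones
    except RuntimeError:
        return state, False               # one failure discards every change
    return work, True

if __name__ == "__main__":
    call = ("client", "vault", "withdraw", None)
    for reenter in (False, True):
        final, ok = run_operation(initial_state(reenter), call)
        print(reenter, ok, final["vault"]["balances"], final["client"]["received"])
```

Because the vault's new storage is in place before the payout operation runs, the second `withdraw` sees a zero balance and fails, and that failure discards the whole operation, including the first payout.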

Accounts

Tezos has implicit and originated accounts, both with unique addresses and balances. Implicit accounts, created from key pairs, transfer and store user assets, while originated accounts are smart contracts that can receive Tez (XTZ, Tezos’ native cryptocurrency). Smart contracts cannot securely store private keys; instead, the consensus mechanism protects their assets by ensuring transaction authenticity across validating nodes.

Fees

Tezos users pay storage and gas fees. Gas, a unit of contract execution, is consumed by operations like instruction execution, data serialization, and type checking. The total fee is based on consumed gas and storage. Transactions and blocks have gas limits to prevent infinite loops and ensure quick block creation. Users choose fees based on their willingness to pay, and bakers select transactions to maximize block content.

Other Tokens and FA Standards

Tezos uses Tez (XTZ) as its sole cryptocurrency, but other tokens exist as smart contracts tracking user accounts.

Smart Contract Security Audit Process

Smart contract security auditing, unlike that of traditional software, is still evolving rapidly, with emerging security standards and best practices. Good examples include the Smart Contract Security Verification Standard (SCSVS), the Tezos security assessment checklist, and the Tezos security baseline checking framework.
Smart contracts share similarities with distributed applications but have unique threat vectors, such as malicious bakers or gas exhaustion. Despite not storing private data, they handle sensitive information like signatures, administrator addresses, and user balances.
The security review process involves several steps:
- General Risk Model Clarification: Formulating risks and threat vectors affecting contract consistency.
- Research of Domain Issues: Studying recent vulnerabilities, mitigations, and tools to stay updated.
- Design and Use Case Review: Analyzing contract behavior, entry points, and interactions to identify design flaws.
- Cryptographic Design Review: Verifying cryptographic primitives and their implementation for desired security properties.
- Security Review of Controls: Testing for reentrancy, replay attacks, gas exhaustion, denial of service, unhandled edge cases, and blind spots.
- Surrounding Infrastructure Review: Examining tests, CI/CD pipelines, dependency management, and supply chain issues.
- Operational Security: Assessing deploy procedures, logging, and centralization issues (e.g., the administrator’s opsec).
Experience in building, auditing, and improving security/cryptography within cryptocurrency protocols, nodes, wallets, and bridges emphasizes the importance of focusing on the smart contract’s code, infrastructure, and data flow:
- Test Coverage: Ensuring tests cover all major use cases and edge cases.
- Deployment: Reviewing deployment procedures for potential vulnerabilities.
- Key Management: Assessing key infrastructure, storage, and management procedures.
- Contract Interactions: Analyzing interactions to prevent forced actions through other contracts.
- Life Cycle: Establishing migration procedures and updating strategies.
- Emergency Situations: Implementing rapid response mechanisms to handle bugs, exploits, and key leakage, and ensuring such scenarios are tested.
The audit process involves working closely with developers, providing detailed issue lists and correction advice to improve security, code quality, maintenance, user experience, and compliance with specifications. Highlighting deficiencies is not enough; investing in solutions to fix problems effectively is crucial.

