Smart Contract Audits: Why are They So Expensive?
August 5, 2021
Alongside the ongoing DeFi boom, there has been rising demand for smart contract audit and development services. Blockchain development firms are riding the wave and seeing a significant surge in their workload. However, because the processes involved are highly complex and require real expertise, auditing or developing a smart contract is often very expensive.
There is, of course, some justification for the costs, although significant optimizations are possible. First, developing a proper smart contract is not anybody's cup of tea. Besides in-depth knowledge, you need domain-specific skills and experience. Developing an Ethereum-based smart contract may cost anywhere between $7,500 and $45,000; some companies charge as much as $100,000. On this note, though, there's an additional aspect to consider.
From our experience at Ulam Labs, we believe the likes of ConsenSys and Trail of Bits employ most of the top-notch smart contract developers for Ethereum. Naturally, good talent has its due price, which is true for open markets as well. Cheaper services come at the cost of mediocrity and simplistic code; superior skills and experience entail higher rates. Moreover, considering the nature of Solidity, cost-effective smart contract development is rather impossible, unless you compromise on quality.
Clients often ask us to develop dApps on Ethereum on very tight budgets. In our view, it is never advisable to build Ethereum-based applications with inadequate resources at hand. Furthermore, the story does not end with the development phase. Because a smart contract may still contain vulnerabilities despite high development costs, there is a consistent need for proper smart contract audits. In turn, this adds another cost dimension, further increasing the expenses. Nevertheless, auditing is of paramount importance from the perspective of blockchain security.
We are writing this article against the above backdrop, to discuss in detail the reasons why developing a smart contract and getting its security audit done is such a costly affair.
Before anything else, though, let's acquire a deeper understanding of the critical smart contract security audit process. For one, the overall project analysis involves several steps, including formal verification, unit tests, code analysis, security report preparation, and so on.
A smart contract consists of lines of code and functions as a digital contract between two parties. Smart contracts are the cornerstone of decentralized applications and finance, enabling automated execution based on predefined conditions. Additionally, they enhance security by immutably recording outcomes on the underlying blockchain.
However, just like any other block of code, these contracts can harbour bugs and the security lapses that follow from them. A smart contract audit can remedy this through a detailed examination and analysis of the contract's code to detect critical vulnerabilities and security risks.
The team of auditors can identify loopholes by running rigorous code tests, thereby assessing the scope for security improvements. Furthermore, auditing ensures the reliability and integrity of the contract for its users as well as for the project deploying it. Conversely, inefficient or inadequate security audits lead to disastrous outcomes for smart contract security in particular and blockchain security in general.
Users may lose millions of dollars to a smart contract with severe security vulnerabilities. There are multiple examples, involving diverse Ethereum-based blockchain applications, where bugs in the Solidity code severely affected the related financial assets.
- Lendf.me, a DeFi lending platform, lost $25 million to a Reentrancy attack in April 2020.
- Synthetix, a synthetic asset platform, lost $37 million in synthetic Ether (sETH) to an oracle attack in June 2019.
- bZx, another DeFi protocol, lost $645,000 (2,388 ETH) to a network manipulation attack in February 2020.
- Parity, a smart contract coding company, lost $30 million (150,000 ETH) to a bug in a multi-signature contract in July 2017.
- The DAO attack in 2016 resulted in a $55 million (3.6 million ETH) loss and the Ethereum hard fork as a way to overcome the losses.
Having seen how devastating smart contract security vulnerabilities can be, it's time to focus on some of the relevant attack vectors. An online registry already summarizes the common mistakes concerning smart contracts, but it is too technical for most people. For your benefit, we'll point them out in a manner that anyone can understand.
Reentrancy changes the calling flow of the contract's code: a particular function gets called again before the previous invocation has completed. The relevant solution for developing secure contracts is to keep a close tab on external calls and to block concurrent calls into specific functions.
A related problem arises when two functions share the same state. Consider an example where the attacker externally calls the 'transfer' function before the contract sets his user balance to zero. The balance is only set to zero after the withdrawal has gone through, and that gap is what the attacker exploits.
Rather than breaching the code directly, some attacks manipulate the ordering of transactions in a given block. In doing so, the attacker leverages the gap between a transaction's initiation and its finalization, during which it sits in the mempool.
Other attacks tamper with the transaction time, taking advantage of how unreliably block time is recorded. Ethereum-based betting contracts suffer from these vulnerabilities the most because the network's timestamp is not tied to a synchronized global clock.
Arithmetic manipulations occur when an unsigned integer (uint) value reaches zero or is pushed even below it, wrapping around. Through such an attack, the attacker can send ETH to a designated address without any restrictions.
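To make the reentrancy and integer wrap-around problems above concrete, here is an added example (not code from the article or from any audited project): a minimal Solidity vault written first with both defects and then in a hardened form that checks the balance, updates state before the external call, and blocks re-entrant calls with a simple mutex. The contract names and the `unchecked` block used to mirror pre-0.8 arithmetic are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault illustrating the two defects described above.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Defect 1: the external call is made BEFORE the balance is reduced, so a
    // contract receiving the ETH can call withdraw() again (reentrancy) while
    // its recorded balance is still intact.
    // Defect 2: no balance check; with pre-0.8 semantics (mirrored here by
    // `unchecked`) the subtraction wraps past zero to a huge uint256 instead
    // of reverting.
    function withdraw(uint256 amount) external {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        unchecked { balances[msg.sender] -= amount; }
    }
}

// Hardened form of the same vault.
contract HardenedVault {
    mapping(address => uint256) public balances;
    bool private locked; // mutex that blocks concurrent (re-entrant) calls

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: validate, update state, then interact.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // rules out wrap-around
        balances[msg.sender] -= amount;                                  // effect before the call
        (bool ok, ) = msg.sender.call{value: amount}("");                // interaction last
        require(ok, "transfer failed");
    }
}
```

With the 0.8 compiler the checked arithmetic alone would already revert the underflow; the explicit `require` keeps the intent visible to an auditor and gives a clear error message.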
By now, you know the major smart contract security vulnerabilities and realize the need for a smart contract audit. But each project comes with a timeline and has deadlines to meet. So the obvious question is how long a smart contract audit takes. There are also questions about the costs involved. In this section, we'll answer both.
Let's address the price factor first. In a preliminary market survey, a certain development firm quoted $300K for a security audit. Interestingly, anyone who knows the nitty-gritty of the procedure won't find this surprising at all. As we mentioned in the introduction, several factors contribute to the high costs. Auditors with the required expertise are extremely scarce. Additionally, the procedure is time-consuming, which brings us to our next point.
The primary factor determining how long a smart contract audit takes is the size and complexity of the project. Auditing a simple token contract may take a couple of days, whereas a dApp with complicated tokenomics may take a week or so. More advanced smart contract security audits, with extensive research to rule out backdoors, can take up to a month.
Second, the length of a smart contract security audit also depends on whether the development team wants an interim report or a full security audit. Generally, it is advisable to audit the release candidate (the deployed smart contract) rather than the version on GitHub. Such practices minimize the chances of code churn and malicious last-minute showstopper bugs. They also send a message of readiness and transparency to the community of users. Overall, this also leads to ecosystem synergies.
Third, whether the analysis is manual or automated also plays a role in determining the audit's duration. In automated audits, the contract code is run through bug detection software such as Mythril and Slither.
A manual review of the individual functions in the code, on the other hand, is a time-intensive process. However, manual reviews are also more effective, as they minimize the chances of false reports. Manual code analysis effectively means line-by-line checking of the code to detect hidden problems in the coding logic and architecture.
To help illustrate all that we have said up until now, we will take the example of Trail of Bits’ audit process. This will help us understand the general practices for auditing and the necessary tests required for detecting security vulnerabilities.
To audit smart contracts properly, the auditors perform a binary audit analysis to ensure that the code is free from backdoors. To this end, the team checks whether any unauthorized parties can gain administrative access, while also scrutinizing the bonding and transcoding protocols among participants. Additionally, it verifies the cryptographic algorithms and helps strengthen the overall security infrastructure through the audit. To learn more, you can also read about Uniswap and Balancer, which had security audits done to check for bugs and security lapses.
So much for understanding smart contract audits. Now, before concluding, let us consider the best companies for getting your smart contract audited. Besides Trail of Bits, whom we mentioned earlier, there's ConsenSys.
Both of these firms perform smart contract audits for the Ethereum network, working with 100+ companies and almost 10,000 analyses per month. They have cutting-edge security analysis tools and a team of veteran auditors. Most importantly, ConsenSys Diligence helps avoid errors by integrating its tools into the code's environment for continuous analysis.
Dapp.org is another smart contract audit company, focused on the research and development of secure smart contracts. They were the ones behind the Uniswap and Mooniswap smart contract audits. However, none of them are able to deal with the aspect of high costs, due to Ethereum's inherent shortcomings.
There are numerous other companies that offer smart contract audits, but when deciding on your contractor, you must remember that quality comes at a price. Cutting costs on the audit, especially on Ethereum or Binance Smart Chain, can lead to severe damage to the users' assets and, in consequence, to the brand's reputation and trust.
A Final Suggestion
So far so good, but before concluding, we must state a crucial point.
The attack vectors behind the common smart contract mistakes discussed earlier all related to Ethereum blockchain applications. The Ethereum blockchain has some inherent flaws, which are to blame here.
On the other hand, Algorand smart contracts are way more sophisticated and immune to errors. On any given day, it is a far better choice for blockchain security solutions.
Ulam Labs is the official development partner of Algorand for building layer-1 smart contracts (ASC1). Due to their robust code, these smart contracts are less prone to bugs and security errors. The process of developing and auditing smart contracts on this forkless blockchain is much simpler. Moreover, Algorand’s instant block finality makes transactions faster and cheaper while its Pure-Proof-of-Stake (PoS) consensus mechanism enhances scalability.
In all, Algorand provides the foundation for simple, cost-efficient, and sustainable blockchain applications of the future. Blockchain technology platforms like Ethereum and Binance Smart Chain may have become popular for now, but are not conducive to secure smart contract development and audits. Plus, they entail high costs in all aspects.
Looking to audit your smart contracts? Let's talk! Fill in our contact form and join us in the march towards the future.