Solidity Development: Why You Should Avoid It?
Alongside the ongoing DeFi boom, there's been a rising demand for Solidity development services. Blockchain development firms are surfing the tide, witnessing a significant surge in their workflow. However, because the relevant processes are highly complicated and require expertise, auditing or developing a smart contract often becomes very expensive.
There is, of course, some justification for the costs, although significant optimizations are possible. First, developing a proper smart contract is not anybody's cup of tea. Besides in-depth knowledge, you need domain-specific skills and experience. Developing an Ethereum-based smart contract may cost anything between $7,500 to $45,000; some companies even charge as high as $100,000. On this note though, there’s an additional aspect to consider.
From our experience at Ulam Labs, we believe the likes of ConsenSys and Trail of Bits employ most of the top-notch Solidity developers. Naturally, good talent has its due price, which is true for open markets as well. Cheaper services come at the cost of mediocrity and simplistic code; superior skills and experience entail higher rates. Moreover, considering the nature of Solidity, cost-effective smart contract development is rather impossible, unless you compromise on quality.
Clients often request us to develop dApps on Ethereum at very tight budgets. In our view, it is never advisable to build Ethereum-based applications with inadequate resources at hand. Furthermore, the story does not end in the development phase. Because a smart contract may have potential vulnerabilities despite high development costs, there's a consistent need for proper smart contract audits. In turn, this adds another cost dimension, further incrementing the expenses. Nevertheless, auditing is of paramount importance from the perspective of blockchain security.
We are writing this article against the above backdrop, to discuss in detail the reasons why developing a smart contract and getting its security audit done is such a costly affair.
Before anything else, though, let's acquire a deeper understanding of the critical smart contract security audit process that's critical for Solidity development. For one, the overall project analysis involves several steps, including formal verification, unit tests, code analysis, security report preparation, and so on.
What is a Smart Contract Audit
A smart contract comprises lines of code and functions as a digital contract between two parties. They are the cornerstone of decentralized applications and finance, enabling automated execution based on predefined conditions. Additionally, they enhance security by immutably recording outcomes on the underlying blockchain.
However, just like any other code block, these contracts foster vulnerabilities related to bugs and the risk of consequent security lapses. A smart contract audit can remedy this, through a detailed examination and analysis of the contract's code to detect critical vulnerabilities and security risks.
The team of auditors can identify loopholes by running rigorous code tests, thereby assessing the scope for security improvements. Furthermore, auditing ensures the reliability and integrity of the contract for its users as well as the project deploying it. On the contrary, inefficient or inadequate security audits result in disastrous outcomes concerning smart contract security in particular and blockchain security in general.
Consequences of Smart Contract Flaws: A Few Examples
Users may lose millions of dollars due to a smart contract with severe security vulnerabilities. There are multiple examples, involving diverse Ethereum-based blockchain applications, where bugs in the solidity code severely affected the related financial assets.
- Lendf.me, a DeFi lending platform, lost $25 million to a Reentrancy attack in April 2020.
- Synthetix, a synthetic asset platform, lost $37 million synthetic Ether (sETH) to an oracle attack in June 2019.
- bZx, another DeFi protocol, lost $645,000 (2,388 ETH) to network manipulated hacking in February 2020.
- Parity, a smart contract coding company, lost $30 million (150,000 ETH) to a bug in a multi-signature contract in July 2017.
- The DAO attack in 2016 resulted in a $55 million (3.6 million ETH) loss and the Ethereum hard fork as a way to overcome the losses.
What are Some of Common Smart Contract Mistakes?
Having seen how devastating smart contract security vulnerabilities can be, it’s time to focus on some of the relevant security attack vectors. As such, an online registry already summarizes the common mistakes concerning smart contracts but it's too technical for most people. For your benefit, we’ll point them out in a manner that anyone can understand.
It changes the calling function of the contract’s code. Thus, a particular function gets repeatedly called before the completion of the previous function. The relevant solution for developing secured contracts is to keep a close tab on external calls and block concurrent calls in specific functions.
Cross-function Race Conditions
This happens when two functions share the same state and solutions. Consider an example where the attacker externally calls the ‘transfer’ function before setting his user balance to zero. Thus, only after making a withdrawal does he set it to zero, thereby exploiting the code.
Transaction-Order Dependence (Front Running)
Rather than breaching the code directly, such attacks manipulate transactions in a given block. In doing so, the attacker leverages the gap between a transaction's initiation and finalization, whence it remains in the mempool.
In this scenario, the hacker tampers the transaction time, taking advantage of the improper time documentation. Ethereum-based betting contracts entail these vulnerabilities the most because the network's timestamp is disconnected from a synchronized global clock.
Such manipulations occur when the unit value reaches zero or drops even below. Through such a security attack, the attacker can send ETH to a designated address without any restrictions.
How Long Does a Smart Contract Audit Take?
By now, you already have knowledge about the major smart contract security vulnerabilities and realize the need for a smart contract audit. But each project comes with a timeline and has deadlines to meet. So, the obvious question is how long a smart contract audit takes. Additionally, there can be queries about the costs involved. In this section, we’ll answer these queries.
Let's address the price factor first. In a preliminary market survey, a certain development firm quoted $300K for a security auditing. Interestingly, however, anyone who knows the nitty gritties of the procedure won't find this surprising at all. As we have already mentioned in the introduction, several factors abet the high costs. A team of auditors with the required expertise is extremely scarce. Additionally, the procedure is time-consuming, which brings us to our next point.
The primary determining factor for how long a smart contract audit will take depends on the size and complexity of the project. Auditing process of a simple token's contract may take a couple of days, whereas for a dApp with complicated tokenomics it may take a week or so. For more advanced smart contract security audits, with extensive research to rule out backdoors, it can take upto a month.
Second, the length of a smart contract security audit also depends on whether the developers' team wants an interim report or a full security audit. Generally, it is advisable to audit the release candidate (deployed smart contract) rather than the one on Github. Such practices minimize the chances of code churning and malicious last-minute showstopper bugs. They also give out a message of readiness and transparency to the community of users. Overall, this will also lead to ecosystem synergies.
Third, whether the analysis is manual or automated also plays a role in determining the audit's duration. During automatic audits, the contract code runs through bug detection software like Mythril and Slither.
On the other hand, a manual review of individual functions in the code is a time-intensive process. However, they are also more efficient as they minimize the chances of false reports. Manual code analysis effectively means a line-by-line checking of the code to help detect the hidden problems in coding logic and architecture.
Examples of Smart Contract Audits
To help illustrate all that we have said up until now, we will take the example of Trail of Bits’ audit process. This will help us understand the general practices for auditing and the necessary tests required for detecting security vulnerabilities.
To audit smart contracts properly, the auditors perform a binary auditing analysis to ensure that the code is free from backdoors. To this end, the team checks whether any unauthorized parties get administrative access while scrutinizing the bonding and transcoding protocols among participants as well. Additionally, it also verifies cryptographic algorithms and helps strengthen the overall security infrastructure through the audit. To learn more, you can also read about Uniswap and Balancer who did their security audits to check for bugs and security lapses.
There are numerous other companies that offer smart contract audits, but when deciding on your contractor, you must remember that quality comes at a price. Cutting costs on the audit, especially in Ethereum or Binance Smart Chain, can lead to severe damages to the users’ assets and in consequence the brand’s reputation and trust.
How to make Solidity development more efficient?
So far so good, but before concluding, we must state a crucial point.
The attack vectors which ultimately led to the common mistakes involving smart contracts, as discussed earlier, were all related to Ethereum blockchain applications. The Ethereum blockchain has some inherent flaws, and Solidity is the one to blame here.
However, there are some ways around this case. One would be choosing another blockchain platform that has a simpler code structure. For example, Algorand's smart contracts can be understood at the time of writing them which makes it much less prone to bugs that won't be spotted by the developers.
Another idea would be to build Solidity smart contracts with one of the reputable blockchain development companies that have a proven track record of successful smart contracts implementations or take the time to hire such experts in-house. Then, you can build the end solution with an external team that knows the ins and outs of crypto but also about end-to-end software development, from an idea, through UX/UI, to frontend and backend implementations. This unique combination allows you to develop software efficiently and never compromise on quality.
That's exactly what we're doing here, at Ulam Labs. We are a group of crypto enthusiasts that are custom software development experts. We can integrate your solution with any blockchain or build it from scratch with smart contracts using Algorand.
Have some questions? Happy to help – just connect me on chat in the corner, and let's build your fintech project!