With the rapid development of blockchain technology and applications, vulnerabilities in smart contracts have begun to surface frequently. Since September 2017, each vulnerability outbreak has caused large financial losses. This has led some blockchain developers, smart contract developers and users to seriously doubt the security of smart contracts, and it greatly hinders the development of blockchain.
Smart Contract Automated Audit
First, consider the current state of smart contracts. According to statistics from the Bitan audit team, there are now 4.61 million smart contract audit services, and the number maintains a steady daily growth rate. Current auditing methods include manual offensive and defensive audits and automated audits.
Given the sheer number of smart contracts, the best approach is to reduce the burden of manual auditing by carrying out more of the audit automatically. Some smart contract security companies on the market have also launched their own automated security auditing platforms, so today we introduce smart contract automated auditing.
Bitan divides automated auditing into three parts:
- Feature code matching;
- Automated auditing based on formal verification;
- Automated auditing based on symbolic execution and symbolic abstraction.
1. Feature code matching
The first is feature code matching. As the name suggests, it extracts and abstracts malicious code. As with the static code detection we did before, the samples are abstracted into semantic matching patterns, which are then matched against the static source code.
The advantages of this auditing method are obvious. First, it is very fast, because it is string matching on the source code. Second, it can respond quickly to new vulnerabilities, because most of this auditing method is developed in the form of plug-ins: when a new vulnerability appears, new matching patterns can be submitted quickly.
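The plug-in style of pattern matching described above, as an added example that is not Bitan's code: each rule is a regular expression registered under an assumed rule id, and the three rules shown are illustrative patterns for widely documented Solidity code smells, not a rule set taken from this article. The sample contract is constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    column: int
    text: str

RULES = {}  # rule id -> compiled pattern; each entry acts as one "plug-in"

def register(rule_id, pattern):
    """Add a new matching pattern without touching the scanner itself."""
    RULES[rule_id] = re.compile(pattern)

# Illustrative rules (assumed set, not from the article).
register("tx-origin-auth", r"\btx\.origin\b")
register("low-level-call-value", r"\.call\.value\s*\(|\.call\s*\{\s*value\s*:")
register("timestamp-dependence", r"\b(block\.timestamp|now)\b")

def strip_line_comment(line):
    """Drop a trailing // comment so commented-out code is not reported."""
    return line.split("//", 1)[0]

def scan(source):
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_line_comment(raw)
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(code):
                findings.append(Finding(rule_id, lineno, m.start() + 1, raw.strip()))
    return findings

# Constructed sample contract, for demonstration only.
SAMPLE = """\
pragma solidity ^0.4.24;
contract Wallet {
    address owner;
    function withdraw(uint amount) public {
        require(tx.origin == owner); // authorization by tx.origin
        msg.sender.call.value(amount)();
    }
    // uint deadline = now + 1 days;
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line}:{f.column} {f.rule}: {f.text}")
```

Covering a newly reported pattern is a single `register(...)` call, and each finding carries a line and column so it can be located in the source.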
2. Automated Auditing Based on Formal Verification
This approach uses formal verification to audit the security of smart contracts: some of the compiled EVM OPCODEs are converted into a formal model through a specific description language, and verification of the formal model then determines whether there is a problem with the logic in the code.
3. Automated auditing based on symbolic execution and symbolic abstraction
The findings reported by automated auditing based on symbolic execution and symbolic abstraction still require manual secondary confirmation, which is very cumbersome.
What conditions should an excellent smart contract automated audit system meet?
1) Automation
The security audit of smart contracts should be fully automatic, or at least semi-automatic: the user uploads the contract source code or provides the token address of the smart contract, and the system automatically scans the security of the contract. It can also be configured for periodic scheduling (such as monthly or half-yearly) so that audits run automatically as needed.
2) No risk
The security audit of smart contracts must not break or modify the functionality of the original contract.
3) Accuracy
The security audit of smart contracts must have a low false positive rate.
4) High efficiency
The security audit of smart contracts must be efficient; that is, the audit time should not be too long, and the sooner the better.
Only when the above 4 points are achieved can a system be a basically qualified smart contract automated audit system. In addition, for a smart contract security audit to be more professional and better, Bitan has summarized the following four requirements:
1. Easy to expand;
2. The system manages the current standard specifications for smart contracts, so that users can upload and download standard specifications in the system for reference;
3. The operating experience of the system is better; for example:
   1. A wizard can be used to guide users through the functional operation of the system.
   2. Industry classification and manufacturer classification of user-defined contracts are available.
   3. The security problems found by the audit can be located by line and column, and the system can at least provide a suggested correction for each problem. Automatic correction is better still; with automatic correction, the system should also provide a version that retains the original content so that changes can be rolled back and compared.
4. Show rich reports on security audit results.
There is a long way to go in protecting the security of the blockchain. Bitan audit has been rooted in this field for many years and has a very rich theoretical foundation and practical experience. Bitan will continue to publish updates. You are welcome to leave a message, discuss and make progress together.