Whether you are a smart contract developer yourself or just read the news, you're almost certainly aware of the urgent need for security in crypto. Just this week, an exchange in South Korea was hacked, impacting the price of coins across the board as investors worried about the security of exchanges holding their own tokens.
One of the most important security tools at our disposal is smart contract auditing. There's resounding agreement among developers that auditing smart contracts is essential. However, there are no standards yet about what we mean when we say "smart contract audit." Many standards exist around what a traditional penetration test audit should look like – from the itemization of targets to the enumeration of vulnerabilities. It's time to develop the same for smart contracts.
There is some informal consensus among auditors about best practices. A smart contract audit should detail aspects of the code that may lead to potential issues and provide guidance to ensure the smart contract is indeed secure from known risks. Auditors ideally evaluate whether the contract is vulnerable to any known exploits, provide details about these vulnerabilities, and offer suggestions for hardening the relevant code.
Informal consensus among industry insiders is a fantastic start – but we can do better. Without standardization in this space, we won't get much further than a series of disaffiliated rough ideas of what an audit standard looks like. Clarity will benefit us as auditors, and provide much needed transparency to organizations seeking audits.
Some players in this space may attempt to establish their own standard and have others adopt it, which isn't as useful as building standards together as a community. And worse, if we don't self-organize then we run the risk of government bodies attempting to create regulations for us.
In the spirit of decentralization and reaching consensus, over the next few weeks we will work together with other forward-thinking auditing companies in order to establish an organization that can reach an open standard on smart contract security. Responsible stewardship of this space should be led by us (the community of auditors) rather than externally imposed by regulators.
We applaud groups like ETH.Security that have taken the lead on structuring this process. We hope that their endeavors in standardizing the resources provided to auditors by requesting companies will have a ripple effect in the space. Projects like DASP from NCC Group further this, driving us towards some level of standardization for vulnerability classification. Advances have been made, but we cannot wait for another large-scale hack before we come together to take action.
Moreover, we cannot wait for larger standards bodies to lead this. These organizations take years to establish standards, creating a lengthy process of adoption for what should be included, who can participate, and how the space can be regulated. Driven largely by vast corporate sponsorships or government entities, these organizations often exclude smaller players in the space. While this structure works for many, in a space that can so drastically shift and change momentum in weeks, not years, it's likely the standards proposed would be outdated by the time they reached any larger body.
We look forward to working with like-minded practitioners to establish standards emphasizing security, transparency, and responsibility to our clients and the community.
If you're interested in joining us on this journey, reach out to [email protected]