How to Audit DeFi contracts like a Pro!
In recent years Defi has become famous and obviously, there is no doubt it will also rule the future.
But what about security?
DeFi is a place where a lot of funds are involved and transactions will happen. so we must ensure the security of the defi project, otherwise, users' funds will be at risk.
Today we will be looking into the things that have to be noted when auditing defi contracts.
What is DeFi?
In Centralized finance there will be an intermediary like banks and other financial institutions will be there, but in Defi(Decentralized Finance) there will be no intermediaries and payments will be peer-to-peer. Basically, Defi will eliminate the intermediaries like banks and other financial institutions.
what are all the things to note when doing a DeFi audit:
1) address(this).balance
represents the current balance of the contract in Wei, and it does not include the value of the Ether that is being sent with the current function call (which is stored in msg.value
).
If you are doing any logic or arithmetic with the balance of the contract and you want to include the value of the Ether that is being sent with the current function call, you need to add msg.value
to address(this).balance
. This will give you the correct balance of the contract after the Ether has been received.
If you do not include msg.value
when doing arithmetic with the balance of the contract, you may end up with incorrect results. For example, if you want to calculate the percentage of the contract's balance that is being sent by the caller, you would need to add msg.value
to address(this).balance
before doing the calculation, otherwise, the result would be incorrect.
2) Most of the problems, I would say over 90%, in contracts happen due to the lack of checks. Check for function inputs, access, token/contract, and requirements.
3) Check if the contract updates after the transaction or before. If it updates after transferring there is a possibility for a reentrancy attack.
4) Check the return values of the function. In most cases, the return values can be passed as an argument to another function and that will create potential vulnerabilities.
When doing manual audits you may miss some vulnerabilities and that is where tools come into play. Tools like Echidna and foundry can fuzz and can find edge cases also.
By saying so, we are also planning to release our own automated tool for smart contract auditing.
You just have to upload your smart contracts as a zip file and the rest of the things would be taken care of by our tool.
That’s it…see you soon with another great article.