A smart contract audit is a review of code by experts to determine whether it is secure: whether it contains existing vulnerabilities, potential for future bugs, or coding errors that could expose users.
With the complexity of a new programming environment, it is possible for even expert developers to make mistakes when writing code. It becomes critical to verify correctness using unit testing and tooling validation.
The audit, performed against standards and protocols such as the Solidified Verification Standard and Quantstamp, takes place before the code is deployed on Ethereum, so it increases the security of both individual projects and the wider ecosystem and helps prevent hacks.
Although an audit cannot guarantee that the code is 100 percent secure, the experts reviewing it can find problems, highlight critical issues that need to be checked and improved, and suggest improvements to the code that strengthen the security of the cryptocurrency.
Here is a list of smart contract auditing companies:
1. New Alchemy
New Alchemy is a strategy and technology advisory company that specializes in tokenization. It provides a range of services to companies that want to launch ICOs, including C-level strategy, smart contract development, project management, token game theory, auditing and marketing services.
The company is based in Seattle, WA and was founded in 2016 by early Bitcoin innovator Peter Vessenes and therefore has a good understanding of cryptocurrencies and token processes and technologies.
The company has provided audits to some of the most innovative companies in the cryptocurrency scene.
2. Solidified.io
Solidified.io is a crowdsourced auditing platform where any developer can submit code for a comprehensive quality review by a community of qualified and certified experts. The code is analyzed for intended behavior, security, Solidity construct usage, best practices and more.
The reviewers include blockchain veterans who themselves co-founded early protocols, and Solidity programmers from the finance industry who understand its specifics.
The company also accepts applications to become a reviewer. A crowdsourced audit has some benefits, including ensuring that the audit is unbiased, reputable and verified by multiple independent reviewers.
Anyone can upload a contract by dragging and dropping the files, filling out the Spec of Intended Behavior and providing their testing history. The submitter then pays and sets the rewards using an escrow, and the expert review takes place. The review takes about 48 hours, depending on the complexity of the code.
The experts review the code against the Solidified Verification Standard, which assigns a score to the contract and reports Critical, Major and Minor bugs. The escrow (bounty payout) is released when the developer confirms the claims and acknowledges an issue. There is a seven-day grace period during which the owner can contest findings through a community-based Dispute Resolution process if there is disagreement.
The developer then incorporates the feedback by fixing the code, and the expert reviews the change set and gives the contract a Solidified stamp.
3. Coinfabrik
Coinfabrik helps firms with smart contract development, Hyperledger development, private blockchain development, supply chain blockchain development, wallet protection, loan data sharing, and building safe and reliable crypto exchanges, in addition to smart contract audits.
The company has more than 20 years of experience building and reviewing security applications.
They have, for instance, built back-end infrastructure for Monero and Zcash, among eight other cryptocurrencies. They also built the wallet back-end and infrastructure for Jaxx Wallet.
They have also performed anti-fraud detection for Sig3, a multi-signature wallet, and added elliptic curve support to OpenPGP.js for the CryptoKit platform.
The team hails from information security fields with some having experience of working in the industry from as early as 1994.
4. Zeppelin
Zeppelin reviews code and produces a report on the quality of a company's code; the results are published online, as is also the case with New Alchemy.
More than $450 million has been raised through smart contracts they have audited. They have audited the likes of BitClave and the Global Messaging Token by Mercury Protocol.
Zeppelin uses industry-standard security patterns and best practices. Those intending to build secure smart contracts can use the company's OpenZeppelin standard framework for secure smart contract development to reduce vulnerabilities.
The company also has Coral, a platform that users can use to sell tokens securely to anyone around the world.
5. Token Market
Token Market provides a complete set of token launch services, including creating tokens, developing and auditing smart contracts, and hosting crowd-sales, among others.
It also works more or less like Solidified.io, in that problems are posted along with a bounty for a verified solution. Users then collaborate to solve the identified problems and share the results and rewards. The submissions are added to the Matryx library and marketplace for future purchase. This collaboration drives research and innovation.
They use standards such as the Solidity safety checklist on the ethereum.stackexchange.com wiki to check code safety. This is a collection of information from the crypto community about preventing potential attack vectors and pitfalls in smart contract programming.
They also use other techniques, such as the SafeMath library.
Their tools include a static code analyzer for the Solidity language, which reports and flags issues that need manual checking and verification.
They check the application's logic for backdoors and for discrepancies from the declared behavior. They employ teams whose members hold academic degrees in code analysis. They have a host of clients, and you can read some of their audit examples here.
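As an added illustration (not code from any of the companies above), the kind of finding the SafeMath library addresses: in Solidity compilers before 0.8, unsigned arithmetic wraps silently, so the unguarded token transfer below lets a balance underflow, while the guarded version reverts instead. The contract names and the minimal SafeMath library are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;  // pre-0.8 compiler: arithmetic wraps unless explicitly guarded

// Minimal SafeMath in the style of the widely used library (written for this example).
library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction underflow");
        return a - b;
    }
}

// Before: what an auditor flags. A sender whose balance is smaller than
// `amount` does not fail; the subtraction wraps to a huge balance.
contract UnsafeToken {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1000; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;  // no check: underflows silently
        balanceOf[to] += amount;          // no check: can overflow
    }
}

// After: every arithmetic step is guarded, so a bad transfer reverts
// and state is left unchanged.
contract SafeToken {
    using SafeMath for uint256;
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1000; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] = balanceOf[msg.sender].sub(amount);  // reverts if amount > balance
        balanceOf[to] = balanceOf[to].add(amount);                  // reverts on overflow
    }
}
```

From Solidity 0.8 onward the compiler inserts the same overflow and underflow checks by default, so an auditor reviewing newer code looks for `unchecked { ... }` blocks instead.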
6. Experfy
Experfy is a freelancing platform that brings together clients and experts in smart contract auditing. The experts include MIT professors and former Google employees. They call the team of experts a "deep candidate pool" built through rigorous screening. It performs rigorous independent reviews and audits of smart contracts.
They first check the customer's contract against a library of known issues seen in dozens of reviews or reported elsewhere. They then check the logic for security issues. Finally, they check the impact of the contract on the entire network and perform a gas analysis to ensure users are not exposed to unnecessary Ethereum transaction fees.
They also provide clients with a detailed audit report as a certification of the contract.
7. Miranz
Miranz is based in the USA, Europe and several Asian countries. It brings together a team of professionals who collaborate to offer various services, including blockchain-related services such as auditing and blockchain smart contract development (the others are web and mobile application services).
The company develops crowd-sale and token contracts. The audit uses a variety of testing approaches to determine and address security needs. The company has also developed a flagship application for auditing smart contracts and ICOs. The experts work in collaboration to identify and eliminate vulnerabilities.
8. Code Context
Code Context was founded by Adria Massanet, an IT professional with more than 18 years of experience in security, cryptography and digital identity software development.
He has not only developed requirements for building security software and operations, but also does threat modeling and reviews designs and code for threat mitigation.
He is the freelance application security engineer at Code Context and has reviewed Solidity code for well-known crypto projects such as SkinCoin, STOX, Maker DAO, Streamr and Sharpe Capital. He has also done the security design of an IoT smart lock (under NDA).
See further details on his expertise here.
9. HighTechBlock
HighTechBlock helps clients build next-generation blockchain and cryptocurrency products, including launching tokens, developing blockchain applications and launching other fintech products. They did not offer smart contract audits until last year, and now do so on demand.
Other companies helping with smart contract audits include Hosho, which performs penetration testing and bug bounties to identify bugs in the system and checks whether the contracts operate as intended.
Another is Practical Assurance, which applies a number of techniques and analyses to minimize the risk of logic errors or vulnerabilities. The company combines smart contract audits with an ICO Security Audit to validate the maturity of the organization and give investors confidence.