What is an audit?

With the intent to foster the general community’s understanding of what an audit is and what expectations we should put forth, this post aims to provide a trigger for further points of view and challenging ideas (note: ideas and opinions here are solely mine).

Generally speaking, an audit is an independent assessment of a project seen through the lens of a particular concern. Examples of these concerns include security, compliance, economics, etc.

In the crypto space, audits have largely focused on security, with their primary goal being to assess correctness (with respect to a specification), as well as to identify potential vulnerabilities in implemented code. These are known as code audits.

Code audits are generally requested by project owners to assess the security quality of their code, typically as a means to convey trust to the community at large. As in any other business-to-business relationship, an audit has an agreed timeline and scope, and its findings point to specific improvements in the code, ranked according to a severity scale.

Although the definition outlined above seems straightforward, there is a growing misconception of what it means to be audited. If someone claims that project X has been audited, that is not to say that project X is secure. It simply means there exists an audit report for project X, whose findings should be carefully considered by the project’s stakeholders (developers, investors, community, etc). Hence, it is important to also define what an audit is not:

  • An audit is NOT a statement that a project is safe and free from bugs. An audit reports what has been found to be wrong with the best effort possible given the agreed scope and timeline;
  • An audit report is NOT a one-size-fits-all analysis. Rather, it is specific to the concern it targets. A code audit is not an economic audit, which in turn is not a compliance audit;
  • An audit is NOT peer-reviewed, as is generally the case with scientific papers;
  • An audit is NOT a guarantee that the code has been deployed following all the recommendations in the report.

It would be great to hear from others about their thoughts and if and how these points are in tune with their understanding :)

11 Likes

English is not my native language (working with @Gearlad), so this post is especially useful for me.

So, in a nutshell, an audit in the context of the blockchain is a security/correctness checker for the entire blockchain system. What would be an example specification? Are there any cases in which auditing refers to non-security topics in the context of blockchain?

4 Likes

Hi @Cindy. Thanks for your post and welcome to SCRF.

A code audit in the context of the blockchain is not a security check of the entire blockchain system. Rather, it is bounded by the implementation code under analysis. Let me exemplify:

  • If one is auditing a smart contract, the scope of the audit is hence bounded by that contract and the ones that it interfaces with.
  • If one is auditing a blockchain network (layer 1), the scope of the audit is bounded by the components (e.g., p2p, consensus, storage, etc) comprising the blockchain implementation and its dependencies.

As for examples of specifications, you have EIPs in the case of Ethereum (e.g., ERC20, ERC-721, etc), whitepapers (e.g., the spec of the Compound lending protocol), or any other form of documentation that auditors are pointed to by the client (e.g., internal or public-facing).

Please let me know if this explanation helps :)

5 Likes

I very much agree with @lnrdpss that auditing is the process of checking that a system is functioning according to the specifications that were designed for it.

Auditors seek any indications that resources are being misused, abused, or misappropriated. The auditing process may either be carried out manually or with software assistance.

An audit may cut across differently to many, especially those at the receiving end. To management, it is a way to validate processes, whereas to the process owner it is scrutinizing their activity.

Auditing in a blockchain environment offers a multitude of advantages. In the first place, it improves the reliability of the blockchain network as a whole.

Secondly, it contributes to the reliability and freshness of the information that is kept on the distributed ledger (blockchain).

Last but not least, it may assist in detecting and preventing possible security breaches.

The need for continuous auditing cannot be overemphasized to ensure a reasonable assurance of critical operations in line with applicable standards in the enterprise.

3 Likes

@lnrdpss thank you for your comprehensive explanation on auditing.

From your definition of auditing, you stated that an audit focuses on a particular concern of a system. I want to know, what are the financial consequences if a smart contract doesn’t undergo proper auditing?

1 Like

Thank you for your research, I really appreciate it. My contribution on

What is the value of a blockchain protocol audit?

A blockchain protocol audit ensures that the foundational layer of the whole ecosystem of smart contracts built on the blockchain is free of security vulnerabilities. Hacken offers token audit solutions for all major platforms and chains, including ERC20 audit.

This is an informative write-up @lnrdpss, and I appreciate all the content put out to keep this community rocking. Audits are definitely important and one of the first things we should look into when taking a step into crypto research. Well, I’ve got some questions and we’d be happy if answers can be provided @Larry_Bates & @zube.paul

→ Is an audit a guarantee that a crypto project will stay without failing, or is it preferable to go after projects with doxxed devs ??

→ Is AI used to edit the token codes ??

→ Thirdly, when we talk about auditing of wallets, how can you audit/verify funds in a private wallet? For example, if someone is claiming they’ve got 100 thousand Bitcoins, is message signing the only way to verify the amount, and does this work across all wallets ??

1 Like

Hi @Yeoriton56 since you haven’t gotten a response to your question yet, let me offer some help.

There are so many financial implications of not auditing a smart contract. The most outstanding implication is that an unaudited smart contract is vulnerable to exploits. This puts the funds under that smart contract at so much risk.

I will attach a comment by @Idara_Effiong that gives a wonderful insight on this subject. Hopefully, it will provide a clearer picture for you.

3 Likes

@Ulysses Thank you for your response and also the attached comment of @Idara_Effiong was really helpful too.

3 Likes

@Yeoriton56 I’m glad to know that my comment was helpful. Thanks for sharing @Ulysses

2 Likes

There are two parts in your question.

  1. Is audit a guarantee that a crypto project will stay without failing? Definitely not. Projects evolve over time, and an audit can only reflect the issues found at the time the audit was made. If issues from an audit report get fixed, but later on devs introduce new features or change the code in a careless way, with no auditing, then there is definitely a higher risk. Altogether, even if you have an audit, it goes back to my first point: “An audit is NOT a statement that a project is safe and free from bugs”.

  2. Is it preferable to go after projects with doxxed devs ??
    I think this is an extremely overloaded question and unfortunately, I don’t feel comfortable providing a silver bullet. Personally, I think having doxxed devs is not necessarily an issue. As long as one can check the code of a deployed smart contract, what’s there is what should ultimately matter.

Is AI used to edit the token codes ??

Not sure what you mean here. Sorry :(

1 Like

What are the financial consequences if a smart contract doesn’t undergo proper auditing?

Funds can be compromised (e.g. stolen or locked).

1 Like

I agree with your points about the limitations and misunderstandings of audits. It is important to recognize that an audit is not a guarantee of security or a comprehensive analysis of all potential issues, but rather a focused assessment of a specific concern based on the agreed scope and timeline.

It is also important to understand that different types of audits target different concerns and may not be interchangeable. For example, a code audit will focus on the security and reliability of the code, while an economic audit will examine the financial viability of the project.

Additionally, it is important to note that an audit report is not a peer-reviewed publication and should not be treated as such. It is important to carefully evaluate the findings and recommendations of an audit report, but it is also important to consider other sources of information and to do further research as needed.

Overall, it is important to have realistic expectations about the scope and limitations of audits, and to understand that they are just one part of a larger process for ensuring the security and reliability of a software system.

It is important to understand that an audit is not a guarantee that a crypto project will not fail. An audit is a snapshot of the project at a specific point in time, and it can only identify issues that exist at the time the audit is performed. It is important for project developers to continue to monitor and maintain the security and reliability of their code, even after an audit has been completed.

As for your question about doxxed devs, I think it is important to evaluate a project based on the quality and security of its code, rather than the personal information of the developers. However, it is also important to consider the transparency and accountability of the development team when evaluating a project.

As for your question about AI being used to edit token codes, it is possible that AI could be used to analyze and identify potential vulnerabilities in code, but it would not be able to make changes to the code itself. Ultimately, the code for a crypto project is written and maintained by human developers, who are responsible for ensuring its security and reliability.

An audit is not a guarantee that a crypto project will stay without failing. As I mentioned to @lnrdpss an audit is a snapshot of the project at a specific point in time, and it can only identify issues that exist at the time the audit is performed. It is important for project developers to continue to monitor and maintain the security and reliability of their code, even after an audit has been completed.

AI can be used to analyze code for potential vulnerabilities, but it is not currently capable of editing code itself. Human developers are responsible for writing and maintaining the code for a crypto project.

When it comes to auditing wallets, there are a few different approaches that can be used to verify the contents of a private wallet. One approach is message signing, which involves the owner of the wallet signing a message with their private key to prove that they have access to the funds in the wallet. This approach can work with most wallets, but it may not be foolproof, as there is always a possibility that the private key could be compromised or stolen.

Another approach is to use a third-party service to audit the contents of the wallet. This can involve providing the wallet address and relevant transaction history to the service, which can then verify the balance and transaction history of the wallet. However, this approach may not be feasible for all wallets, depending on the privacy and security features of the wallet software.

Overall, it is important to be cautious when verifying the contents of a private wallet, and to use a combination of different approaches to ensure the accuracy and integrity of the information.

1 Like