Auditing Smart Contracts with Epirus

Bugs in smart contracts cause problems. From the original DAO hack, to issues with Parity's multisig wallets, to smaller bugs caused by integer overflows and underflows, software errors have had real-world consequences, some of which have seriously damaged trust in the companies involved and in the Ethereum ecosystem more broadly.

Writing bug-free code in Solidity can be difficult for new developers, and even experienced blockchain engineers will still make mistakes from time to time. Vulnerabilities are often subtle, and may not be noticed before they are committed. Whilst code review and audits can be successfully used to eliminate most of these types of bugs, both are imperfect and often expensive: the former in developer time, and the latter monetarily.


The Solution

The Epirus CLI aims to make the process of smart contract development easier and more accessible for new developers, and for this reason we have integrated a smart contract static analysis tool directly into the application. Using static analysis, common mistakes such as reentrancy, unsafe arithmetic, and vulnerability to Denial of Service can be identified. Epirus can provide specific information about the features and potential vulnerabilities detected, including the relevant files and line numbers.


Demo

First of all, if you don’t have Epirus installed, you can install it by heading here.

Then, in order to test this feature on an existing smart contract, simply run:

epirus audit <filename>

Consider the following Solidity code which implements a simple crowdfunding campaign, an audit of which produces the following output:

(Screenshot: output of epirus audit for the crowdfunding contract)

Four lines of output have been generated, each representing a feature detected by the static analysis tool. The first column displays the line and character position of the detected feature, the second the severity (1 is informational, 2 is a warning, and 3 indicates a potentially critical vulnerability), the third gives details of the detected issue, and the fourth gives the identifier of the rule that was triggered.

Detections with severity 1 tend to be informational, or suggestions to follow best practices or aid readability, but items with severity 2 often require attention. Warnings with severity 3 are critical issues, and as is visible from the first row of output, the author of this contract has failed to include a method to withdraw money from the crowdfund, thus locking funds in the contract and effectively making them unusable. To fix this, a function to withdraw funds should be created.

Such a function could be implemented like so, and should be called from inside the vote function:

function payStage() internal inState(State.Funded) returns (bool) {
    // Remember the current balance so it can be restored if the payment fails.
    uint256 totalRaised = currentBalance;
    // Update the balance before the external call (checks-effects-interactions);
    // sub() is the SafeMath subtraction, so it reverts on underflow.
    currentBalance = currentBalance.sub(balancePerStage);
    if (creator.send(balancePerStage)) {
        emit CreatorPaidStage(creator);
        return true;
    } else {
        // The payment failed: restore the balance and move the campaign to Successful.
        currentBalance = totalRaised;
        state = State.Successful;
    }
    return false;
}

A fixed version of this contract can be found here. After reviewing and fixing this issue, running another audit should result in only issues with severity 1 being shown - in this instance, they are informational and not a threat to the security of the contract.


Integrate with your workflow

The Epirus audit function is useful on its own to audit contracts, however code analysis tools are often most effectively applied when integrated into the development process itself. As the audit command will return a nonzero exit code if any issues with severity higher than 1 are detected, it can easily be used in conjunction with a pre-commit git hook, or even a CI pipeline on Jenkins/Travis/etc. A future blog post will document how to integrate Epirus' auditing functionality into your development process.
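As an added example (not from the original post or from the Epirus project), here is a pre-commit hook of the kind described above: it runs epirus audit on every staged .sol file and rejects the commit if any audit exits nonzero, i.e. reports an issue with severity above 1. The EPIRUS_CMD override is an assumption of this example so the hook can be exercised without Epirus installed.

```shell
#!/bin/sh
# Pre-commit hook: audit staged Solidity files with `epirus audit` and block
# the commit if any audit exits nonzero (an issue with severity above 1).
# EPIRUS_CMD is an assumed override for testing the hook without Epirus.
EPIRUS_CMD="${EPIRUS_CMD:-epirus audit}"

# Audit each .sol file given as an argument; returns 0 only if all pass.
audit_files() {
    failed=0
    for f in "$@"; do
        case "$f" in
            *.sol) ;;
            *) continue ;;   # ignore non-Solidity files
        esac
        if ! $EPIRUS_CMD "$f"; then
            echo "epirus audit found issues with severity above 1 in $f" >&2
            failed=1
        fi
    done
    return $failed
}

# Files that are staged as added, copied or modified.
staged_files() {
    git diff --cached --name-only --diff-filter=ACM
}

main() {
    files=$(staged_files) || return 0
    [ -z "$files" ] && return 0
    # shellcheck disable=SC2086  # word splitting on the file list is intended
    audit_files $files
}

# Only run when installed as .git/hooks/pre-commit, not when sourced.
case "$0" in
    *pre-commit) main ;;
esac
```

Install it as .git/hooks/pre-commit and make it executable; a commit containing a contract with severity 2 or 3 findings is then refused until the findings are fixed.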

Smart contract auditing is provided by SmartCheck and is executed locally: no files are uploaded to any third-party servers.

Developing robust smart contracts is hard, which is why we want to provide all of the tools in Epirus to keep blockchain development as simple as possible. Did you know Epirus can also generate unit tests automatically for you and provides embedded blockchain environments? If you’re keen to learn more, head here. I promise you won’t regret it!