Adventures in Blockchain: A Quick ERC20 Smart Contract Audit



As we continue to plunge further into the rabbit hole of Ethereum and smart contracts, the importance of smart contract security is becoming increasingly apparent.

But how can we account for such a thing?

After all, these contracts can be complex, at best - and assessing whether something is functioning correctly or not often requires having some sort of higher level of knowledge of what the smart contract in question was designed to do (i.e., we can only say that "draining the contract" is a 'vulnerability' if we can be certain that this action was not in the developer's original intentions).

This report won't be able to answer / address any and all concerns that users have regarding ERC20 tokens, but the information conveyed within should help (hopefully).

Open Source Auditing Tools

Within (and outside of) the Ethereum ecosystem, there is no shortage of tools that can be leveraged to gain more insight on various smart contracts.

However, as you probably guessed, not all tools are built the same.

We must be able to parse the difference between tools along several dimensions:

  1. Whether the tool provides an actual assessment of the smart contract in question.
  2. Graphical interface vs. command line.
  3. Open source vs. paid (we're almost always going to go for the former for obvious reasons; I'm assuming that whoever is reading this doesn't have an unlimited warchest to kick out on smart contract audits).
  4. Amount of initial setup: certain tools require a lot of setup to deploy, while others are simple 'point and click' installations with intuitive, graphically guided instructions that walk users through the audit process.
  5. Quality of audit, which is absolutely another point of analysis that must be taken into account before opting for any given solution.

Don't let this process stress you out. At the end of the day, there are plenty of solutions out there that users can choose from that are free, intuitively easy (to a large extent), and fairly high level in terms of the analysis that's provided.

In the next section, we're going to look at one tool in particular that appears to show a lot of promise as far as becoming a viable solution / fixture for us for smart contract analysis (just one of many possibilities that we will be exploring over the coming days and weeks in the blockchain space!).

Sooho: Open Source Contract Analysis Tool

Above, a screenshot of the organization's GitHub page (located here: https://github.com/soohoio/sooho)

Per the GitHub, the project states that it is:

"Toolbox for auditing and patching vulnerabilities in smart contracts."

Seems simple enough. Let's take a look at the relevant instructions (all combined into a quasi-shell script for those that are looking to experiment directly with this smart contract analysis tool).

But Wait, CryptoMedication - I Don't Have a Free Terminal On Hand!

Hmm. That's interesting (since it's rare to possess a device that can access a website like this without having the capability to bring up a terminal).

But never fear!

That's what 'VSCode' (in-browser IDE) is here for (if you're a Librehash Member; #shamelessplugibutwearelegitthough).

Let's head on over there guys.

Instructions Are Right There in the 'README' (main page of the GitHub Repo)

Perfect! That means that this may just boil down to executing a few lines of code and then we're done.

Let's see what they're asking us to do here:

Ah, okay - so we just need to run:

# Steps from the Sooho README; the `cd` is added here because the README omits it
# and every lerna command below has to run from inside the cloned repository.
git clone https://github.com/soohoio/sooho.git
cd sooho
lerna bootstrap
lerna run build
lerna run prepack

Hang on one second; what the hell is "lerna"?

What is LernaJS?

A quick search around Google tells us.

"But, how did you know to search Google?"

How else do you figure things out in this world? And, yes, it would've been a bit helpful if the team had given us a heads up in the 'README' somewhere (or perhaps annotated the code), telling us that we would need to go install & configure 'LernaJS' first before we could move forward with installing 'Sooho', but not to fear!

We're on the job anyway.

Answering the Question: 'What is LernaJS?'

Simply put

That's it. Nothing mind boggling here. Just something that will facilitate the installation & unpackaging of this tool that we're going to use (found this information at lerna.js.org for reference, by the way).

Steps to Install / Download "LernaJS"

Thank God for us, the steps to download & install LernaJS are extremely simple!

We actually only need to run one command here, since we're installing this module globally (i.e., on the entire system), and we also already have an initialized npm project that we're attempting to install and deploy (Sooho).

Thus, we only need to run the following line of code:

npm install --global lerna

Running it in VSCode

This part is pretty intuitive.

Users just need to:

Visit our IDE (VSCode); this should be located on your main dashboard (search for the word 'code' if you find yourself getting impatient with this part of the process).

Once you click on the correct panel, you'll be taken directly to our in-browser VSCode instance.

Once there, you just need to pull up the Terminal.

Shortcut / Keybinding = (Ctrl)+(Shift)+(`)

Upon completion, a terminal should pull up at the bottom of the screen (literally can't miss it):

In case you did miss it though (somehow), here it is (explicitly pointed out for you):

Okay, so now that we're here - let's try running that command again:

npm install --global lerna
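As an added example (not code from the Sooho project or from the original post), here are the README steps above combined into one script that checks prerequisites first and does the `cd` into the cloned directory that the README leaves out. The `lerna@6` pin is an assumption: later Lerna major versions removed the `bootstrap` command, so a major that still ships it is installed.

```shell
#!/bin/sh
# Added example, not part of the Sooho project. Assumes a POSIX sh with git, node
# and npm on PATH, and pins lerna to a major (6.x) that still has `lerna bootstrap`.
set -eu

SOOHO_REPO="https://github.com/soohoio/sooho.git"

# Return 0 if a command is available on PATH, 1 otherwise (prints nothing).
need_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Derive the directory `git clone` will create from a clone URL:
# ".../sooho.git" -> "sooho". This is the directory the README never cd's into.
checkout_dir() {
    basename "$1" .git
}

# Check every prerequisite, reporting all missing ones before failing.
check_prereqs() {
    missing=0
    for c in git node npm; do
        need_cmd "$c" || { echo "missing prerequisite: $c" >&2; missing=1; }
    done
    return "$missing"
}

# The README procedure in order: global lerna, clone, enter the repo, build.
install_sooho() {
    check_prereqs
    # Assumption: pin a lerna major that still provides `lerna bootstrap`.
    need_cmd lerna || npm install --global lerna@6
    dir=$(checkout_dir "$SOOHO_REPO")
    [ -d "$dir" ] || git clone "$SOOHO_REPO"
    cd "$dir"
    lerna bootstrap
    lerna run build
    lerna run prepack
}

# Only perform the install when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--install" ]; then
    install_sooho
fi
```

Run it as `sh install-sooho.sh --install`; without the flag it only defines the functions.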

Mission Success

This was successfully downloaded both locally (on my own personal computer) and on our VSCode instance.

I would have gone the extra mile to connect this with our GitLab Runner as well, but it appears that this won't be needed because the code will not produce any tangible results for the audits that it performs on the code (which is pretty disappointing, to say the least!).

As users can see in the screenshot of my terminal below, the smart contract audit was run successfully:

But alas, too little, too late - this matters not in the greater context of broken Ethereum ecosystem code burying your precious time that you could have otherwise spent doing other things.

All Hope is Not Lost

Bittersweet, but it appears that there is an online Solidity linter (Odin) that uses this very same tool.

That can be inspected at this site here: https://odin.sooho.io/

Below are the steps (presented directly from the website), which detail how one is supposed to interact with this tool to render relevant results:

Is this free? According to them, yes.

Running the Audit

So let's bite and see if this tool will actually work (still a bit sour about wasting so much time trying to deploy something that didn't work... but when life hands you lemons!)

First Step: Clicking the 'Try it Free' Button

Seems easy enough so far.

That takes us to this page below (at the time of writing):

Hunting For an ERC20 Smart Contract

Let's see...since we've come this far, we might as well make this worth our while.

So I'm going to fish up a relevant ERC20 smart contract for our analysis.

How's Balancer Protocol sound?

Balancer's Relevance

At the time of writing, Balancer is ranked sixth among all other 'DeFi' platforms with a total of >$250 million "locked up" on its ecosystem.

Hunting Down the Contract

This shouldn't be too difficult - let's just go to etherscan.io (very popular blockchain explorer website for Ethereum).

From here, we just type in 'Balancer' (Etherscan has the contract mapped to the name of this token, since this information is provided on the Ethereum chain as well).

Here's the Link For Those That Wish to Follow Along: https://etherscan.io/token/0xba100000625a3754423978a60c9317c58a424e3d

If we want to see the contract though - we need to click directly on the contract link (on that page)

Which will take us here: https://etherscan.io/address/0xba100000625a3754423978a60c9317c58a424e3d

Upon our arrival, we'll be in the prime location to extract the contract for the balancer token itself (keep in mind that there is more than one contract in the balancer ecosystem):

With the Contract Extracted, It's Time to Glean the Relevant Results

Next phase is simple, we just upload the .sol file into 'Odin' and wait for it to spit out the relevant results.

Let's see what happens when we click 'submit'.

Results Are Surprisingly Kind of Negative

Here is what Odin spit back out at us after we clicked "submit":

Based on what we can see above, it appears that the linter identified:

  • One flaw of 'critical' severity
  • One flaw of 'high' severity
  • One flaw of 'medium' severity
  • Eleven flaws of 'low' severity

And past everything you see above, there was a "note" left on the smart contract code as well.

Here's the link to said audit: https://odin.sooho.io/result/4bcd72186fde0210b86896d8136bad01

There's no telling whether this link remains available in the long term (perhaps these are temporarily generated links for whatever reason) - but, if not, then go ahead and check out this report for yourselves as well (this space has a habit of calling any and everything 'FUD' that does not fit squarely within the narrative of hero worship).

Additional Details on the Balancer.sol Online Smart Contract Audit

Since we're here, we decided to extract all relevant information provided by the smart contract audit.

Check out the breakdown of identified issues with the smart contract:

The 'Code' Tab Provides Us With Some Specifics:

There is an Accompanying PDF Report That Was Published As Well

Scooped that up for safekeeping too.

Figured that this would be of interest to any and all those that wish to review the results of the audit themselves.

That will be published at a later point in time (since there's no way for us to currently embed that document in this report for the general public).

Conclusion / Closing Thoughts

There's no way for us to truly be able to assess the efficacy of these protocols unless we take the first step of auditing these contracts.

However, in doing so - I began realizing that merely providing an audit of said code is just one facet of what should be a much greater due diligence process.

In addition, it's important to parse out the severity / likelihood of contract compromise / detriment.

Unfortunately, this information is not yet publicly available, and there are no intuitive guides, courses, or breakdowns that yield concrete guidance on how one would go about extracting said information.

Thus, we will be taking time over the course of the next few weeks, months and, perhaps, even years to seriously dissect smart contracts, outline an agnostic framework for risk assessment, and parse out greater details about specific 'vulnerabilities' or errors detected by the linter. The goal is to place these discoveries within a context that allows researchers and interested parties to glean meaningful (and accurate) insights from the data that is not unduly harsh on projects, yet refrains from being too forgiving as well.

Until next time.
