The recent DeFi (Decentralized Finance) boom has brought a lot of new projects into the existing blockchain ecosystem. While smart contracts will always execute the way they are programmed, they are very complex, and a simple bug or vulnerability in a smart contract can cause the loss of all funds. This is where a smart contract security audit company can come in handy.
In response to popular requests from the TRON community hoping to learn more about smart contracts and their security, TronLive interviewed SlowMist, the smart contract security audit company for the recent SUN and JUST projects launched on the TRON blockchain.
TronLive: Hello SlowMist, we are TronLive, a TRON community. Our community noticed that SlowMist has been doing some smart contract security audit work for the TRON Foundation and the JUST team recently. We hope our community can learn more about your company and what exactly you do. Can you give us a brief introduction of who you are and what your role is at SlowMist?
SlowMist: Hello everyone, I am very happy to participate in this interview, thank you TronLive for the invitation. I am Keywolf, the product leader of SlowMist.
TronLive: Nice to meet you, Keywolf. Can you let us know what exactly SlowMist is? What does a smart contract security audit company cover?
SlowMist: SlowMist is a company focused on blockchain ecosystem security, founded in January 2018. SlowMist has served many well-known global projects, including cryptocurrency exchanges, cryptocurrency wallets, smart contracts, DeFi projects and public blockchains, and has nearly a thousand commercial customers distributed across more than a dozen major countries and regions.
During the security audit of a smart contract, we check for and find security vulnerabilities in the smart contract code, and pay attention to whether the code is consistent with the business design, to ensure that no accidents occur during the operation of the smart contract.
TronLive: Can you give us some well-known blockchain projects that you have audited so far?
SlowMist: We have audited many well-known blockchain projects on Ethereum, TRON, EOS and other blockchains. For example, JUST, SUN, TrueUSD, DeFiBox, ForTube, dForce, etc.
TronLive: Let’s take the JUST and SUN projects as an example. Can you briefly describe to us the flow of how you go about doing the audits?
SlowMist: First, after the customer contacts us, they need to provide us with the smart contract code, which can be a GitHub link or an etherscan/tronscan link;
Then, we evaluate the complexity of the smart contract code, based on the number of code lines and the functional logic, and tell the customer the audit fee and audit duration;
After the customer pays, we start the audit. During this period, we report the vulnerabilities found to the customer and discuss with them how to fix them;
When we finally confirm that there are no other vulnerabilities in the smart contract code, we produce a security audit report and send it to the customer.
TronLive: Thanks for the explanation. Usually, how long does it take to audit a smart contract? How many people are needed to audit a smart contract at SlowMist?
SlowMist: The time needed for each audit is different and is determined according to the complexity of the smart contract code.
Generally speaking, we have at least 3 security engineers participating in each audit. They conduct their security audits independently, then summarize the problems found and confirm each other’s findings.
TronLive: What are the most common smart contract mistakes you have encountered? Can you give us some examples and let us know what may happen if a smart contract bug goes unnoticed?
SlowMist: The most common mistakes are related to permission control. For example, if the mint function does not control permissions properly, anyone can mint tokens, causing the total supply of tokens to get out of control.
Another common problem is token precision. For example, the problem in YAM v1’s smart contract was that decimals were not handled correctly, resulting in an abnormal token supply.
TronLive: After a smart contract audit, is it safe to say that the smart contract is 100% immune to any vulnerabilities and safe from scams?
SlowMist: No, a security audit mainly finds vulnerabilities in the smart contract code. Some projects require admin authority to perform subsequent functions, such as migration and upgrade, but these functions may be maliciously exploited. In the course of our audit, we advise customers to hand over the admin authority to a multi-signature smart contract for management.
TronLive: Yes, it is important to know that although a smart contract audit will fix all known security vulnerabilities, the private key of the smart contract still belongs to the owner, and a malicious actor may still freeze and withdraw customers’ funds. A multisig wallet, as suggested, will help reduce the chances of this happening by requiring multiple parties to sign a transaction. Let’s move on to the next question.
Will you be doing testnet runs to check if the smart contract is indeed free from vulnerabilities? Or do you have some sort of software to do it off-chain?
SlowMist: Yes, we perform various tests on a local development network, including business process testing and security vulnerability testing.
We have developed a security plug-in to accelerate our automated security audits. This plug-in performs static analysis of syntax and semantics and provides a dynamic debugging model.
TronLive: As more developers are jumping into smart contract development, what kind of useful suggestions do you have for them to keep in mind?
SlowMist: There are a lot of great learning materials on GitHub. You can search for “solidity security” or “smart contract security”. We have also compiled a knowledge base, which is available at https://github.com/slowmist/Knowledge-Base
TronLive: That’s nice. Finally, if our TRON and TronLive community members wish to try out your service, can you give us a brief idea of how much a smart contract audit will cost? We understand that the cost is based on project complexity, but some rough figures will do.
SlowMist: Generally, the security audit fee ranges from several thousand dollars to tens of thousands of dollars. Also, users who mention TRONLIVE when contacting SlowMist can get a discount.
TronLive: Awesome, thanks for being generous to our supporters and community. That will be the end of this interview. Thank you Keywolf and the entire SlowMist team for sharing your expertise in the smart contract security field.
SlowMist Official Website: https://www.slowmist.com
SlowMist Email: team@slowmist.com
SlowMist Twitter: @SlowMist_Team