Hartej Sawhney On the High-Stakes World of Security Audits
In the Wild West of blockchain, where fortunes are made and lost in an instant, smart contract security auditing isn’t just a buzzword — it’s the cornerstone of trust.
As self-executing contracts increasingly become the backbone of decentralized finance and a growing range of applications, ensuring their security is more critical than ever. But the landscape is treacherous, with potential pitfalls that even the most seasoned developer might overlook.
Hartej Sawhney, founder and CEO of Zokyo and creator of Hosho, the first blockchain cybersecurity firm, provided insights into the difficulties of smart contract security auditing. With 11 years of experience in the field, his team at Zokyo has secured over $42 billion in digital assets.
Zokyo specializes in securing intricate Web3 protocols and infrastructure. Their experienced engineers understand the novel risks presented by restaking protocols, modular Layer 2 solutions, and DePIN ecosystems. These evolving systems are often complex, lack thorough auditing, and are developing at a pace that challenges traditional security measures.
Facts and Figures: A Growing Problem
In 2024, the blockchain and cryptocurrency sectors experienced a significant increase in security breaches, underscoring the critical need for enhanced protective measures. According to the yearly report from Chainalysis, approximately $2.2 billion was stolen across 303 hacking incidents, marking a 21% increase in funds stolen compared to the previous year.
These alarming numbers underscore the pressing need for robust security measures within the blockchain ecosystem, especially now that adoption is accelerating across institutions, Fortune 500 companies, and the public sector.
This is why leading bug bounty platforms are offering increasingly substantial payouts to ethical hackers who uncover critical vulnerabilities in smart contracts. Uniswap, for example, set rewards as high as $15.5 million for discoveries in their v4 core contracts. This trend reflects a broader industry shift, with tech giants such as Microsoft and Google also increasing their investment in proactive security.
The Unique Challenges of Blockchain Security
Unlike traditional software, where vulnerabilities can often be patched post-deployment, smart contracts are immutable once they are live on the blockchain: short of deploying behind an upgrade proxy, which introduces its own risks, a bug cannot be fixed in place. This immutability creates a high-stakes environment where security audits must be thorough before deployment.
As Sawhney puts it:
“Smart contracts are immutable and often hold real financial value from day one. There’s no room for error — a single overlooked vulnerability can have immediate, irreversible consequences. That’s why blockchain audits demand a completely different mindset.”
The Devil is in the Details: Prevalent Smart Contract Attacks
Even the most well-crafted smart contract can be undone by a single overlooked vulnerability. That’s why security auditors must maintain relentless attention to detail — the most minor flaw can open the door to significant exploits. Sawhney breaks down some of the most common threats:
“‘Reentrancy attacks’ exploit the recursive calling of functions before a contract’s state is updated, often resulting in unintended and dangerous behavior. Mitigation involves updating state variables before making external calls. ‘Inflation attacks’ manipulate token balances to gain unfair advantages in distribution. These require rigorous validation of state changes and safeguards. ‘Math errors’ and ‘access control issues’ — ranging from rounding mistakes to unauthorized function access — can be prevented with strict checks and proper permissioning.”
These are just a few of the usual suspects. Unchecked external calls, timestamp dependence, and excessive contract complexity persist as significant risks, each expanding the attack surface in distinct ways. More concerning, however, is that the threat landscape is constantly evolving, as attackers devise increasingly sophisticated ways to exploit smart contracts.
“Smart contracts, as finite state machines, can exist in numerous states, some of which may be vulnerable to attacks,” states Sawhney. “Developers can prevent these vulnerabilities through defensive programming, extensive testing (unit, integration, and fuzz testing), and adopting a security-first mindset all the way through the development process.”
The Balancing Act: Thoroughness vs. Time Constraints
Blockchain development moves fast, and security teams are often racing against the clock. Auditors are expected to deliver deep, comprehensive analysis while navigating tight deadlines and rapidly evolving codebases.
“Criminal hackers have unlimited time to find a single vulnerability, whereas auditors must identify all potential issues in a limited timeframe,” said Sawhney. “By collaborating closely with development teams, auditors can accelerate their understanding of the code and focus on uncovering critical vulnerabilities that might not be immediately obvious.”
Enter the White Hats: The Role of Ethical Hacking Teams
Ethical hacking teams, often referred to as white hats, are an essential part of the security equation. These cybersecurity experts use their skills to identify and exploit vulnerabilities in a controlled environment, providing invaluable insights to developers and project stakeholders. According to Sawhney:
“Ethical hacking teams enhance security auditing by simulating real-world attacks, similar to red team operations in traditional cybersecurity. They adopt the mindset and techniques of malicious hackers to test the resilience of smart contracts, providing insights that standard audits might miss. This adversarial approach can reveal deeper vulnerabilities and improve the robustness of the contract against potential threats,” adds Sawhney.
As technology evolves, so do the tools and techniques available to security auditors, and, as with everything else in tech, artificial intelligence (AI) plays its part.
“Emerging tools like AI-enhanced static analysis and improved debugging platforms are revolutionizing smart contract security auditing,” Sawhney said. “These tools allow for more sophisticated detection of vulnerabilities and better simulation of real-world scenarios. Platforms like Tenderly provide advanced debugging capabilities, but more user-friendly, integrated solutions in development environments like VSCode could significantly streamline the auditing process.”
Beyond Technical Skills: The Human Element
While technical expertise is undoubtedly crucial for a successful security auditor, Sawhney emphasizes the importance of effective communication skills:
“Beyond technical skills, effective communication is crucial for security auditors. They must translate complex technical issues into understandable language for non-technical stakeholders, particularly in audit reports, which serve as the primary deliverable for clients. Clear articulation of vulnerabilities and recommended fixes ensures that all parties understand the security posture and necessary improvements.”
Development teams, for their part, should ensure their code is complete and thoroughly documented before engaging auditors.
“To maximize the effectiveness of a security audit, development teams should ensure their code is complete and fully documented before the audit begins,” said Sawhney. “This includes thorough unit testing and detailed documentation of the contract’s intended functionality and design. Engaging collaboratively with auditors, being open to feedback, and promptly addressing identified issues can significantly enhance the audit’s outcomes.”
Navigating Ethical Considerations and Risks
In the pseudonymous world of blockchain, where transparency and privacy often collide, engaging external security auditors presents unique challenges. Trust issues and potential conflicts of interest are inherent risks that organizations must address to ensure transparency and accountability.
To mitigate these risks, Sawhney recommends a few crucial steps:
“Utilizing external teams for security audits in the pseudonymous blockchain environment presents unique challenges, including potential conflicts of interest and trust issues. To mitigate these risks, companies should implement robust bug bounty programs, respond promptly to reported vulnerabilities, and consider Know Your Customer (KYC) measures to ensure accountability without compromising anonymity. Clear communication and defined boundaries for ethical behavior are essential to maintain trust and security.”
The Road Ahead
The threats and vulnerabilities security auditors must anticipate are constantly evolving, and the stakes have never been higher. Meeting this challenge demands meticulous attention to detail, the use of innovative tools, and a collaborative mindset. Only then can the blockchain ecosystem become a safer, more resilient environment for everyone. In Sawhney’s words:
“Security is not a one-time event but an ongoing process. By embracing best practices, adopting a proactive approach, and working hand-in-hand with security experts, we can navigate this digital minefield and build a more resilient and trustworthy blockchain future.”
This article was originally published on Dataconomy and is republished with permission.