A lot of blockchain projects have a smart contract security audit on their website and publish about this on social media.
-
What are these audits?
-
Does my project need one?
Solidity Security – What is a Smart Contract Security Audit?
Securitysolidity
Related Solutions
The answer is that machines who break the law do "break" the law. By that I mean that machine doing "illegal" (in some jurisdiction) things do break the very concept of the law as we humans know it. The law system just wasn't meant to handle such a situation.
There's a great talk by Gavin Wood (ex core Ethereum dev) where he talks about "a-legal" systems. The Ethereum machine doesn't care about human-made laws. The code of the smart contract is the only law the Ethereum machine obeys to. As long as in one country there's one Ethereum node running which you can connect to, anyone who can reach that node can call any smart contract he wants.
There's also a cool blog entry by the almighty security expert Bruce Schneier: "When Thinking Machines Break the Law" where he gives the example of a bot that randomly bought stuff from a dark market using Bitcoins.
Here's the talk by Gavin Wood:
Here's the blog by Bruce Schneier:
Bruce Schneier on machines breaking the law
What about illegal smart contracts?
Illegal in which country?
Who would you sue anyway? The person who put the contract there, even when he makes no personal gain (suddenly the case is very weak)? What if it's a foreigner? What if the code was anonymously published? The "players"? Same thing: they're using pseudonymous identities to "play", they're maybe using coin anonymizers (or ETHs bought using some untraceable crypto, like Monero), they're maybe from countries where it is perfectly legal, etc.
Sorry to be a downer...
You can't recover the original code from byte code because information is lost during the compilation. However, disassembly is always possible if the byte code is retrievable. Since the code for the contract must be executed by all full nodes and by miners, the byte code must be readily available to those parties. In practice, since anyone can be a node, that means everyone can get the byte code. As a former assembly programmer, I will assert that it is impossible to protect your IP completely in this case. If it's economically beneficial or just plain interesting, it will probably get reverse engineered.
Unfortunately, I can't offer best practices; legal avenues may be your best bet (but not patenting or copyright; not particularly useful here). At best, I think you can use some anti-disassembler techniques, but those will increase the cost of executing your contracts. As a person who has personally stripped out anti-piracy code from software I own in order to speed it up, I would ask that you try some other method of making your business (I assume) more resilient to reverse engineering.
Given that even with protections like clock-skew detection, instruction timing checks, hardware-based protection, encrypted instructions, and checks that test physical hardware only slow down the best crackers, it's almost certainly a better use of your time/efforts to build a better product/business than it is to try to defend against this scenario on the EVM (which is a much simpler system than a real computer and therefore easier to defeat due to a reduction in things that can be worked into the byte code). If you have to ask this question about best practices, it's almost certain that there are people, individually (let alone as a group) who can break your obfuscation efforts more easily than you can implement obfuscation.
Best Answer
In a smart contract security audit, or "smart contract audit" for short, usually a third party reads through the code written by the project smart contract developers and they look out for security vulnerabilities. This is somewhat different from the traditional IT security audits and penetration testing because a good smart contract auditor must possess a great deal of domain-specific knowledge not just about coding, but finance and cryptocurrency ecosystem as well.
Because the industry is new, there are not yet best practices for auditors or what the client or the investors should expect. The industry is developing so fast, so setting any technical standards today might be outdated tomorrow.
The quality of auditors and audits varies greatly. For the sake of this answer being neutral, I do not want to name any auditors or services. You can find these easily if you want to check if any auditor is legit and worth of their asking price.
Usually an audit happens "before deployment" e.g. before smart contracts go live and touch real money.
Smart contract auditor is hired by any protocol or other smart contract developer: token issuer, DeFi protocol, NFT project.
The project hires the auditor. Depending on the bull/bear market cycle and the brand value of the auditor, the auditing cost can be anything between $500/day to $10,000 day.
Note that audits are rarely "independent". There are some exceptions, like audits done by venture capital funds that look to invest in a project. But those are not usually called "smart contract audits". More about this below.
In high-quality audits, the person who performs the actual audit is named in the audit report. In low-quality audits this often is not the case, because the person do not want any personal responsibility for the shoddy quality of work.
For the audit itself, the auditor checks the smart contracts with free linting and static analysis tools and also reads the code through to find any bugs in the logic.
The smart contract audit is not a guarantee of a security. In a proper audit, the purpose of the auditor is to give guidance and verbal feedback to developers how to make it more secure.
A smart contract audit should not be used as a marketing material. If any project does this, it is usually a red flag about the motives of the project.
Unlike in traditional finance and accounting audits, on public blockchains any investor or a third party can assess the risk themselves. Any smart contract source code is public, so any auditor does not need privileged access to see if there could be vulnerabilities. For a true public protocol, any flow of money is 100% transparent. Thus, any investor is able to assess the risk themselves or ask someone to do it on their behalf.
For high-quality projects, so-called bug bounty programs or audit contents are run where white hack hackers are rewarded high sums of money for finding bugs in already deployed smart contracts.
Auditors rarely take any liability for the quality of work ("skin in the game"). There are some exceptions like the Sherlock protocol where auditors are only fully paid if there is no exploit over the course of the full life cycle of a project.
Centralised exchanges, like Binance, KuCoin, Gate.io and others ask for an audit for any ERC-20 token they list. This is mostly to ensure the free-form ERC-20 contracts do not have functions to remove tokens from exchange reserves (i.e. not backdoored). Some other exchanges like Coinbase perform their own audits.
Note that like in accounting audits, from the investor perspective, there is usually a conflict of interest between the auditor and their client, the project. Auditors do not work for investors. This is especially true when a smart contract audit report is publicly used as marketing material, The auditor is getting paid by the client, not the external users of the protocol or smart contracts. Thus, any audit, especially one from low-quality auditors, can be seen as biased. Audits never directly says if a project is a scam, because the auditor would not be paid in this case.
What do you need to do before you go for an audit
An audit does not fix any bad development process or low-quality software engineers.
Here is a good presentation by Corey Petty what a smart contract project should have in order before asking for an audit.
The Ultimate 100+ Point Checklist Before Sending Your Smart Contract for Audit
Audit Readiness Checklist
What do smart contract auditors look for while doing a smart contract audit
How to find an auditor
See also the list of blockchain security audit companies.
Another list of audit companies.
Disclaimer: I did some of the early audits for Ethereum smart contracts back in 2016-2017.