crownIcon Mint Crypto Bums Now & Earn NFTonPulse Marketplace Fees! smileIcon

by starburst
October 25, 2023

How to self-audit a smart contract

Table of Content

Latest News

The crypto space is good for fast gains but there are also losses. While it cannot be predicted which token will go down, potentially causing you to lose money, there are some specific cases where you really shouldn’t put your money because smart contracts have been purposefully designed to extract funds from users. It’s difficult to know if the contract is secure, as even audited contracts can fall prey to exploits. Moreover, many contracts on PulseChain don’t undergo security audits because they’re very expensive. The lack of an audit doesn’t stop users from buying the token, but there are certain basic security checks that anyone can implement before interacting with the contract. Here are some practices you can adopt to assess the security and legitimacy of a smart contract.

Basic concepts of smart contract security

Pulsechain Scanner – Your first stop

Scan.pulsechain.com is an invaluable resource for anyone looking to audit a smart contract. It allows you to examine the contract in detail, including its functions and transactions. Here’s how to leverage scan.pulsechain.com to assess a smart contract:

Token supply and allocation to the owner:

The simplest mistake a user can make is to buy a token where most of the supply is in the hands of the owner or some other account. This is because it’s easy to manipulate the price or to dump everything on the market, collapsing the price to almost zero.

Go to scan.pulsechain.com, insert the contract’s address in the search field, and navigate to the Token Holders list. Verify who the major holders are. Keep in mind that the majority holder will often be a liquidity pool, a burn address, or an exchange, and that shouldn’t be regarded as an issue. Look for mint functions in the contract’s code. If the owner has the possibility to mint more tokens, they will be able to create more tokens for themselves without buying anything, diluting everyone else.

Token Holders tab on Pulsechain scanner

Read Contract:

Start by navigating to the token’s contract page on scan.pulsechain.com and clicking on the “Read Contract” tab. This section displays the contract’s critical information and read-only functions. Here, you can look for specific functions that shouldn’t be there. However, it all depends on the contract’s purpose. 

Write Contract:

In the “Write Contract” tab, you can access the contract’s functions. These functions have the potential to alter the contract’s state. Review these functions to understand how the contract behaves and what actions are possible. The Mint function may allow the owner to arbitrarily mint more supply, while the Freeze function may freeze tokens.

Audits:

Ask founders for audits. If there was an audit, the founder will be able to provide you with a link where you’ll be able to read the final security assessment. PulseChain contracts often have no audits, and in that case, you need to rely on yourself. Ask ChatGPT to review the code for you. More on this below.

Reviewing the Contract Code

Beyond scan.pulsechain.com, it’s essential to review the contract’s code itself. While not everyone is a developer, looking at the code can provide valuable insights. Here are some key aspects to consider:

Open source:

When you navigate to the Code section of the scanner, you should see the published code of the smart contract. That contract will usually have a green check mark, which means that it’s verified and matches the GitHub repository. 

Open source verified code

When the contract code is not visible, that means it’s closed source, and it’s impossible to know what it does. It can’t be verified, and if there’s no audit, that should be a red flag.

Closed source non verified code

Ownership:

Be wary of contracts that have ownership. This can make the contract prone to changes and potentially allow malicious actors to change the contract’s functionality.

Privileged Access Functions:

Look for functions that grant privileged access. Some functions may only be callable by the owner, which can be a security risk.

Supply Modification:

Inspect the code for functions that can modify the token supply. Excessive control over supply modification can lead to inflation or deflation, impacting token value.

Timelocks and Delays:

Check if there are safeguards, such as timelocks, in place to prevent sudden, unexpected changes to the contract. These mechanisms add a layer of security.

Security check:

More advanced users can use special tools to ensure that the code follows best practices and standards for smart contract development. Tools like MythX, Slither, and Solhint can help identify potential vulnerabilities and issues.

Functionality Analysis:

Review the contract’s functions to see if there are critical functions missing, like a ‘pause’ or ‘sell’ function. Missing functions could be a red flag.

Community and Social Proof:

Assess the community and social media presence of the project or contract. Legitimate projects often have active communities and transparent communication. When founders dodge security questions, that’s a red flag.

Use Trusted Sources:

Stick to using well-known wallets and interfaces to interact with contracts. Beware of obscure or less-known platforms.

Don’t share your seed phrase:

Never share your seed phrase with anyone for any reason. If someone sends you a link and says to insert a seed phrase, consider it a red flag and a phishing attempt.

Trust Your Instincts:

Trust your instincts and don’t rush into transactions. If something feels too good to be true or overly complex, it’s worth taking extra caution.

Beware of airdrops:

Some of the most common losses come from claiming airdrops. They are free and often include malicious code that can steal all your tokens. If you received an NFT or want to claim an airdrop, you should be wary of the transaction you’re signing. If the code is malicious, MetaMask will usually warn you that the contract asks for the transfer of all your tokens. Users usually don’t look at what’s written, and they give up their funds. If you want to claim an airdrop, use trusted sources.

Always approach smart contracts and blockchain projects with caution, especially when investing or transacting large amounts of cryptocurrency. Even with these precautions, there are no guarantees, so only invest what you can afford to lose.

How to spot the danger in the code

If you want to identify potential malicious functions that allow the owner to mint additional tokens or change the contract’s behavior, you should look for the following types of functions and patterns during a smart contract audit:

  1. Minting Functions:

    • Functions that allow the owner to create or mint new tokens.
    • Look for functions that increase the total token supply. It’s important to understand the game theory of the token. If it’s a token that can be minted by anyone, then the supply is created by the community, and that’s probably part of the design. But if it’s only the owner or a privileged account that can do it, then you need to look deeper and see how it can impact the tokenomics.
  2. Parameter Modification Functions:

    • Functions that enable the owner to modify critical contract parameters that affect token functionality or distribution.
    • These parameters can include rewards, allocation points, fees, or any variable that impacts token behavior.
  3. Pausing or Freezing Functions:

    • Functions that give the owner the ability to pause or freeze the contract.
    • These functions can be used to prevent token transfers or other actions in the contract.
  4. Ownership Transfer Functions:

    • Functions that allow the owner to transfer ownership or admin privileges to another address.
  5. Role-Based Access Control (RBAC):

    • Complex role-based access control systems where the owner can assign different roles with varying levels of control and permissions.
    • Owner can manipulate these roles to exert control over the contract.
  6. Whitelist or Blacklist Functions:

    • Functions that permit the owner to add or remove addresses from a whitelist or blacklist.
    • Owner can manipulate these lists to control user access or actions.
  7. Parameter Initialization Functions:

    • Functions executed during the contract deployment that set critical parameters. These functions can include the initial allocation of tokens, setting rewards, or defining how the contract behaves.
  8. Proxy Functions:

    • Functions used to upgrade the contract’s logic or to switch to a new implementation.
    • These can potentially be misused by the owner to change the contract’s behavior.
  9. Privilege Revocation Functions:

    • Functions that the owner can use to revoke privileges or alter permissions for other users or roles.
  10. Functionality Disabling Functions:

  • Functions that can disable or restrict the functionality of certain features or other functions.
  1. Admin-Only Functions:
  • Functions that can only be called by the contract owner.
  1. Emergency Functions:
  • Functions that give the owner emergency control over contract actions.

It can be easily seen that the presence of owner or administrative privileges in a smart contract exposes the users to uncertainty about what could be done in the future if any of the functions is called. That’s why it’s important to interact with contracts that don’t have these privileges or where they’ve been renounced to a burn address, for example. When the contract can’t be changed, it’s immutable and doesn’t require any trust from the user. This, on the other hand, means that in case of an exploit, it will be impossible to intervene; however, that’s probably a lower risk than the owner calling arbitrarily different functions.

To check for owner/administrator privileges in a smart contract, you need to review the contract’s source code. These privileges are typically implemented through specific functions or state variables that allow the owner to perform administrative actions.

Here’s how you can recognize them in the code:

State Variables:

Look for state variables that designate the contract owner or administrator. Common names for such variables include owner, admin, creator, governance, or similar terms. These variables usually store the Ethereum address of the owner/administrator.

Example:

   address public owner;

Constructor Function:

In the constructor function, check for the assignment of an initial owner/administrator. This assignment is typically done within the contract’s deployment.

Example:

   constructor() { owner = msg.sender; // Assigns the deployer’s address as the owner }

Modifier Functions:

Look for functions that use modifiers like onlyOwner to restrict access to specific functionalities to the owner/administrator. These functions often contain sensitive operations, such as changing contract parameters or minting new tokens.

Example:

   modifier onlyOwner() { require(msg.sender == owner, “Only the owner can call this function”); _; }

Privileged Functions:

Review the functions within the contract to identify those that can only be called by the owner/administrator. Such functions usually contain logic that can alter the contract’s behavior or its state.

Example:

   function changeParameter(uint256 newValue) public onlyOwner { parameter = newValue; }

Role-Based Access Control (RBAC):

In some cases, smart contracts implement more complex role-based access control systems, where specific roles (e.g., admin, manager) have different levels of control. These systems can involve multiple state variables and functions to manage different roles.

Events:

Events are used to log important contract actions. Check for events that indicate owner/administrator actions, such as contract parameter changes or privilege updates.

Example:

   event ParameterChanged(uint256 oldValue, uint256 newValue);

Comments and Documentation:

Review comments and documentation within the contract code. Sometimes, the roles and privileges of the owner/administrator are explained in the code comments.

Here’s a simplified example of what it might look like in a smart contract:

By reviewing these elements in the contract’s source code, you can identify owner/administrator privileges and understand their scope and potential risks. Be sure to assess how these privileges might impact your funds and the project’s overall security.

Owner renunciation check:

To check if a contract has renounced ownership, you need to inspect the contract’s source code or verify its state on the blockchain. Ownership renunciation is typically done by setting the owner address to the zero address (0x0000000000000000000000000000000000000000) or a specific burn address, depending on the contract.

Here’s how you can check for ownership renunciation:

Inspect the Source Code:

If the contract’s source code is publicly available, search for functions that set the owner address to the zero address or the burn address. These functions are usually named “renounceOwnership” or something similar. For example, the OpenZeppelin Ownable contract provides a “renounceOwnership” function.

Here’s an example from OpenZeppelin’s Ownable contract:

Contract renounciation function

Verify on the Blockchain:

If you don’t have access to the contract’s source code, you can verify the contract on blockchain explorers like scan.pulsechain.com. Look for a transaction in the contract’s history that renounces ownership by setting the owner address to the zero address.

For example, on scan.pulsechain.com, you can check the “Write Contract” section to see if the “renounceOwnership” function was called.

Keep in mind that the availability of these details depends on whether the contract has been verified on the blockchain explorer and if the “renounceOwnership” function has been used. If the contract has been verified and the function has been used, you should be able to find the relevant information.

ChatGPT audit

ChatGPT is a useful tool for reviewing the code; however, it isn’t foolproof. You need to know which questions to ask because it won’t always tell you if the owner can mint more tokens and dilute your holdings or if it can change parameters or if the contract was renounced. You need to know which questions to ask, and it’s better if you review the Read and Write Code functions beforehand so you can ask specific questions about them.

If you’re unsure about how to review the contract code, consider asking these basic questions:

Can the owner modify the contract, and if so, are there safeguards in place to prevent abuse?

Are there any functions that allow minting of tokens?

How is ownership handled? Has it been renounced, and if so, when?

What is the distribution of tokens?

Are there significant allocations to the owner or team?

Are there any timelocks or other mechanisms in place to protect token holders?”

Who Are We?

As members of the PulseChain community, HowToPulse.com mission is to make the onboarding process as simple as possible.
We did the research for you providing top quality information, tools, news and updates about PulseChain, HEX and PulseX

Ask us a Question