Binance Smart Chain (BSC) has partnered with CertiK, a leading enterprise in blockchain cybersecurity, to help projects building on top of the Binance Smart Chain build trust, follow best practices, and raise the standards of security throughout the entire ecosystem.
Why Partner with a Security Firm?
2020 has proven to be a critical year for DeFi, and it’s fair to say that it’s currently one of the hottest topics in the blockchain space. At its core, DeFi allows users to take control of their assets enabling them to unlock new forms of value.
Binance Smart Chain, created by Binance and global developers, is a dual-chain architecture that encourages users to utilize one blockchain for building digital assets and decentralized apps while trading faster with lower transaction fees. Numerous DeFi projects are either experimenting with their new ideas or porting their protocols to Binance Smart Chain. Read the article in full here to explore the features and benefits of building DeFi on Binance Smart Chain.
Without trust and security, however, there can be no true decentralized and permissionless products in the blockchain space. The success of any blockchain hinges on the correctness and robustness of the source code. This is where Certik comes into play.
CertiK is a technology driven security company that applies different approaches and detection methods ranging from manual, static, and dynamic analysis to ensure that a project is checked against known and potential vulnerabilities. They have also pioneered the use of Formal Verification techniques to enhance the security of smart contracts. CertiK has serviced more than 200 clients with high quality auditing and consulting services, including Aave, BZX, Lien Protocol, Tellor, Matic, Terra, ThorChain and many more.
To chart a way forward for a more secure chain, CertiK leverages its years of experience to help shape a safer ecosystem on Binance Smart Chain and boost the growth of DeFi dApps atop. By preventing vulnerabilities across the Binance Smart Chain landscape, the combined efforts between Binance Smart Chain and Certik will contribute to a sustainable blockchain industry.
Security Risks and Solutions in DeFi
While the advantages of many DeFi methods can be impactful, the technology and its use-cases behind it are still at an early stage, which can pose serious security challenges.
According to DeFi Pulse, there is roughly $6.74 billion dollars currently locked within DeFi projects. Many DeFi projects have already faced security threats from malicious hackers due to lack of audits or an imperfect audit process.
Besides the publicly disclosed issues in the DeFi space, the CertiK team has found critical bugs that could cause a severe impact on different DeFi projects. These bugs include:
- Integer overflow
- Resource exhaustion(denial-of-service)
- Race condition
- Problematic financial model
There can be no growth in DeFi or the blockchain ecosystem without trust and security; however, security services can be costly, and poorly prepared audits can waste companies’ resources and lead to rather frustrating experiences.
After providing security services to some of the largest projects and companies in the blockchain space, the CertiK team has come up with a checklist to help companies optimize their budget and complete an audit.
How To Prepare for a Security Audit
Define the Scope and Set a Goal
The testing scope refers to the what and how the audit will be performed. For smart contracts, do all files or only a few functions in the most critical module(s) need to be tested? For application penetration tests, are you looking for whitebox or blackbox testing? Blackbox testing mimics real world scenarios to find out what an attacker without insider information could discover and exploit. Whitebox testing, on the other hand, aims to be a more comprehensive security review of the entire system.
During the scoping call with client, the client is asked:
- What is the primary goal of this audit/pentest?
- Which module do you consider to be the most critical to your system?
- Are there any particular attack scenarios you are concerned with?
These answers allow the Certik team to design a testing plan that effectively targets specific areas, optimizes resources and of course meets the client’s needs. Having a rough idea of the scope of the audit and setting up clear goals also helps projects prepare for an audit.
It’s essential for any security auditor to understand the design and architecture of a system before they dive deep into the client’s codebase. For a security audit, the most important thing is for clients to create clear and comprehensive documentation that explains how their systems work. All documentation should be easily readable with accurate and up-to-date information so that auditors are able to understand the exact intention behind the code. Here is a list of items that should be included in the documentation:
A README contains sets of useful information such as the project description, and build and run instructions about a project. Having a detailed and clean README also gives your audience a good first impression since it serves as the first file people can read when they visit your repository.
Technical documents provide an overview of the systems, the problem the project aims to solve, and the intended functionalities for different components of the system.
Comments On the Code
Good comments can tell the auditor what the code aims to accomplish or potential problems it may contain, such as boundary conditions, argument validation, and corner cases, among others. These comments help facilitate the audit process.
The efficiency of the entire audit process can be affected by the quality of the code. Clean and well-formatted code can help auditors focus on finding issues, rather than spending time deciphering the meaning behind it. In order to deliver code to auditors with the highest quality, it’s encouraged to:
Enforce a Consistent Style of Code
Enforcing a consistent style of code allows auditors to rapidly understand the functionality of the code. To achieve consistency, it’s recommended to use linters to help analyze source code and flag programming errors, bugs, stylistic errors, and suspicious constructs. Developers can run a linter against the code to fix errors and such warnings.
Remove Dead Code and Comments
Components in the project may have been deprecated throughout the software development life cycle. While it might be obvious to the client, it may take a while before auditors realize certain functions are not being called anywhere in the project. It’s a waste of time for auditors to investigate issues on dead code.
Use Trusted and Up-to-Date Dependencies
When it comes to developing smart contracts or applications, there are many existing libraries engineers can leverage. Using existing libraries that have already been audited will simplify the development process and dramatically reduce the possibility of security issues creeping in.
That said, always keep an eye out for new security issues that might have been discovered in some of your dependencies. Projects should also make sure that the third-party libraries and dependencies in the project are up-to-date to avoid any additional security issues.
Perform the First Round of Testing
It is important to ensure that the code executes without error and works as expected before handing it to auditors. This will save projects and auditing firms a lot of time and resources.
Developers are encouraged to write unit tests that cover every functionality of the system. Unit tests need to cover not only the normal path of contract execution, but also edge cases and error handling of each function.
Once completed, the next step is to write additional tests that target multiple components and cover all potential use cases at a higher level. Don’t forget to update the unit tests when the code is updated to ensure that all tests are compatible with the new code.
Always document details on the testing process, which includes the test plan, test scenarios, test cases, and traceability matrix. Auditors will have a much better understanding of your systems if they have access to detailed and thorough unit tests and testing documentation prior to the code review.
Have the Testing Target Ready
Auditors need to have a testing target to work on, which can include the source code for an audit, the application and credentials for a penetration test, or the physical device for IoT hardware testing. At the end of the day, nothing can be done without receiving the target from the client. To make the audit as efficient as possible, clients are advised to:
Specify the Commit Hash
Make sure that auditors are reviewing the right code. Providing a commit hash allows auditors to look at the “locked” version of the code. If the code isn’t ready, it’s better to push back your timeline for an audit rather than ask auditors to review code that is still under development.
Deploy a Stable Testing Environment
For an application penetration test, the client would need to host their application for a pentester to do their job. Providing a stable testing environment is crucial for any penetration test, regardless of the method. The time it takes to address potential server issues can take from a few hours to a day, depending on how effective two parties communicate and how difficult it is to fix the issue.
Provide the Compiled Binary
Testing mobile and desktop applications often requires the compiled binary or the installation package. It’s not recommended to make auditors build the binary themselves as there are many things that can go wrong during the building process. Auditors shouldn’t waste time trying to resolve the build/compile error. Use their time wisely!
Once everything is ready, the client can send the source code/application and necessary documentation to the security team of their chosen auditing firm like Certik. Providing them with detailed instructions on how to interact with the system will also be wise as it speeds things up dramatically.
All this prep work takes time; however, it is really important as it allows security auditors to start working without any confusion and frustration. Good audits are not cheap, and a good preparation allows the security engineers to focus on what matters most: improving the security posture of your products.
Projects built on top of the Binance Smart Chain will have access to the following perks by Certik:
Free 30 Minute Consultation
After providing access to the codebase, clients will receive a plan with a detailed description on the scope and testing methodologies chosen. CertiK’s team of engineers will walk you through how to best prepare for a code review, and everything needed to make the process quick and seamless.
20% Discount on All Audits and VAPT Work
All Binance Smart Chain projects will receive a 20% discount on all audits and VAPT working.
Free Monthly Security Scans for a Year
Security is an on-going process. As projects evolve, the attack surfaces can grow. That’s why it’s vital to perform periodic security scans. CertiK will provide free monthly security scans on all VAPT engagements for an entire year.
The length of an audit depends on many factors, including the complexity and length of the code. CertiK will prioritize all projects built on top of Binance Smart Chain, building it into a more secured and trusted ecosystem.
If you have any feedback or questions about Binance Smart Chain or CertiK, both teams will be happy to help. You can reach the Binance Smart Chain team on the Binance Chain Developer Telegram Group and the CertiK team on www.certik.io or via [email protected] for your free 30- minute consultation.