Code reviews are a vital part of the secure software development process.  In this article, you can learn more about what a blockchain code review is, how it differs from a smart contract audit, and why your blockchain project needs one.

Code Reviews: Automated and Manual

A software security audit can consist of multiple different phases, using both automated and manual processes.  For example, security audits commonly include the use of automated vulnerability scanners and static and dynamic code analysis tools to quickly identify common vulnerabilities in the code.

While these approaches are effective at identifying low-hanging fruit, not everything can be detected using a manual tool.  For example, code may contain logical errors that could cause the software to not work as intended.  Also, code could contain vulnerabilities that an automated scanner can’t or doesn’t look for, or a new variation on a vulnerable code pattern.

Code review involves a cybersecurity expert manually reviewing the source code of an application to identify potential logical errors and programming vulnerabilities.  This requires a clear understanding of the intended purpose of an application and its components and knowledge of common software vulnerabilities and how they can be exploited.

A manual code review is more time-consuming and expensive than running an automated tool and requires more security knowledge and expertise to do correctly.  However, it can identify vulnerabilities that an automated tool can’t.

Code Review and the Blockchain

Code reviews – and security audits in general – are an important part of secure development practices.  All software has bugs, and some of these bugs can create functionality and security issues for the software and its users.  Identifying these issues during the development process makes them cheaper and easier to fix and reduces their impact compared to those vulnerabilities that reach production.

Code reviews are an important part of the development process in the blockchain ecosystem.  However, when most people think of code review for the blockchain, they think of smart contract security audits, not blockchain code reviews. Read on to find out the difference between smart contract audits and blockchain code reviews.

Smart Contract Security Audits

Smart contracts are programs that run on top of the blockchain.  Each node in the blockchain network runs an instance of the smart contract platform’s virtual machine and executes instructions that are encoded within the transactions that make up the digital ledger.

Manual code reviews are an important part of the smart contract development process because they allow vulnerabilities to be identified and fixed before a smart contract is released onto the blockchain.  Since smart contract code is stored on the blockchain’s immutable digital ledger, it is much harder to fix vulnerabilities through software updates (unless a contract is specifically designed to be updateable) and exploitation of these vulnerabilities is typically irreversible.

Blockchain Code Reviews

Smart contract security audits are the most common form of code review in the blockchain ecosystem because most blockchain-related projects are implemented and launched as smart contracts.  However, all of these projects rely on software lower in the infrastructure stack.

Blockchains are implemented as software, including the functionality to create, distribute, and validate transactions and blocks, maintain the digital ledger, and run smart contracts within a virtual machine.  All of this functionality is created by code, which can also contain bugs.

Blockchain code reviews analyze the code of blockchain software for logical errors and potentially exploitable vulnerabilities.  Reviews of major blockchains such as Bitcoin and Ethereum have uncovered numerous errors, enabling them to be patched before they could be exploited by an attacker to break the functionality or security of a blockchain project.

The Importance of Code Reviews in Blockchain

Blockchain is implemented as multiple layers of software, including both the underlying blockchain and smart contract platform software and the smart contracts that run on top of them.  The sheer amount of value invested in blockchain projects means that a single vulnerability could have massive impacts if exploited by an attacker.

Code reviews and security audits are vital to identifying and fixing potential vulnerabilities in smart contracts and blockchain software before they can be hacked.  For more information and to request a code review of your blockchain project, reach out to our blockchain security experts at halborn@protonmail.com.

Rob Behnke
02.12.2022