Automated Smart Contract Audit
What is an automated smart contract audit?
A smart contract audit is an evaluation of smart contract code to check if any vulnerabilities are present. Originally smart contract audits were performed manually. Nowadays a hybrid approach is common, where automated analysis tools are run over the contract code, and the results of this are combined with manual analysis.
An issue with automated smart contract analysis is that it can be slow and only target a very small subset of vulnerabilities. The automated audit system provided by Quant here utilises the machine learning DLVA tool created by University College London of University of Singapore researchers, and is detailed in this publication. DLVA is quick to perform the automated analysis and also scans for a variety of potential vulnerabilities.
Prerequisites
- Create an account and generate your application's API keys
Create an account on Quant Connect. Then, register your application to generate API keys to authorise your requests on Overledger APIs.
- Generate a Bearer Token You must generate an authentication token in order to use the Overledger APIs.
Known Limitations
This automated audit system has the following known limitations:
- This system is for Solidity smart contracts only.
- The DLVA software searches for POTENTIAL vulnerabilities. Like any machine learning algorithm, it may not always be correct. Quant advises to utilise automated audit systems as a first line of security defence. Manual evaluation via Quant Smart Audits will be able to confirm whether a detected vulnerability is actually present and if it is actually exploitable.
- As of today, the DLVA software tool cannot analyse some contracts with a very large bytecode or some contracts built with Solidity version >0.8.22 (due to new OP CODES introduced).
Call the endpoint
The automated smart contract audit is currently available via the endpoint:
https://hook.eu2.make.com/sek9kxagb3fy78enllplxizgqi3jrsfm
To use this endpoint you need to pass in the contract creation bytecode. This bytecode can be found on block explorers and also after local code compilation.
curl --request POST \
--url https://hook.eu2.make.com/sek9kxagb3fy78enllplxizgqi3jrsfm \
--header 'Authorization: Bearer token' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--data '
{
"smartContractCreationBytecode":"60806040..."
}
'
If the request is successful, you would receive a response with the audit response, like so:
{
"message":"Possible vulnerabilities detected.",
"vulnerabilities": [reentrancy-no-eth],
"disclaimer": "The results of this automated analysis maybe flawed, consider a Quant Smart Contract Audit for clarification"
}
Updated 12 days ago