Smart contracts are lines of code running on a blockchain, enabling a wide range of onchain applications. They provide powerful benefits such as programmability, automation, and trust minimization, but can also be highly vulnerable if not designed and maintained with rigorous security practices.
According to DeFiLlama, over $9 billion has been compromised through smart contract hacks across the industry so far, with $1.2 billion of that occurring in 2024 alone. These staggering figures highlight the pressing need for thorough security measures, which is why smart contract audits play a critical role. By identifying and mitigating vulnerabilities, audits help safeguard users, protect funds, and improve codebase quality for easier maintenance.
What Is a Smart Contract Audit, The OpenZeppelin Way
At OpenZeppelin, a smart contract audit is a comprehensive, multi-stage process designed to identify and address vulnerabilities before a project goes live. Our methodology has evolved over years of working with top-tier protocols, ensuring we deliver thorough and actionable guidance. While each audit is tailored to the project’s specific needs, our general approach typically includes:
1. Audit Preparation & Scope Definition
Before formally starting the audit, we align with the client to:
- Confirm the Codebase & Commit Hash: We identify the exact version of the code to audit, avoiding last-minute changes.
- Review Documentation & Architecture: We assess high-level design choices, usage scenarios, and any existing developer docs.
- Discuss Project Goals & Concerns: If needed, we hold a “pre-audit call” to clarify any unique business logic or specific issues the client wants examined.
- Audit Kit: In some cases, we provide an “audit kit” that highlights missing tests or documentation, so the team can resolve these gaps before we start. This helps us focus on deeper security reviews.
2. Kick-Off & Audit Planning
Once everything is set, we officially begin:
- Kick-Off Call: We meet with the client’s team to confirm final details—timeline, scope, and any nuances discovered from an initial code review.
- Audit Plan: Our internal lead creates an audit plan outlining the structure and responsibilities for each auditor. This ensures every part of the code is thoroughly reviewed in a systematic, consistent manner.
3. Code Review
At the heart of every OpenZeppelin audit, at least two security auditors are assigned to review the same codebase. This ensures that each line of code undergoes multiple sets of expert eyes, catching issues that might slip past a single reviewer.
Our core security review consists of two key phases:
- Thorough Manual Analysis
- Line-by-Line Review: Our security engineers scrutinize every part of the code, looking for logical flaws, edge cases, and business logic errors.
- Access Control Checks: We confirm role and permission configurations are correctly implemented across all functions.
- Custom Logic & Edge Cases: We pay special attention to project-specific features or assumptions that might introduce unforeseen vulnerabilities.
- Strategic Use of Automated Tools
- Static Analysis: Automated scanners flag common security patterns (e.g., integer overflows) that might otherwise slip through.
- Fuzz Testing: We flood the contract with random inputs to see how it performs under extreme or unexpected conditions.
- Tooling Dashboard: An internal step where we run compulsory security checks, cataloging potential issues for further review.
This synergy of human expertise and specialized tools helps us identify both high-level design flaws and common coding pitfalls, ensuring a robust audit that leaves no stone unturned.
4. Ongoing Communication & Check-Ins
Throughout the audit, we maintain regular check-ins with the client to:
- Clarify Complex Areas: If any portion of the code raises questions, we discuss with the client’s dev team.
- Flag Critical Findings Early: For critical or high-severity issues, we alert the client right away so they can begin planning fixes.
5. Reporting & Fix Review
Upon completion, we produce an initial private audit report, detailing:
- All Found Issues: Clearly categorized by severity (Critical, High, Medium, Low, Informational). At OpenZeppelin, we are committed to excellence and it's in our mission to not only spot vulnerabilities but also provide suggestions on the code (Low and Informational issues) to improve the general robustness, quality and readability, ultimately reducing the chance of future bugs.
- Recommendations: Step-by-step guidance on how to remediate each vulnerability.
- Context & Rationale: Why a particular issue matters and how it could be exploited.
- Methodology Summary (optional): An overview of our thorough, multi-layered approach for teams that require deeper insights into our assessment and risk analysis processes.
The client is entitled to one round of fix reviews provided each fix is in a dedicated pull request. While each fix has to be submitted as a separate PR for focused, isolated analysis, we always consider the entire codebase to prevent new issues. Once the client addresses these issues, we verify the solutions and finalize the report.
6. Retro & Knowledge Sharing
After delivering the initial report, our audit team devotes a “Retro Day” to:
- Document Lessons Learned: Summarize any new attack vectors or notable approaches uncovered during the audit.
- Expand Our Research Wiki: If we’ve discovered novel vulnerabilities, we add them to our internal knowledge base, ensuring our entire team stays updated.
We also gather feedback from the client to adapt and improve based on these insights ensuring our processes remain flexible, efficient, and aligned with each team’s unique needs.
7. Final Delivery & Optional Publication
We update the report with verified fixes and provide a final, polished PDF report or a Defender-based version. If desired, we can also coordinate a public audit release via the OpenZeppelin Blog to share results with the broader community, further demonstrating transparency and commitment to security.
Common Vulnerabilities & Risks
Smart contracts can fail in countless ways, but certain patterns recur frequently. Below are some of the most prominent vulnerabilities we encounter, along with notes on how they manifest in practice:
- Reentrancy Attacks
Reentrancy attacks are among the oldest yet still highly impactful types of exploits, with the most famous example being The DAO hack. When a contract fails to manage external calls correctly, attackers can repeatedly invoke a function before the initial contract call has finished its initial logic. This can lead to inconsistent state and eventually to draining of funds or other unintended state changes. In modern variants, even functions that appear “read-only” can be leveraged for reentrancy if the code relies on state-dependent logic or external calls without proper checks.
- Example: A withdraw function that updates balances only after sending tokens, coupled with a malicious token contract that invokes back the calling contract, allowing an attacker to call withdraw multiple times.
- Integer Overflows & Underflows
In languages like Solidity (prior to certain version updates) and in some custom libraries, calculations that exceed numeric bounds can “wrap around” in unexpected ways.
- Impact: Attackers might artificially inflate their token balances or cause token supply manipulations.
- Access Control Misconfigurations
Failure to restrict privileged functions or overlooking necessary checks for admin roles can hand attackers or malicious insiders unrestricted power.
- Impact: Funds can be frozen, minted, or drained if the wrong party obtains these permissions.
- Price Oracle Manipulation & MEV Attacks
Smart contracts often rely on on-chain oracles for data like token prices. If these oracles are manipulated, attackers can exploit the contract’s trust in the data. Similarly, Miner Extractable Value (MEV) or front-running can reorder transactions to an attacker’s advantage.
- Impact: Unfair token swaps, manipulated lending/borrowing rates, or sandwich attacks in DEXes.
- Unprotected External Calls
Contracts that call external untrusted contracts or handle user-supplied addresses without proper checks can inadvertently trigger fallback functions, reentrancy, or other malicious code paths.
- Example: A contract awarding tokens to a user-supplied address without verifying if it’s a contract with potential reentrancy triggers.
- Lack of Input Validation
Smart contracts that fail to adequately validate user input, such as function parameters or data payloads, risk enabling a wide range of attacks, from logical errors to injection-based vulnerabilities.
- Impact: Malicious or malformed inputs can bypass intended restrictions, leading to partial or full contract compromise.
- Logic & Business Rule Errors
Even well-known security pitfalls don’t cover all the ways a project’s custom logic can fail. Incorrect assumptions, poorly structured code, or edge cases in business rules can break functionality or cause financial damage.
At OpenZeppelin, thorough threat modeling and experience with real-world exploits give us a robust understanding of how these vulnerabilities can play out under different protocols and market conditions.
OpenZeppelin’s Key Audit Highlights
As one of the leading audit firms in the blockchain space, OpenZeppelin has pioneered many of the best practices now used industry-wide. In 2024, our team performed 400 audits, identifying more than 190 critical and high-severity issues. By flagging and addressing these vulnerabilities early, we’ve helped clients avert costly exploits and maintain user trust.
OpenZeppelin’s breadth of experience extends across Layer 1, Layer 2, DeFi, NFTs, Oracles, and more, with an extensive roster of audits for top-tier projects. You can read more about the details and findings in each audit report.
Smart contracts offer enormous potential across finance, gaming, supply chains, and more. Yet with that innovation comes security responsibility. A robust, expert-led audit can spell the difference between success and catastrophic losses. OpenZeppelin’s proven methodology, unparalleled expertise, and hands-on experience enable us to protect smart contracts so builders can focus on delivering the next wave of Web3 solutions with confidence.
Ready to secure your project and build user confidence? Get in touch with our team to learn more about our Smart Contract Audit Services and begin your path toward a more resilient, future-proof blockchain solution.