How long does it take to audit a smart contract?

One of the most common questions we receive is how much time smart contract auditing takes. The quick answer is ‘it depends‘, however in this post we’ll try to give you some guidance on how to plan for your audit.

Plan Ahead

Smart contract auditing should be included in your development plan from the very beginning. Too often, the decision to have an audit conducted is made at the last minute and it ends up costing more because of priority-rush charges.

We’re happy to work with you to turn an audit around quickly, but the best audit occur when all parties have plenty of time. We maintain high quality reviews in all cases, however when we have more time to work with our clients, it creates the best learning opportunities. Yes, it’s important to uncover vulnerabilities in smart contracts, but our goal is to help you learn from patterns we uncover so that future mistakes are prevented. Let us know before you’re ready and we can get you on our schedule ahead of time.

Audit Engagement

Once you’re ready for the audit, it takes a few days to initiate the project, finalize scoping, and sign our contact. You will be assigned a lead auditor and the audit of an average smart contract will take 2-14 days. This is completely dependent on the smart contract’s size and complexity. We’re happy to give time estimates before the project starts.

After we present you the audit findings, we will give you a remediation period and spend a couple days conducting remediation testing. Once all testing is complete, we will issue your public and internal reports.

This process can be completed from beginning to end in a about a week for simple contracts and up to a month for complex ones.

Smart Contract Audit

Since we launched our Smart Contract Audit service we’re constantly asked what information is needed to provide an accurate quote. The most significant piece of information we need is language and number of lines of code. That information alone will make a few assumptions and provide you back a quote quickly.

Here are few common questions we ask:

  • Please provide a brief overview of your project.
  • Do you have any hard deadlines for completion?
  • Can you give us a little more information on scope?
  • What version of Solidity are you using?
  • Does your contract rely on any external contracts?
  • Do you use any Solidity static code analyzers?
  • Do you have Solidity unit, and/or functional tests?

It’s ok if you don’t have all the answers. We’re here to help. If you’d like more information about our services, you can request a smart contract audit quote here.

SOC 2 Change Management Mock Audit Webinar

Change management is one of the first processes companies should focus on in a SOC 2 readiness project. Topics such as authorization, peer review, quality assurance, and documentation can be approached many different ways. Change management is a “daily process” in most organizations and can have a significant impact on the success of a SOC 2 audit. Additionally, change management procedures impact a number of employees include developers, quality assurance, and product management personnel. It’s critical “get it right.”

In this webinar we cover the key processes that should be focused on when planning for change management. We help you learn to think like an auditor and be fully prepared for anything that may come up. We review sample audit requests and then cover the details audited in change tickets.

Topics in this webinar include:

  • Change Management Policy
  • Change Management SDLC Documentation
  • Mock Audit Questions
  • Change Management Toolset
  • Audit Gotchas

Continue reading SOC 2 Change Management Mock Audit Webinar

SOC 2 Prioritization Webinar

One of the most important aspects of a SOC 2 readiness project is ensuring that the right steps are prioritized. The requirements are numerous and SOC 2 newbies often struggle in determining what to tackle first. After years of experience we’ve developed a preparation approach that will guide you to doing the right things at the right time.

In this webinar we cover the key processes that should be the focus of your first few weeks of SOC 2 preparation. We look at the business processes that occur most frequently as well as approaches to mitigate security risks early. Too often organizations get caught up in checking the boxes trying to be “compliant” and fail to step back and address true security risks.

Topics in this webinar include:

  • The SOC 2 Timeline
  • Change Management Requirements
  • HR Requirements
  • Vulnerability Management Requirements
  • Risk Management Requirements
  • Conducting a SOC 2 Gap Analysis

The webinar was recorded in April 2018 and we’ve made it available for download by filling our the form below.

Continue reading SOC 2 Prioritization Webinar

A Dime of Every ICO Dollar has Already Been Stolen

Over half of all the ICOs optioned in 2017 have already failed, according to analysts, and no small portion of those failures have been due to the scandalous 10% theft rate amongst ICOs.

Of the $3.7 billion raised to fund ICOs so far, around $400 million have been stolen, mostly by very basic phishing techniques that rack up over $1.5 million per month in pilfered cryptocurrency.

While many ICOs fail simply because the companies behind them aren’t sound (or the ICOs are designed to fail as good, old-fashioned “exit scams” for nefarious founders), ICO security is emerging as a cause for concern amongst savvy cryptocurrency investors.

After all, part of the appeal of cryptocurrency is that high-grade encryption and security are integral to the technology. If simple phishing attacks can scam one in 10 customers out of your virtual currency, that’s a perfectly valid reason for investors to pass on your ICO. Even if the phishing isn’t “your fault” — some customers are going to get scammed simply because they are dumb customers, regardless of how you try to protect them — it still creates a customer service and public relations problem if your theft rate is very high.

This problem grows worse when a typical response to ICO adversity is to simply ghost on your investors and customers, in what Bitcoin.com calls a pattern of “abandoned Twitter accounts, empty Telegram groups, websites no longer hosted, and communities no longer tended.”

Investors want to know you have processes in place not just to prevent hacks, but to adequately and professionally respond when hacks occur and times are tough. Proving you have basic internal controls and professional processes in place will soon be a standard part of ICOs, just like it is for any viable investment practice.

If you want to be sure you’re taking every reasonable professional measure to make your ICO secure and sustainable, you need an ICO security audit. An audit can demonstrate to your investors (and yourself) that you won’t be part of the 10% of ICOs that get easily hacked, which will help you stay out of the 59% percent of ICOS that fail.

Get your ICO security audit today.

Is Your ICO Prepared for a “51% Attack”…?

Blockchain-based technologies are appealing because they theoretically offer decentralized transactions with no corruptible (or hackable) central management authority — but the reality of blockchain is proving somewhat different than the theory. If your ICO is built on the same basic principles as Bitcoin or Ethereum, you need to be prepared for the fallout of a possible “51% attack.”

As outlined here, a 51% attack is a case where 51% of all the miners in blockchain ecosystem are aligned with a single hashpool, or consortium of centrally controlled miners. (You could actually enact this attack with any absolute majority of miners in an ecosystem, so anything above 50%.) With a majority of miners under one controlling authority, the entire blockchain ledger is vulnerable to manipulation.

Now, blockchain was ostensibly designed to not require a central authority, but it doesn’t prevent anyone from creating one by cornering the market on miners. Recent research has shown that greater than 50% of mining on both Bitcoin and Ethereum is performed by four of fewer miners.

In a way, blockchain encourages centralization, as the more miners you control, the less variance in mining occurs — because you increase the likelihood that any transaction in the ecosystem will be routed to your miners for initial authentication. While “paying” miners in Bitcoin should theoretically encourage a diverse group of miners to all get in on the action, in reality it simply encourages the creation of bulk mining operations to get a nice stable chunk of the Bitcoin output available.

Similar unexpected externalities also seem to be encouraging the physical collocation of several blockchain mining operations. Hydro Quebec, a Canadian hydroelectric utility, ran a campaign to encourage tech companies to set up data centers in its service area, as cold weather and cheap power are ideal for inexpensive server farms. Instead of tech startups, they attracted Bitcoin miners. As a result, any major outage or disaster to befall Hydro Quebec could now have a non-trivial effect on the entire cryptocurrency ecosystem.

Most developers and investors assume that a blockchain ecosystem will be naturally decentralized and thus naturally resistant to any brute force attack or natural disaster. It turns out that the real-world implementation of blockchain – especially blockchain as it is implemented under Bitcoin – perversely encourages centralization in unexpected ways. And, because there is no Bitcoin version of the Federal Reserve to oversee these market-cornering mining operations, the risks posed by blockchain centralization are hard to assess and harder still to thwart.

That’s why every ICO needs to perform a full security and operational audit to ensure your blockchain-type technology is hardened against these unexpected brute-force attacks, and to establish protocols to respond if your blockchain is targeted for 51% majority manipulation.

If you want the market to have confidence in your ICO, you must ensure your ICO is hardened against market manipulation. Sign up for an ICO audit today.

The Security Risks of the “Junk Food ICO” Trend

One of the most dangerous aspects of an ICO is the general ignorance regarding blockchain amongst not just the public, but investors as well. The public views blockchain tokens as some sort of weird hybrid of fairy dust and gold bouillon, in that you can sprinkle blockchain on an ordinary product and suddenly it becomes immensely valuable.

For example, the Long Island Iced Tea company saw its stock value triple when it changed its name to Long Blockchain. No one knows what, if anything, Long Blockchain will actually use blockchain tech for, but the name change alone was assumed to be valuable.

By the same token (pun intended), a major Hooters franchisee is planning to convert its customer loyalty system to a blockchain rewards program, so that you can now literally measure the value of certain tokens in chicken wings and hamburgers.

The problem with these gimmicks isn’t that they are fleecing investors who still think of Bitcoin as a conventional currency. The danger is the huge risks posed by tacking on blockchain as a cash-grab, rather than as a fully secured technology. These “Junk Food ICOs” — so called not because they involve fast food companies, but because they treat blockchain as something you can just grab as quick-profit takeout food — pose real “health risks” to their parent companies.

Blockchain in general, and Bitcoin in particular, can’t be counterfeited, but can very easily be lost or stolen. And if your ICO investors assume that your tokens can be used like a conventional currency, and that they have the same protections and conveniences as modern credit cards, you’re setting yourself up for some serious customer dissatisfaction the moment the first cache of your tokens gets misplaced or social-engineered away.

Conventional currency has a safety net built in. The amount of cash in circulation is regulated by central banks, most American consumer bank accounts are insured by the FDIC, mainstream credit cards have built-in fraud protections, and American investment vehicles are regulated by the Securities and Exchange Commission. If something goes wrong, there are established protections to limit the damage and protocols for seeking restitution.

Blockchain tokens don’t have this same mature security ecosystem, and the public (nor investors nor corporations) clearly doesn’t appreciate the risks that entails. Thus, it is incumbent on you to build security into your blockchain ecosystem prior to any ICO — if only to prevent a wave of customer and partner backlash should anything go wrong.

Moreover, at some point a major consumer blockchain play is going to go bad, and the public will demand proof that any other token offering has better protections in place. The companies that invest in ICO security and compliance now will have a head start on every other blockchain firm when the public finally starts to take token security and management seriously.

Initial Coin Offerings are the Wild West of technology and investment — which means you might strike gold, or you might get robbed by bandits — but it also means that those who build their ICOs on secure foundations are best positioned to survive the chaos ahead.

If you want to ensure the security of your token technology, sign up for an ICO security and compliance audit today.

The Other “Security Problem” with ICOs

Independent Coin Offerings are called “ICOs” and not “token sales” precisely because they want to appear similar to investor-friendly initial public offerings of stock (IPO) — which raises a catch-22 compliance problem many startups and investors haven’t much thought about. Specifically, ICOs represent a gray area in U.S. Securities Exchange and Commission (SEC) regulations, and that could make investing in an ICO a compliance minefield for many investors.

The main question in any ICO is this: do the tokens in the sale qualify as a financial security?

If so, then the ICO must follow some very specific rules to govern the sale, many of them identical to a conventional stock IPO. If your tokens are securities, your ICO must be registered with the SEC, and must be overseen by a registered broker. This is no small undertaking, but it has the advantage of laying out some clear rules to handle the token sale.

Many times, however, the SEC simply refuses to comment on whether an ICO is actually selling a qualified security. This means that — at some undetermined point in the future — your tokens could be retroactively classified as any of several asset classes, which in turn means that any initial investors are taking a risk beyond just the normal possibility of coins declining in value.

Anyone can buy a publicly traded stock, but if the SEC doesn’t consider your token equivalent to a public stock, it limits who is allowed to buy your coins under U.S. law. In theory, investors could be forced to divest themselves of their coins should the SEC later decide that your ICO sold an asset class that your investors weren’t qualified to buy — even if that divestiture causes a serious financial loss. Your investors could be forced to sell their tokens when their price is at rock bottom, all based on some unforeseen SEC decision.

This limitation applies even to sophisticated investors. For example, while hedge funds and accredited individual investors can buy pretty much anything, many mutual funds or retirement funds can only hold public stocks or bonds, and many venture capital funds can only hold stock in companies that have not yet issued an IPO. (Once a stock goes public, a VC fund usually has a window to divest, but can’t hold the publicly-traded stock for very long.)

Complicating matters further, unless your ICO qualifies as a crowdfunding instrument, it may be impossible for non-accredited investors — which is to say, average people who don’t have high net worth — to buy tokens during your sale. No one has stopped non-accredited investors from buying Bitcoin, but there’s no legal standard to prevent the SEC from treating your ICO differently.

Both the SEC and FINRA have issued investor guidelines for participating in ICOs. This is the playbook that smart coin-buyers will be following, and the standard your firm must be ready to meet.

Before issuing an ICO, it’s critical that your organization review the legal structure underpinning your token sale, both to prevent it from running afoul of regulatory guidance, and to protect yourself from investor backlash should the SEC decide to reclassify your tokens as a highly regulated asset class at some point in the future.

12 Critical Due Diligence Questions to Ask ICOs

Many of the most innovative companies today are choosing to raise money through token sales. Cryptocurrencies seem to be flowing more freely than investments through traditional VC route. Additionally, we’re seeing participation on a worldwide scale. It’s exciting! Who doesn’t want to earn 25x on their money? Yes, it’s fun to throw a few Ethereum at a “too good to be true” deal, but the risks are extraordinary. It’s almost certain you’ll end up losing money.

Some deals are better than others, and it’s up to you to find the good ones. Due diligence shouldn’t be reserved just traditional investors. To support the long time viability of ICOs as a funding model, it’s critical that we start being selective into which project we back. A focus on diligence and quality will raise make it nearly impossible for a scam to be successful.

Below I’ve assembled a list of key questions to consider when evaluating a token sale. If the company’s whitepaper or website doesn’t provide enough detail, I encourage you to ask the founders directly. You’ll quickly be able to determine which companies are mature enough to deserve your hard earned money.

Is the business entity properly structured? – Is there a formed business entity? What jurisdiction does the entity reside? Is it managed by a board of directors or foundation? How is the business structured?

How experienced are the founders? – Have the founders built companies or tremendous value in the past, or is this the first time? What makes the founders unique for this opportunity?

How experienced is the engineering team? – Are there industry leading experts on the team? Is key development being outsourced?

Do you have a personal connection with any on the executive team? – Do you have any close connections on LinkedIn with any key management? Is the team completely outside of your professional network?

How does the company approach risk management? – Is the company simply reactive to business and information security risks? Have contingencies been planned in detail? Are all attack vectors documented and managed?  Does the company have a culture that emphasizes security over convenience?

What are the internal fraud prevention controls? – Have segregation of duties been setup around key financial processes? How are funds moved and managed on a day by day basis? Does the company have a documented code of ethics?

How are key internal processes managed? – Is there an information security policy? What is the business continuity plan? Is there any incident response plan?  How is customer support managed?

Have you audited your smart contracts? – Have smart contracts and other code been audited by a third party? What are the internal processes for code quality and static analysis?

How are information security vulnerabilities managed – Is there internal vulnerability scanning? Are external endpoints pentested by a third party?  Have all medium and higher identified vulnerabilities been remediated?

How mature is the system architecture? – Are key components properly segregated to minimize risk? Can the system architecture be clearly described in a diagram? Has external exposure been minimized?

Is there a communication plan? — How are you notified if there are problems in the system or offering?  What are the scenarios in which token buyers would not be contacted?  What is the breach notification policy?

How transparent is the company? — How much information was provided up front? How did the company respond with regards to their weaknesses?

This is just a small sample of the questions you should be asking when evaluating an ICO.  If you’re planning an ICO, giving this type of information up front will help buyers evaluate the risks involved with yours company.  Building trust does not come easy.

As a token buyer, ICOs are a great way to participate in blockchain technology.  Asking the right questions will help you minimize risk.

Security for ICOs and Token Sales


Last week, we introduced the ICO Information Security Framework (IISF) to assist companies in the process of a token sale by improving information security practices.

ICOs and token sales have recently attracted a lot of attention from hackers/fraudsters due such large values at stake. If you’re considering a token sale, it’s important that you protect your own environment and communication channels to ensure that funds are not stolen. The IISF was created to so that you can have high assurance that your company’s internal processes are in-line with information security best practices and reduce the risk of a compromise.

Additionally, it’s extremely important to build a strong information security foundation so that you can gain a high level of trust with investors and/or potential token buyers. ICOs are usually opaque at best, we help companies prepare their security practices and communicate trust to all parties involved.

The ISO Information Security Framework™ has been developed with the core purpose of enabling companies that are planning an ICO or token sale to build a strong foundation of information security and compliance. This is important to increase investor and customer confidence and improve the maturity of the business processes under control by the company. The IISF can serve as a due diligence function for those wishing to buy tokens.

If you’re considering an ICO or token sale and are looking for guidance on how to improve your information security practices, please don’t hesitate to reach out.