$BOSON Token Smart Contract Successfully Audited by CertiK
Why smart contract audits are so important
This month marked a significant milestone for Boson Protocol’s tech team — the successful audit of our smart contract for the $BOSON token by blockchain security specialists CertiK.
Why was this audit so important? While our engineering team has implemented the highest standards in development and testing, there is nothing like having a team of highly qualified security specialists who have not seen your code before scrutinize your work and probe for any vulnerabilities.
Blockchain is a special type of software. You can’t do a hotfix if something goes wrong: once deployed, it is out there forever. One of the huge advantages of open-source software is the power of the crowd: everyone can see the code and identify any bugs, and this is a good thing because the more collaborators and pairs of eyes on the code, the higher the quality.
But it also means that any vulnerabilities are there for bad actors to spot, and once a contract is out there, it’s there forever and you can expect it will be attacked all the time — attackers have all the time in the world to do it. So it’s a steep cliff if you mess up, and it’s not an area where you can afford to compromise.
Why we used CertiK
That’s why we decided to engage CertiK to help us. They are one of the best audit companies around. They are expensive, but that is because they are so good, and we had no problem authorising the higher cost because we treat security with the utmost attention.
We are happy to announce that they found no critical or major issues, and we have fixed (and had them check) the lesser issues that they found. Their audit will be added to our GitHub repository for full transparency.
We had the token contract audited at this stage because the work is complete, with no open issues, and we are not expecting it to change. However, we also asked CertiK to audit the smart contracts for Boson Protocol itself, as a checkpoint in our development process. While the contracts will not be on the main net as they are now, and we will have them audited again once they are complete, it showed they are solid, with no major issues, and we were happy to see we are on the right path.
Focus on quality and security
Obviously there is no point submitting contracts to an auditor if you are not already fully confident in your own code quality and development processes.
One of the first things we did was ensure that the baseline libraries that we use are ones that are already audited, such as OpenZeppelin. Reusing safe components that are already out there is common sense. Then, we followed security best practices to test all effects, interactions and edge cases, as well as properly documenting all the functions.
Test coverage is obviously critical. We have plenty of test coverage in place for the token contract — always aiming to get close to 100% — and we have a development pipeline in place that ensures all tests are executed before any change is merged, so any failures have to be investigated before changes are committed to the main branch. This gives developers confidence that there will be no regressions or breaking changes.
We also ran analysis with several tools internally, such as Manticore and Slither, before we submitted to audit. We did a run-through with MythX and we are looking to see how we can integrate something like MythX into our pipelines so we could run static analysis on each test run and halt the pipeline if any critical issue is found.
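As an added illustration of the pipeline gate described above (this is not Boson Protocol's code), the script below reads a Slither JSON report, such as one written with `slither . --json report.json`, and returns a failing exit code when a finding reaches the blocking severity. It uses Slither rather than MythX because Slither runs locally, and it treats Slither's "High" impact as the "critical" threshold. The function names, allowlist and sample report are assumptions made for the example.

```python
import json
import sys

# Impact labels as Slither writes them in each detector result's "impact" field.
RANK = {"Optimization": 0, "Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def blocking_findings(report, min_impact="High", allowlist=frozenset()):
    """Return findings at or above min_impact whose check is not allowlisted."""
    if not report.get("success"):
        # A failed or partial analysis must never pass the gate silently.
        raise RuntimeError(f"analysis did not complete: {report.get('error')}")
    detectors = (report.get("results") or {}).get("detectors", [])
    blocking = []
    for finding in detectors:
        # Unknown impact labels rank as High so a format change fails closed.
        rank = RANK.get(finding.get("impact"), RANK["High"])
        if rank >= RANK[min_impact] and finding.get("check") not in allowlist:
            blocking.append(finding)
    return blocking

def gate(report, **options):
    """CI exit code: 0 = pass, 1 = blocking findings, 2 = analysis failed."""
    try:
        found = blocking_findings(report, **options)
    except RuntimeError as exc:
        print(f"gate error: {exc}", file=sys.stderr)
        return 2
    for f in found:
        print(f"[{f.get('impact')}/{f.get('confidence')}] {f.get('check')}")
    return 1 if found else 0

# Constructed sample report for the example; not output from the $BOSON audit.
SAMPLE = {"success": True, "error": None, "results": {"detectors": [
    {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium"},
    {"check": "unused-return", "impact": "Medium", "confidence": "Medium"},
    {"check": "solc-version", "impact": "Informational", "confidence": "High"},
]}}

if __name__ == "__main__":
    report = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    sys.exit(gate(report))
```

An allowlist entry should be added only after a finding has been reviewed and documented, so that the gate keeps failing on anything new.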
We believe in open-source software
Before we submitted our work for audit, we also reached out to collaborators and friends outside the project. Having as many people as possible look at your work is really important, as I mentioned above, and that is why we are open-sourcing our code.
Open source is absolutely the key to fighting bugs — there is no money that can buy you a better security audit than having a large number of eyes on your code. Also, the simpler the contract and the fewer lines of code, the smaller the attack surface, so this was a good reminder to keep the contract code as short and simple as possible.
Now that the audit is done and was successful, the entire tech team feels relieved and confident, and it means we can look forward to building a great product on the most solid foundation.
About Boson Protocol
Boson Protocol’s vision is to enable a decentralized commerce ecosystem by funding and enabling the development of a stack of specialist applications to disrupt, demonopolize and democratize commerce.