What are the key challenges in the auditing industry?
Decentralized applications (DApps) handle user assets through on-chain transactions, making projects with vulnerabilities in their governing smart contracts susceptible to critical risks, such as unauthorized extraction of user or pooled assets. As a preventive measure, smart contract audits are conducted. However, users of existing major audit firms face several challenges:
- The cost of traditional audit firms is very high, ranging from tens to hundreds of thousands of dollars.
- There’s an overemphasis on obtaining a “stamp of approval” from major audit firms, often sidelining the primary goal of enhancing security.
- Engaging an audit firm can delay product launches and token listings due to the time taken for audits.
- The accuracy of reports and communication costs can vary significantly depending on the auditor handling the audit.
These challenges are attributed to the fact that audits are conducted by humans. For instance, a significant portion of the high costs charged by audit firms go toward professional auditors’ fees. Furthermore, human auditors can overlook details, and the process can be time-consuming. As a solution, audit firms powered by artificial intelligence (AI) have started to emerge.
What exactly does an audit check?
The work of audit firms can generally be categorized in two:
- A: Identifying vulnerabilities by comparing clients' contracts against known vulnerability patterns.
- B: Pointing out project-specific logic vulnerabilities and operational inconsistencies.
Normally, humans review the smart contract’s source code to check for vulnerabilities. However, knowledge and detection capabilities of vulnerability patterns vary among auditors, leading to potential oversights due to human error. So, that begs the question: How can AI address these issues?
The significance of using AI for smart contract audits
A: Comprehensiveness of audit perspectives
As a prime example of AI-based audit firms, Bunzz Audit boasts a database covering a vast range of vulnerability patterns, adopting an auditing approach that scans code from every possible angle. This method allows for comprehensiveness and accuracy in pointing out vulnerabilities that would be physically impossible for humans.
The Bunzz team states:
"Our research and development results have led us to conclude that a database plus AI approach is more suited for detecting vulnerability patterns than humans."
Bunzz Audit has published a comparison between AI-based audits and human audits.
This is an AI-based report on the audit of a protocol named Lockon, which allows for index investments in crypto. The report was generated in approximately 48 hours. The Lockon team was surprised to learn that this was an AI-based report because they found the points about vulnerabilities to be accurate.
B: Cost and duration of audits
Traditional audit firms employ dozens of professional auditors, whereas AI-based audit firms do not have “auditors” in the traditional sense. Instead, a few smart contract professionals review the results produced by AI, significantly reducing audit costs to about one-tenth of traditional firms. Audit agencies can complete audits in 24 to 48 hours, compared to about two weeks for traditional firms, thus compressing the audit period by a factor of ten.
However, are AI-based audits the best solution? There are weaknesses as well.
Areas Where AI Falls Short
Audits include pointing out project-specific logic vulnerabilities and operational inconsistencies that pertain to the project’s context. This context is not programmed into the contract’s source code but exists in off-chain information such as white papers and documentation.
Without inputting this into the AI, checks on project-specific logic cannot be conducted. Therefore, some AI-based audit services only address this aspect through human auditors, providing a more comprehensive audit.
How to benefit from AI tools
While AI-based audits are not yet perfect, they offer significant benefits for projects looking to reduce audit costs. They are also increasingly used as a “Pre Audit” before engaging traditional audit firms, as identifying critical bugs in advance can reduce the costs paid to audit firms. Moreover, integrating AI-based audit services into the CI/CD process is beginning to be seen as a way to improve code quality.
The Future Evolution of AI Audits
In February 2024, Vitalik Buterin highlighted the potential of AI in aiding formal verification of code and bug finding. “One application of AI that I am excited about is AI-assisted formal verification of code and bug finding,” he stated, adding:
“Right now, Ethereum’s biggest technical risk probably is bugs in code, and anything that could significantly change the game would be amazing.”
Formal Verification addresses the identification of project-specific logic vulnerabilities and operational inconsistencies. Advancements in Formal Verification technology could make on-chain protocols more trustless.
Trustworthy, automation-based, on-chain ecosystems could evolve significantly, potentially matching the impact of advancements in ZK technology. Overcoming the major barrier of perfecting product specifications, which is costly for humans, could be significantly improved with the use of AI, as believed by Vitalik Buterin and front-runners like Bunzz Audit.
Disclaimer. Cointelegraph does not endorse any content or product on this page. While we aim at providing you with all important information that we could obtain in this sponsored article, readers should do their own research before taking any actions related to the company and carry full responsibility for their decisions, nor can this article be considered as investment advice.