Smart Contracts are at the heart of blockchain. By automating the execution of actions or business agreements, they ensure that transactions are accurately recorded on the distributed ledger by authorised parties.

The European Blockchain Services Infrastructure (EBSI) has always aimed at bringing the power of blockchain beyond the hype, particularly by investing time in exploring viable use cases for distributed ledger technology. To make this transformation of EU public services a reality, EBSI relies on Smart Contracts.

EBSI’s most important use case so far is the verification of information, a relevant challenge for organisations and individuals alike, across all sectors. Think, for example, of a university diploma: to know whether the diploma you are presented with is authentic, you will want to know that it has been issued by a reputable university, and therefore is not a fake. This kind of instant, reliable and cost-effective verification is made possible thanks to EBSI’s Verifiable Credentials (VC) Framework.

Smart Contracts are an essential cornerstone of this framework, which is why EBSI cannot underestimate the importance of keeping them secure and reliable. As such, EBSI recently partnered with blockchain security auditor, Hacken, to perform a thorough audit of EBSI’s Smart Contracts, with the goal of recognising and remedying any possible vulnerabilities.

Who is Hacken?

Hacken is a blockchain security auditor established in 2017 in Kyiv, Ukraine, with a vision for transforming Web3 into a safer place. With 5+ years of experience, hundreds of blockchain partners, and thousands of secured crypto projects, Hacken protects businesses and crypto communities worldwide with one of the most competitive suites of professional cybersecurity services.

What are smart contracts and why are they crucial to EBSI?

Let’s return to our previous example: an organisation needs to check the validity of a new employee’s diploma. To do so, they have options such as contacting the university, verifying the document for evidence of tampering, or relying on their gut feeling about the person in front of them.

But these verification methods take time and are far from foolproof. Enter EBSI’s Verifiable Credentials Framework.

The university diploma is presented as a Verifiable Credential (VC) – a digital attestation – that holds key information about the issuer within it. The issuer’s unique identifier and keys are stored in this credential. When presented with the diploma, the employer will be able to verify this information – and confirm that the university that issued it is properly accredited on EBSI’s ledger. Only trusted universities are able to record their keys and identifiers on EBSI’s ledger.

To record an accreditation on the ledger, the university would have had to call on an API that, in turn, will call upon Smart Contracts to perform operations and record transactions on the EBSI ledger. These Smart Contracts are the gatekeepers, ensuring that operations only proceed when necessary conditions are met – in this case, being a trustworthy university. EBSI has tight control over these contracts, ensuring that only legitimate operations go through. This is one of many uses for Smart Contracts in EBSI, and as is evident, their integrity is paramount to ensure only trusted information ends up being recorded on the blockchain – otherwise… well, as they say, ‘garbage in, garbage out’.

What is smart contract auditing?

EBSI’s heavy reliance on Smart Contracts necessitates a comprehensive approach to their security and reliability – without this, Verifiable Credentials can no longer be verified. Thorough Smart Contract auditing can ensure this level of trust, integrity, and the seamless operation of a platform, but it must go beyond simply checking code.

Hacken’s Solidity audit encompassed 63 of EBSI's Smart Contracts, vital for services like authenticating transactions, guaranteeing the integrity of tamper-proof registries, enabling interactions through EBSI’s APIs, and maintaining the decentralisation of EBSI’s ledger.

Hacken’s methodology for auditing EBSI’s Smart Contracts was both systematic and rigorous, incorporating the following principles:

• Thorough analysis: A deep dive into each smart contract to understand its functionality and design.

• Automated Scanning: Using advanced tools to scan for common vulnerabilities.

• Manual Review: To catch complex, logic-based vulnerabilities that automated tools might miss.

• Continuous Feedback: Engaging with the EBSI team to discuss potential concerns and ensure alignment.

The audit included several phases, including a pre-audit stage, an overall review, an automated tool scan, the drawing of data flow diagrams, the testing phase, and the outlining of remediation strategies, culminating in a comprehensive report and a security score which were presented to EBSI.

The final Smart Contracts audit score: 9.6/10

For security reasons, specifics about the audit and vulnerabilities cannot be shared, however, Hacken confirmed that their findings played a significant role in strengthening the security and functionality of EBSI’s operations and asserted that the EBSI team was quick and decisive in addressing any identified issues.

The final scores determined by Hacken are considered ‘exceptionally high for all the audited services’, with an average score of 9.6 out of ten across all domains.

Testimonial from the Hacken team:

“After our comprehensive audit of EBSI's Smart Contracts, it's clear that their platform excels in both security and performance. Notably, they achieved a perfect average security score of 10 across all smart contracts involved, an exceptional accomplishment in this field. Coupled with an overall audit score of 9.6 out of 10, EBSI's prompt and effective actions in addressing audit findings demonstrate an unparalleled commitment to trust, integrity, and operational excellence.”