Tezos Blockchain: In-depth Analysis from the Audit Perspective 

Tezos Blockchain: In-depth Analysis from the Audit Perspective 

Tezos Blockchain: In-depth Analysis from the Audit Perspective 

Tezos Blockchain: In-depth Analysis from the Audit Perspective 

Tezos Blockchain: In-depth Analysis from the Audit Perspective 

Read Time: 5 minutes

Tezos blockchain project had a splendid start by raising $232 million with the Initial Coin Offering, obtaining second place in receiving the biggest funds among the 20 largest ICOs.

Amongst the most popular blockchain networks, such as Ethereum or Bitcoin, how was Tezos able to gain all the hype? To find out the answer, let’s take a closer look at the distinctive attributes of Tezos that have attracted hordes of supporters. 

While the blockchain that emerged during its times worked on Proof-of-Work(PoW) consensus, Tezos blockchain was innovative in using Proof-of-Stake(PoS) based consensus with a self-amending mechanism and on-chain governance

As a result of which, Tezos got into the limelight as the perfect alternative for building eco-friendly DeFi applications that require substantially less energy and low costs. So, how does the Tezos infrastructure equates to the flexibility in implementing upgrades much more easily?

That gets us to learn about the architectural set-up, which adds value to the Tezos.

Smart Contracts on Tezos

Smart contracts are executable contracts programmed to process the exchange of tokens between two parties without requiring either of the parties to trust the other. 

When it comes to Tezos, it is uniquely written using the Michelson programming language. Furthermore, Tezos employs formal verification to ensure the correctness of the code, which makes it more secure and reliable. 

Enumerating The Specifics of The Tezos Blockchain

The highlights of the Tezos are given here for a better understanding of its configuration and uniqueness. 


Tezos, which validates blocks operating on the consensus algorithm, is built-in with a self-amendable mechanism. Any amendments to the protocol, such as switching to a different consensus, modifying the reward system, adding transactions, etc., are implemented based on the on-chain voting system. 

Any minor to major changes in the Tezos economic protocol is triggered by the on-chain voting procedure. This self-amending protocol has the upper hand in avoiding the forks or splitting in the community.

On-chain governance

Tezos stands contrary to Bitcoin and Ethereum, which followed the non-formalized governance systems which led to the blockchain splits (Bitcoin Cash and Ethereum classic). 

The on-chain governance in Tezos facilitates the “Bakers”, aka Miners, to propose and cast votes on protocol upgrades. The on-chain methodology in Tezos is designed to automatically implement the upgrades in the underlying protocol’s code without going through a centralized director. 

Proof-of-stake consensus: The PoS

The PoS consensus in Tezos allows anyone to participate. In order to be a Tezos baker who validates the block and enables consensus building, the baker should possess a minimum holding of XTZ(native) tokens. 

It also adopts a method where if the user doesn’t have enough to spare for baking, they can delegate XTZ tokens to a baker with a big Tez bankroll. In turn, the rewards earned by the baker are re-distributed to the delegators. 

Exploit grounds found in Tezos smart contracts

One of the audit reports revealed errors in the message-passing architecture of Tezos smart contracts. We shall decode them here now. 

Message passing architecture

An external contract which is supposed to be called during the execution of the function is instead queued in a list of calls to be executed in the Tezos contract. 

The order found in Tezos contract is, 

  • Execute a() # Next calls: [b, d]
  • Execute b() # Next calls: [d, c]
  • Execute d() # Next calls: [c]
  • Execute c() # Next calls: []

Wherein you can see that code d() is executed before code c().

This type of execution has the possibility for two types of vulnerabilities,

Callback Authorization Bypass

The architecture of Tezos is built to prevent the contract from reading the return value of an external call using the callback function. But here, since there’s no restriction, the use of callback may lead to access control issues. 

Call Injection

It offers scope for the attacker to compromise the contract by injecting calls between a function and an external call generated. 

On the execution of the functions, the generated calls are queued in the list of calls to be executed. An attacker can gain an advantage by placing their call in the queue and executing the code between the end of the executed function and the generated calls. 

When the attacker’s call is executed, the contract’s balance or the memory of the contract goes to an invalid state, and the attacker successfully achieves the call injection. 

Precautions To Be Observed While Coding Tezos Smart Contract Using Michelson

Michelson programming language is a go-to option for writing secure contracts resistant to data leaks and fund thefts. Although the programming language is so strong, there is a list of mistakes that can appear in the contract. 

Let’s understand the common mistakes and the ways to rule out the errors.

Refunding To A List Of Contracts

This is a condition wherein a group of people’s funds are refunded at once. It occurs on accepting arbitrary contracts where a malicious user initiates such an issue. 

The possible issues from this error are a contract swallows all the gas through a series of callbacks, the ‘FAIL’ instruction is called that stops all computation, reentrancy errors and so on. 

What’s the solution?

Default accounts do not execute the code; therefore, the above issue can be sorted by creating a default account from people’s keys. Also, it can be programmed to have users pull their funds individually. 

Not Setting State Before Transfer

Reentrancy is a common hurdle in the blockchain. When the contract calls to another external contract for making transfers, the arbitrary gains an upper hand in making further transfers if the state is not updated after each transfer.

It causes multiple withdrawals of funds from the contract. 

What’s the solution?

Be careful while making calls to external contracts, and make sure that their behaviour cannot be modified. To forbid reentrancy, flag in the storage so that users cannot reenter unless they have a good reason. 

Storing Or Transferring Private Data

The data which is published could be viewed explicitly. That means the private information becomes visible to everyone when the transaction is broadcasted. This gives a chance for the malicious node in the system to manipulate the unsigned transaction by delaying or modifying them. 

What’s the solution?

Sign the transactions that contain sensitive information. Using counters to enforce transaction orders can solve the issue. 

Ensure Pro Protection To Projects Through Tezos Smart Contract Audits

Tezos built with a self-amending structure offer better scalability and reliability, but although security is always a matter of question for blockchain-based applications. The smallest of issues can cause the biggest fund loss. 

And that’s where QuillAudits takes a step forward to protect the assets from the grip of bad actors. We give them no chance of exploiting the contract as we recognize and fix those issues by conducting thorough Tezos smart contract audits. 

Have a free consultation with our experts to learn about our auditing services. 


Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+