Audit Research

Last updated 4 months ago

The following information is always in draft status and should be used as a guide. If you are a security professional, please join our research and contribute to our ongoing effort!

Risk Associated Questions to Consider

The associated risk (potential threat level) of a smart contract will dictate the level of auditing it needs to go through. Here are a few questions you can ask yourself to ascertain its associated risk level:

  1. Does it control funds?

  2. Are official decisions derived from it?

  3. What potential network effect impacts could it have?

    • network congestion

    • associated costs of usability depending on current network congestion

    • Examples in the wild to learn from?

Levels of Auditing

Once you have figured out the risk of a given smart contract, then you can decide what type of auditing it should go through for deployment.

  • Internal Review - within working group

  • Internal Review - including internal auditor outside working group

  • 1 round of external 3rd party auditing

  • $n$ rounds of external 3rd party auditing

Topics to be Audited

Here is a list of topics to be aware of when performing audits:

  • Unit tests passing

  • Compilator warnings

  • Race Conditions. Reentrancy. Cross-function Race Conditions. Pitfalls in Race Condition solutions

  • Transaction-Ordering Dependence (front running)

  • Timestamp Dependence

  • Integer Overflow and Underflow

  • DoS with (unexpected) Revert

  • DoS with Block Gas Limit

  • Methods execution permissions

  • Oracles calls

  • Private user data leaks

  • Forcibly sending ether to a contract

  • Ownership of the deployed contract