Audit Research

The following information is always in draft status and should be used as a guide. If you are a security professional, please join our research and contribute to our ongoing effort!

Risk Associated Questions to Consider

The associated risk (potential threat level) of a smart contract will dictate the level of auditing it needs to go through. Here are a few questions you can ask yourself to ascertain its associated risk level:
  1. 1.
    Does it control funds?
  2. 2.
    Are official decisions derived from it?
  3. 3.
    What potential network effect impacts could it have?
    • network congestion
    • associated costs of usability depending on current network congestion
    • Examples in the wild to learn from?

Levels of Auditing

Once you have figured out the risk of a given smart contract, then you can decide what type of auditing it should go through for deployment.
  • Internal Review - within working group
  • Internal Review - including internal auditor outside working group
  • 1 round of external 3rd party auditing
  • $n$ rounds of external 3rd party auditing

Topics to be Audited

Here is a list of topics to be aware of when performing audits:
  • Unit tests passing
  • Compilator warnings
  • Race Conditions. Reentrancy. Cross-function Race Conditions. Pitfalls in Race Condition solutions
  • Transaction-Ordering Dependence (front running)
  • Timestamp Dependence
  • Integer Overflow and Underflow
  • DoS with (unexpected) Revert
  • DoS with Block Gas Limit
  • Methods execution permissions
  • Oracles calls
  • Private user data leaks
  • Forcibly sending ether to a contract
  • Ownership of the deployed contract