DERUUA

Audit of Smart Contracts

We review and verify project specifications and the source code of smart contracts to assess their overall security, with a focus on weaknesses and potential vulnerabilities. We complement our findings with solutions that mitigate the risk of future attacks or loopholes.

Learn more about the problems that we solve, the methods and tools we use, and about the deliverables we provide.



Problems of Smart Contracts

  • Inconsistency between specification and implementation
  • Flawed design, logic, or access control
  • Arithmetic errors (integer overflow and underflow)
  • Reentrancy attacks, code injection attacks, and Denial of Service attacks
  • Exceeded limits on bytecode size and gas usage
  • Miner manipulation of timestamps and transaction ordering (transaction-ordering dependence, TOD)
  • Race conditions, access control violations, and other known attack classes
 

Methods and Tools

Our audits of smart contracts comply with the following requirements:

  1. The goal of the smart-contract audit is a meticulous code analysis to find security flaws and vulnerabilities.
  2. The security audit is performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and to model their exploitation.
  3. The smart contract audit includes the following stages:
    • Overall analysis of the code and application
    • Documentation review
    • Brief code overview: quick analysis of the smart contract functionality, main .sol contracts, etc.; analysis of cryptography, third-party modules, and library structure
    • Detailed analysis of the application, each of its actions, all requests, input fields and nested modules
    • Bug scanning: scanning the application on appropriate binary and source levels to identify potential deviations from coding guidelines and security practices
    • Scanner results verification: in this phase, the team reviews the scan results to identify which of them are false positives and which of them can affect the application's security
  4. The tests are conducted by a team of specialists with more than 17 years' experience in different IT security domains, holding CISSP, OSCP, CISA and CEH certifications.
  5. In general, the code review follows the best practices: Solidity Style Guide and Ethereum Smart Contract Security Best Practices.

The tools we use: Slither, Securify, Mythril, Sūrya, Solgraph, Truffle, Geth, Ganache, Mist, MetaMask, solhint, MythX, etc.

 

Deliverables

Project deliverables include the Report on Audit of Smart Contract with a structure similar to the following sample:

  1. Executive summary
  2. Project approach
    • Rules of Engagement
    • Description of security audit methodology
    • Scope description
  3. Findings and recommendations
  4. Workflow of security audit
  5. Further information on findings and detailed recommendations
  6. Conclusion
  7. Summary recommendations and further steps

We are passionate about what we do because we believe that we make this world safer and give people reassurance and confidence.





Our certificates:

(ISC)2
CISSP
ISACA
CISA
CISM
Offensive Security
OSCP
PECB
LPTP
Microsoft
Qualys
BSI