Audit of Smart Contracts
We review the project specification and the source code of the smart contracts, verify that the implementation matches the specification, and assess overall security with a focus on weaknesses and exploitable vulnerabilities. Each finding is accompanied by a recommended fix that mitigates the risk of future attacks or loopholes.
Problems of Smart Contracts
- Inconsistency between the specification and the implementation
- Flawed design, business logic, or access control (missing or incorrect authorization checks on privileged functions)
- Integer arithmetic errors (overflow and underflow) in contracts compiled without checked arithmetic
- Reentrancy attacks, code injection attacks (e.g. via untrusted delegatecall targets), and denial-of-service attacks
- Exceeded limits on contract bytecode size and block gas usage (functions that can no longer be executed once state grows)
- Miner manipulation of block timestamps and transaction ordering; transaction-ordering dependence (TOD) and front-running
- Race conditions and other known attack patterns
Methods and Tools
Our smart-contract audits follow these requirements:
- The goal of the audit is a meticulous code analysis to find security flaws and vulnerabilities.
- The audit combines manual review with automated tools and techniques to identify vulnerabilities in the target contracts and to model how they could be exploited.
- The audit consists of the following stages:
  - Overall analysis of the code and the application it supports
  - Documentation review
  - Brief code overview: quick analysis of the smart-contract functionality, the main .sol contracts and their inheritance structure, and the cryptography, third-party modules, and libraries in use
  - Detailed analysis of the application, each of its actions, all requests and input fields, and nested modules
  - Bug scanning: automated analysis of the source code and the compiled bytecode to identify deviations from coding guidelines and security best practices
  - Scanner results verification: the team reviews every scanner result to separate false positives from findings that genuinely affect the security of the contracts
- The tests are conducted by a team of specialists with more than 17 years of experience across IT security domains, including CISSP, OSCP, CISA, and CEH certification holders.
- The code review follows established best practices: the Solidity Style Guide and the Ethereum Smart Contract Security Best Practices.
Tools we use include Slither, Securify, Mythril, MythX, Sūrya, Solgraph, solhint, Truffle, Ganache, Geth, Mist, and MetaMask.
The project deliverable is a Smart Contract Audit Report with a structure similar to the following:
- Executive summary
- Project approach
- Rules of Engagement
- Description of security audit methodology
- Scope description
- Findings and recommendations
- Workflow of security audit
- Further information on findings and detailed recommendations
- Summary recommendations and further steps