Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
43 lines (32 sloc) 1.68 KB

Audit Research

The following information is always in draft status and should be used as a guide. If you are a security professional, please join our research and contribute to our ongoing effort!

Risk Associated Questions to Consider

The associated risk (potential threat level) of a smart contract will dictate the level of auditing it needs to go through. Here are a few questions you can ask yourself to ascertain its associated risk level:

  1. Does it control funds?
  2. Are official decisions derived from it?
  3. What potential network effect impacts could it have?
    • network congestion
    • associated costs of usability depending on current network congestion
    • Examples in the wild to learn from?

Levels of Auditing

Once you have figured out the risk of a given smart contract, then you can decide what type of auditing it should go through for deployment.

  • Internal Review - within working group
  • Internal Review - including internal auditor outside working group
  • 1 round of external 3rd party auditing
  • $n$ rounds of external 3rd party auditing

Topics to be Audited

Here is a list of topics to be aware of when performing audits:

  • Unit tests passing
  • Compilator warnings
  • Race Conditions. Reentrancy. Cross-function Race Conditions. Pitfalls in Race Condition solutions
  • Transaction-Ordering Dependence (front running)
  • Timestamp Dependence
  • Integer Overflow and Underflow
  • DoS with (unexpected) Revert
  • DoS with Block Gas Limit
  • Methods execution permissions
  • Oracles calls
  • Private user data leaks
  • Forcibly sending ether to a contract
  • Ownership of the deployed contract