Introduction to Auditing and our smart contract audit process

1. What are smart contract audits?

  • Provide checks on the code quality and consistency
  • Analyse the code for common errors (variable types errors, compilation errors etc.)

2. Types of auditing

3. The benefits of auditing

4. Common exploits

function withdraw(uint256 amount) public returns (uint256) { require(amount <= balance[msg.sender]); require(msg.sender.call.value(amount)());
balance[msg.sender] -= amount;
return balance[msg.sender];
}
function reentrancyAttack() public payable { targetAddress.withdraw(amount); 
}
function () public payable {
if(address(targetAddress).balance >= amount) { targetAddress.withdraw(amount);
}
}
mapping(address => uint256) public balance; function transfer(address _recipient, uint256 _amount) { require(balance[msg.sender] >= _amount); 
balance[msg.sender]-= _amount;
balance[_recipient] += _amount;
}
contract Auctioneer { uint256 currentHighestBid; 
address currentHighestBidder;
function bid() payable {
//new value check
require(msg.value > currentHighestBid);
//return funds require(currentHighestBidder.send(currentHighestBid)); //modify higher bidder information
currentHighestBidder = msg.sender;
currentHighestBid = msg.value;
}
}

5. Our auditing process

  1. Review source code and scope of the audit and agree timescale and price
  2. Check the code manually to ensure that the logic is resistant to common attack vectors.
  3. Use tools to check the contracts for vulnerabilities.
  4. Debrief with team to discuss findings.
  5. Creation of an audit report that highlights any security risk to the project and its users and recommend remediation.

What we look for during an audit

Gas Optimisation

//SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;

contract multiplication {

uint256 amount = 13;
uint256 newAmount;

function multiplyAmount(uint256 multiplyBy) external {
uint256 multipliedAmount;
for (uint256 ii = 0; ii < multiplyBy; ii++) {
multipliedAmount += amount;
}
newAmount = multipliedAmount;
}

function getNewAmount() public view returns (uint256) {
return newAmount;
}
}
struct myStruct {
uint64 number1;
uint128 number2;
uint256 number3;
uint64 number4;
}
struct myStruct { 
uint64 number1;
uint64 number4;
uint128 number2;
uint256 number3;
}
string[7] daysOfTheWeek;
uint256 randomNumber = 0; 
uint256 randomNumber;
import ‘./SafeMath.sol’ as safeMath;contract SafeCalculations { function computeSubtraction(uint256 x, uint256 y) public view returns(uint256) { 
return safeMath.sub(x, y);
}
}

Tools we use to support our process

Timescales

6. Complimentary processes for ensuring code security

7. Disclaimer

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Extropy.IO

Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm