Our Auditing Services

Introduction

What are smart contract audits?

  • Provide checks on code quality and consistency
  • Analyse the code for common errors (variable type errors, compilation errors, etc.)
  • Security audits are necessary because smart contracts frequently hold or move financial assets, so rigorous checking is needed to ensure the safety of those assets.

Types of auditing

  1. Manual Auditing
  2. Automated Auditing

The benefits of auditing

  • Risk Identification: highlighting any security issues in the contract before it is launched on the blockchain, so they can be addressed proactively before serious issues (i.e. exploits) arise.
  • Code Improvements: checking the quality of the code, including adherence to best practices, ensures that it is readable and maintainable and helps produce a more secure and robust contract.
  • Gas Optimisation: an audit can check how efficiently the contract uses gas and suggest changes to reduce gas costs.
  • Performance: checking contract executions and the variations that may occur can reveal possible unintended outcomes and identify opportunities to improve performance.
  • Credibility: showing that your contract has passed an audit offers users some assurance that the contract works as intended (this should not, however, be taken as a guarantee).
  • Compliance: a smart contract may need an audit as part of compliance when performing regulated activity (Cryptoassets: AML/CFT regime).

Our auditing process

  • We review the source code and the scope of the audit, and agree a timescale and price.
  • We check the code manually to ensure that the logic is resistant to common attack vectors.
  • We run tools to check the contracts for known vulnerability patterns.
  • We debrief with the development team to discuss the findings.
  • We produce audit reports that highlight any security risks to the project and its users and recommend remediation. As the client fixes the issues, we retest and issue a new report.

What we look for during an audit

  1. Sound architecture
  • Critical: ranked as very serious and dangerous to users and to the secure working of the system. Likely to lead to exposure of sensitive information and serious financial ramifications for the client and users. Needs immediate fixes and further checking to ensure it has been remedied.
  • High: ranked as serious; could lead to unreliable working of the system and has the potential to cause moderate financial impact and/or sensitive information leaks. Needs immediate fixes and further checking to ensure it has been remedied.
  • Medium: ranked as a medium risk; could lead to potential financial loss or leakage of sensitive client and user information. Should be addressed.
  • Low: ranked as low; has a relatively small chance of being exploited. Does not pose an immediate operational threat but is not in line with best practices.

Tools that we use for Solidity Audits

  1. Established Checklists
  • SWC-132: Unexpected Ether balance
  • SWC-131: Presence of unused variables
  • SWC-128: DoS With Block Gas Limit
  • SWC-122: Lack of Proper Signature Verification
  • SWC-120: Weak Sources of Randomness from Chain Attributes
  • SWC-119: Shadowing State Variables
  • SWC-118: Incorrect Constructor Name
  • SWC-116: Timestamp Dependence
  • SWC-115: Authorization through tx.origin
  • SWC-114: Transaction Order Dependence
  • SWC-113: DoS with Failed Call
  • SWC-112: Delegatecall to Untrusted Callee
  • SWC-111: Use of Deprecated Solidity Functions
  • SWC-108: State Variable Default Visibility
  • SWC-107: Reentrancy
  • SWC-106: Unprotected SELFDESTRUCT Instruction
  • SWC-104: Unchecked Call Return Value
  • SWC-103: Floating Pragma
  • SWC-102: Outdated Compiler Version
  • SWC-101: Integer Overflow and Underflow
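
To make the checklist concrete, here is an added example (constructed for this page, not code from the original post or from Extropy) of a deliberately vulnerable vault that trips several of the items above at once, a minimal attacker that exploits the reentrancy, and the hardened version an auditor would expect to see. The contract names and the 0.8.20 compiler version are assumptions for the example; the SWC IDs in the comments are the ones in the list above.

```solidity
// SPDX-License-Identifier: MIT
// SWC-103 / SWC-102: pin one recent compiler release instead of a floating
// range such as ^0.7.0, so the audited bytecode is reproducible.
pragma solidity 0.8.20;

// Constructed example. Every issue flagged here is fixed in HardenedVault.
contract VulnerableVault {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() {
        owner = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // SWC-107: the external call runs before the balance is zeroed, so a
    // contract recipient's receive() can call withdraw() again while its
    // recorded balance is unchanged and drain the vault.
    // SWC-104: the success flag returned by call() is ignored.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        msg.sender.call{value: amount}("");
        balances[msg.sender] = 0;
    }

    // SWC-115: tx.origin is the account that signed the transaction, not the
    // immediate caller. If the owner is lured into calling an attacker's
    // contract, that contract can call sweep() and pass this check.
    function sweep(address payable to) external {
        require(tx.origin == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

// Minimal attacker for SWC-107: re-enters withdraw() from receive().
contract Attacker {
    VulnerableVault private immutable target;
    uint256 private stake;

    constructor(VulnerableVault t) {
        target = t;
    }

    function attack() external payable {
        stake = msg.value;
        target.deposit{value: stake}();
        target.withdraw(); // first withdrawal; receive() below re-enters
    }

    receive() external payable {
        // balances[this] is still `stake` because the vault zeroes it only
        // after the call returns, so keep withdrawing while funds remain.
        if (address(target).balance >= stake) {
            target.withdraw();
        }
    }
}

contract HardenedVault {
    address public immutable owner;
    mapping(address => uint256) public balances;
    bool private locked; // reentrancy mutex

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() {
        owner = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: update state before the external call,
    // keep the mutex as defence in depth, and check the call succeeded.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // msg.sender is the immediate caller, so an intermediary contract cannot
    // pass this check on the owner's behalf. (An owner able to drain user
    // deposits is itself a finding an audit would raise as centralisation risk.)
    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

Tools such as Slither or Mythril report the first three issues automatically; the tx.origin check and the owner's ability to sweep deposits are the kind of logic and trust findings that the manual review step exists to catch.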

An Example of a failed verification from Scribble

Fuzz testing

  1. Helps find edge cases and improve coverage.
  2. Removes assumptions that the tester and developer may have had about the functionality, assumptions that an attacker might not share.
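
As an added example of the second point (constructed for this page, not code from the original post or from Extropy), the Foundry fuzz test below targets a hypothetical PaymentSplitter whose author assumed that paying each of n recipients amount / n pays out the whole amount. The fuzzer breaks that assumption with the first amount not divisible by n, and the same property passes against the corrected function. It assumes a Foundry project with forge-std available; the contract, function and test names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Assumes a Foundry project; forge-std provides Test, bound() and assertEq().
import "forge-std/Test.sol";

// Hypothetical contract under test, constructed for this example. The developer's
// assumption: crediting each recipient `amount / n` pays out the whole amount.
contract PaymentSplitter {
    mapping(address => uint256) public owed;

    // Naive split: integer division silently drops the remainder.
    function split(address[] calldata recipients, uint256 amount) external {
        require(recipients.length > 0, "no recipients");
        uint256 share = amount / recipients.length;
        for (uint256 i = 0; i < recipients.length; i++) {
            owed[recipients[i]] += share;
        }
    }

    // Fixed split: the remainder is credited to the first recipient instead of
    // being lost, so the amount is conserved for every input.
    function splitExact(address[] calldata recipients, uint256 amount) external {
        require(recipients.length > 0, "no recipients");
        uint256 share = amount / recipients.length;
        uint256 remainder = amount % recipients.length;
        for (uint256 i = 0; i < recipients.length; i++) {
            owed[recipients[i]] += share;
        }
        owed[recipients[0]] += remainder;
    }
}

contract PaymentSplitterFuzzTest is Test {
    PaymentSplitter private splitter;
    address[] private recipients;

    function setUp() public {
        splitter = new PaymentSplitter();
        recipients.push(address(0x1));
        recipients.push(address(0x2));
        recipients.push(address(0x3));
    }

    function totalOwed() internal view returns (uint256 total) {
        for (uint256 i = 0; i < recipients.length; i++) {
            total += splitter.owed(recipients[i]);
        }
    }

    // forge calls this with random `amount` values (256 runs by default).
    // Property: the total credited equals the amount split.
    // This test FAILS for any amount not divisible by 3 (amount = 1 leaves
    // 1 wei unaccounted for), which is exactly the assumption the fuzzer is
    // there to break; forge prints the counterexample it found.
    function testFuzz_SplitConservesAmount(uint256 amount) public {
        amount = bound(amount, 0, 1e30); // keep totals well below uint256 max
        splitter.split(recipients, amount);
        assertEq(totalOwed(), amount, "dust lost to integer division");
    }

    // The same property holds for the fixed version on every input.
    function testFuzz_SplitExactConservesAmount(uint256 amount) public {
        amount = bound(amount, 0, 1e30);
        splitter.splitExact(recipients, amount);
        assertEq(totalOwed(), amount);
    }
}
```

Run with `forge test`. The value of the exercise is the property, not the specific counterexample: once "total credited equals amount" is written down as an assertion, every input the fuzzer generates is checked against it rather than against the developer's mental model of "typical" amounts.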

Cairo Audits

London Blockchain Security Group

Contact Us

Extropy.IO

Oxford-based blockchain and zero knowledge consultancy and auditing firm