How do I audit Solidity smart-contracts

1. Preparing the smart contract for audit is done by the client:

  • Preparing the documentation for the smart contract (the documentation must be provided by the client):
    • the technical task (specification) on the basis of which the smart contract was developed;
    • the technical description, i.e. a description of the final result: what each function is intended for, which user roles exist in the smart contract (for example, owner, admin, ordinary user), and which actions on the smart contract should be available to each specific role;
  • Covering the smart contract with unit tests (the Hardhat project files, with the unit tests already written, are provided by the client);
  • Checking that the smart contract code is 100% covered by tests;

2. Pre-reading the smart contract, checking the code for obvious problems

  • At this stage, the smart contract can be returned for revision with a brief comment;

3. Smart contract code analysis

  • Running the unit tests and checking that the results match the technical description of the smart contract;
  • Filling out a preliminary report on how well the actual behaviour of the smart contract matches its technical description; at this stage the contract can be returned to the developers for revision together with the preliminary report;
  • Scanning the smart contract with automated tools (Slither, Mythril, Solgraph, Echidna);
  • Manually verifying the smart contract code against the security requirements at https://entethalliance.github.io/eta-registry/security-levels-spec.html;
  • Filling out a report covering the well-known vulnerabilities found (see the SWC registry, https://swcregistry.io/docs/SWC-100) as well as a number of additional ones, and grading the vulnerabilities and problems found by category (critical, medium, minor).
    At this stage the contract, together with the draft report, can be returned to the developers for revision;

4. Compilation of the final report
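Two of the gates above lend themselves to automation: the "100% covered by tests" check from step 1 and the grading of scanner findings into critical/medium/minor from step 3. The script below is an added example written for this post, not code from the original article or from any of the tools it names. It assumes the coverage summary is in Istanbul "json-summary" format (the reporter solidity-coverage can be configured to emit) and that the findings are the JSON written by `slither . --json <file>`; the mapping of Slither impact levels onto the report's three categories is the auditor's own choice, and both sample inputs are constructed inline so the script runs offline.

```python
"""Gate an audit run on test coverage and grade static-analysis findings.

Added example, not part of the original post. Assumptions: the coverage
summary is Istanbul "json-summary" output (solidity-coverage / hardhat with
that reporter enabled) and the findings are the JSON that
`slither . --json <file>` writes. Both sample inputs below are constructed.
"""
import json

# Step 3 gradation: map Slither "impact" values onto the report's categories.
# This mapping is an assumption made for the example, not a Slither default.
IMPACT_TO_CATEGORY = {
    "High": "critical",
    "Medium": "medium",
    "Low": "minor",
    "Informational": "minor",
    "Optimization": "minor",
}

# Constructed coverage summary for one contract that is NOT fully covered.
CONSTRUCTED_COVERAGE_SUMMARY = json.dumps({
    "total": {
        "lines":      {"total": 40, "covered": 38, "skipped": 0, "pct": 95.0},
        "statements": {"total": 42, "covered": 40, "skipped": 0, "pct": 95.24},
        "functions":  {"total": 6,  "covered": 6,  "skipped": 0, "pct": 100.0},
        "branches":   {"total": 8,  "covered": 6,  "skipped": 0, "pct": 75.0},
    },
    "contracts/Vault.sol": {
        "lines":      {"total": 40, "covered": 38, "skipped": 0, "pct": 95.0},
        "statements": {"total": 42, "covered": 40, "skipped": 0, "pct": 95.24},
        "functions":  {"total": 6,  "covered": 6,  "skipped": 0, "pct": 100.0},
        "branches":   {"total": 8,  "covered": 6,  "skipped": 0, "pct": 75.0},
    },
})

# Constructed Slither output with one finding per impact bucket of interest.
CONSTRUCTED_SLITHER_JSON = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256) (contracts/Vault.sol#20-27)"},
        {"check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.isOpen() uses timestamp for comparisons"},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter Vault.deposit(uint256)._Amount is not in mixedCase"},
    ]},
})


def coverage_gaps(summary_json, required_pct=100.0):
    """Return per-file metrics below required_pct; an empty dict means the gate passes."""
    summary = json.loads(summary_json)
    gaps = {}
    for path, metrics in summary.items():
        if path == "total":  # the aggregate row is not a file
            continue
        short = {m: v["pct"] for m, v in metrics.items() if v["pct"] < required_pct}
        if short:
            gaps[path] = short
    return gaps


def grade_findings(slither_json):
    """Bucket Slither detector results into critical/medium/minor for the draft report."""
    report = json.loads(slither_json)
    if not report.get("success", False):
        raise ValueError(f"slither run failed: {report.get('error')}")
    graded = {"critical": [], "medium": [], "minor": []}
    for finding in report["results"]["detectors"]:
        category = IMPACT_TO_CATEGORY.get(finding["impact"], "minor")
        graded[category].append(f"{finding['check']}: {finding['description']}")
    return graded


def audit_gate(summary_json, slither_json):
    """Decide whether the contract goes back to the developers (step 1 and step 3 checks)."""
    gaps = coverage_gaps(summary_json)
    graded = grade_findings(slither_json)
    return_to_dev = bool(gaps) or bool(graded["critical"])
    return {"coverage_gaps": gaps, "findings": graded, "return_to_developers": return_to_dev}


if __name__ == "__main__":
    print(json.dumps(audit_gate(CONSTRUCTED_COVERAGE_SUMMARY, CONSTRUCTED_SLITHER_JSON), indent=2))
```

With real inputs you would read `coverage/coverage-summary.json` and the Slither JSON file instead of the constructed strings; the point of the shape is that the coverage gate is evaluated per file (a project total of 100% can hide a contract that is only partly exercised) and that every automated finding lands in one of the three report categories before the manual review in step 3 starts, so the draft report never silently drops a scanner result.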
