Find out what the price of a smart contract audit consists of, when to perform it, and what the audit process and report should look like.

You devote yourself to a project you believe in. You build it by staying up all night with your team, which costs you tons of work and stress, and when your project is finally ready for release, there is a red light. You have to do one more thing. What if someone hacks us? Security is not something that can be ignored. It has a significant influence on a project's potential success and longevity. We understand your concerns and will help you reduce the risk and minimize code errors.

What is a smart contract audit?

A smart contract audit process is a comprehensive review and evaluation of a smart contract's code and functionality to identify any potential security vulnerabilities, bugs, or deviations from best practices according to the established checklist.

Fun fact - currently, there is no single checklist or standard on the market that all smart contract service providers follow. That is why, strictly speaking, most companies perform smart contract security reviews rather than audits, even though "audit" is the term that has been adopted.

We are trying to change this and help the whole space establish audit practices by developing the Smart Contract Security Verification Standard (SCSVS), which we have been working on since 2019 - you can check it out here.

An audit is only one of the stages

We've already helped dozens of projects keep their products and systems secure, but we believe we can do even more. Blockchain security should be adapted to each stage of development.

The smart contract audit should take place in three situations from your perspective:

When to order a smart contract audit

  • Before the release - test of the whole protocol, including integrations between smart contract components,
  • Significant changes - updates affecting the business logic of individual (and multiple) components,
  • Cross-check - if the budget allows it, rotate smart contract auditing companies and test the code with several independent providers.

In other cases, it is worth using other services and smart contract audit tools such as threat modeling, security consultation, implementing monitoring, or joining the bug bounty program.

*We will write more on the Smart Contract Security Development Life Cycle soon; subscribe to our newsletter so you do not miss it!

Smart contract security audit

If you are in one of the three situations mentioned, let us show you what to expect from a professional smart contract security review service, how we approach our clients, and what a properly performed smart contract audit involves.

After you contact us

The best way to contact us is to complete the short form on our website.

Smart contract audit contact form

After receiving a message from you, a chosen specialist will contact you within 1 business day.

You will receive our company profile so that you can get to know us better and you will be offered a short introductory meeting to better understand your situation and needs.

At this stage, expect questions such as:

  • What is your goal?
  • What is your business model?
  • What are your current priorities?
  • Do you plan to update the project?
  • How have you ensured the smart contract security so far?

  • We want you to get what you need.

Advice on how to prepare for a smart contract audit

If the most suitable service for you is an audit, you will get a ready-made checklist of things worth doing before the security audit. To make good use of the time allocated to the audit, it is worth taking care of what needs to be done beforehand. Cleaning up and documenting the smart contract code is crucial for the cooperation to focus on what is important and go smoothly.

  • A detailed checklist is available here.

Deep understanding of the project

The smart contract code is neither bad nor good; it just does what it does. Therefore, instead of assuming your intentions, we try to get to know and understand them. We ask a number of questions such as:

  • Which elements and assumptions are crucial for proper operation and smart contract deployment?
  • Do you have any defined invariants?
  • How does governance work now and how is it planned to work in the future?

and many others…

We do all this by communicating closely with you and your team via Slack, Telegram, Signal or any other channel you prefer.

  • This allows us to dive deeper into the project faster and understand what you want to achieve.

Initial threat modeling

Thanks to the accumulated knowledge about your project, we draw a diagram with its key components and business flows.

Threat modeling diagram example

This diagram is the basis on which an intensive three-round thought process takes place to identify threats.

  1. The first round is based on threats identified by our auditors through manual review. We rely on the experience and extensive knowledge of our smart contract auditors.
  2. The second round is based on the detailed analysis of additional threats included in our constantly expanding Smart Contract Security Verification Standard.
  3. The third round is based on searching the network and vulnerability databases such as Solodit for similar components to check what vulnerabilities have been identified by other smart contract auditors.

After all this, we have a well-thought-out list of threats to be verified during the security review. However, this is not the end. New ones are added during testing.

To go even further, we often send the diagram and potential threats to the team so that they can consider the presence of potential security vulnerabilities in the code together with us and possibly supplement them with their own threats based on past experiences and audits.

We believe a smart contract audit is not about delegating security to another company. It is about teamwork with a clear goal - reducing risk as much as possible.

  • We focus on real threats and cooperate with your team.

Automated tools testing

We complement our work with our own Slither detectors and Semgrep rules, which are intended not only to automate the detection of repeatable security issues but, above all, to free up time to focus on project-specific threats and those related to business logic or integration. In addition, we use Solhint for security and style validation, and npm audit to check your dependencies.

After each security review, we discuss newly discovered vulnerabilities and automate them when it’s worth it or add them to checklists to constantly expand them.

  • We effectively use the time allocated to the smart contract audit.

Manual verification

Your code is manually reviewed by at least 2 smart contract auditors.

We write custom scripts, work with your existing tests and do fuzzing in places that require it. This is the most time-consuming phase, in which we go line by line to verify the presence of integration and business logic vulnerabilities.

  • We verify attack scenarios tailored to your project.

Communication during the smart contract audit

Knowing your situation, we know whether you expect vulnerabilities to be reported as soon as they are detected and to receive an initial report or whether you prefer not to distract the team and read the final audit report when everything is ready.

It is these small details in communication that determine how cooperation proceeds. We want it to be valuable for you and consistent with your needs.

  • You decide how often we update the status.

Report

Detecting vulnerabilities is not the end of our work. We focus on making the smart contract audit report an excellent source of information for your team. We make every effort to describe the problems in a comprehensible way.

The executive summary section will give you a quick insight into the most important conclusions from the audit.

  • Summary of the project
  • Number of audit findings and their impact on risk
  • Possible consequences of an exploitation of the most relevant vulnerabilities
  • Conclusions and reflections after the smart contract audit
  • Actions and recommendations

The charts we use clearly show the vulnerability status after the security review.

Chart with detected smart contract vulnerabilities

Each vulnerability has a realistic risk assessment, a detailed description and the steps that should be taken to remove it.

Smart contract vulnerability description

In addition to vulnerabilities, we also provide a number of recommendations for both the current code and long-term best security practices.

  • Improve your team's security knowledge with our report.

Time for improvements

After receiving the smart contract audit report, it is your time to implement the recommendations. We stay in touch all the time. Your developers can ask questions via a joint channel, and discuss other solutions. We can even organize a joint video call with a smart contract auditor and go through the audit report together.

  • Take your time to implement the changes.

Retests

After introducing the changes, we will perform a one-time verification to make sure that the recommendations from the smart contract audit report have been introduced in the right way and that the found vulnerabilities do not exist anymore.

After the retest, you can clearly see how the project status has changed.

Chart with detected vulnerabilities after retest

  • We double-check your security.

How much does a smart contract audit cost?

As engineers, we have to answer you - it depends.

Smart contract audit cost

This service is always a balance between minimizing the risk of smart contract vulnerabilities and the cost on the client's side. The price of the security audit depends on many factors, but the following have a key impact on it:

  • number of lines of Solidity code (nSLOC),
  • the complexity of the code,
  • documentation quality and code clarity,
  • whether the auditors know your protocol and the components you use,
  • whether you are using standard implementations or implementing something from scratch,
  • the deadline for the smart contract security audit.

If you want to minimize the cost of the audit and maximize its effectiveness, use the checklist prepared by us.

Final words

Throughout the entire process, we want to work closely with you and adapt the service to your needs.

We want to watch your project grow and take on new challenges together. We support a long-term vision and take comprehensive care of your smart contract security.

Get help at any stage of your journey.

If you have any questions or need help, contact us.


Subscribe to the newsletter to not miss any of the future articles. Composable Security 🇵🇱⛓️ is a company that increases the security of projects based on solidity smart contracts.

If you need support in the field of security or auditing smart contracts do not hesitate to contact us.

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.
