Find out what the price of the audit consists of, when to perform it, and what it should look like.

You devote yourself to a project you believe in. You build it by staying up all night with your team, at the cost of tons of work and stress, and when the project is finally ready for release, you hit a red light: there is one more thing to do. What if someone hacks us? Security is not something that can be ignored. It has a significant influence on a project's potential success and longevity. We understand your concerns and will help you minimize the risk.

What is a smart contract audit?

A smart contract audit is a comprehensive review and evaluation of a smart contract's code and functionality to identify any potential security vulnerabilities, bugs, or deviations from best practices according to the established checklist.

Fun fact: currently, there is no single checklist or standard on the market that all auditors follow. That is why most companies only perform smart contract security reviews, not audits, even though "audit" is the name that has been adopted.

We have been trying to change this by developing the Smart Contract Security Verification Standard (SCSVS) since 2019. You can check it out here.

An audit is only one of the stages

We've already helped dozens of projects keep their products and systems secure, but we believe we can do even more. Security should be adapted to each stage of development.

From your perspective, the audit should take place in three situations:

When to order an audit?

  • Before the release - test of the whole protocol, including integrations between components,
  • Significant changes - updates affecting the business logic of individual (and multiple) components,
  • Cross-check - if the budget allows, rotate audit companies and test the code with several independent providers.

In other cases, it is worth using other services and tools such as threat modeling, security consultation, implementing monitoring, or joining the bug bounty program.

*We will write more about the Smart Contract Security Development Life Cycle soon. Subscribe to our newsletter so you do not miss it!

Smart contract security audit

If you are in one of the three situations mentioned above, let us show you what to expect from a professional smart contract security review service.

Advice on how to prepare for an audit

You will get a ready-made checklist of things that are worth doing before the audit. To make good use of the time allocated to the audit, it is worth taking care of what needs to be done beforehand. Cleaning up and documenting the code of your smart contracts is crucial so that the cooperation focuses on what is important and goes smoothly.

  • A detailed checklist is available here.

Deep understanding of the project

It is important to us to understand: How is your project supposed to work? What is your business model? And which elements and assumptions are crucial for proper operation?

  • This allows us to give you much better advice and better suit your needs.

Initial threat modeling

Based on many years of experience, we focus on the most important threats during the audit. In addition to standard security issues, we extend our tests to include potential attack scenarios designed specifically for your project.

  • We focus on real threats.

Automated tests

We complement our work with checklists, custom scripts, and tools (e.g. Slither). This quickly gives us information about the general condition of the codebase and about standard vulnerabilities.

  • We effectively use the time allocated to the audit.

Manual verification

Your code is manually reviewed by auditors. This is the most time-consuming phase, during which we go line by line to check for integration and business logic vulnerabilities.

  • We verify attack scenarios tailored to your project.

Report

Detecting vulnerabilities is not the end of our work. We focus on making the report an excellent source of information for your team. We make every effort to describe the problems in a comprehensible way. Among other things, the report contains separate executive summary, vulnerability, and recommendations sections.

  • Improve your team's security knowledge with our report.

Time for improvements

After receiving the report, it is your time to implement the recommendations. We stay in touch all the time, open to discussions regarding the report.

  • Take your time to implement the changes.

Retests

After you introduce the changes, we will perform a one-time verification to make sure that the recommendations have been implemented correctly and that the vulnerabilities found no longer exist.

  • We double-check your security.

How much does a smart contract audit cost?

As engineers, we have to answer: it depends.

This service is always a balance between minimizing the risk of vulnerabilities and the cost on the client's side. The price of the audit depends on many factors, but the following have a key impact on the price.

Factors with key impact on the price:

  • number of lines of Solidity code (nSLOC),
  • the complexity of the code,
  • documentation quality and code clarity,
  • whether the auditors know your protocol and the components you use,
  • whether you are using standard implementations or implementing something from scratch,
  • the deadline for the audit.

If you want to minimize the cost of the audit and maximize its effectiveness, use the checklist prepared by us.

Final words

Throughout the entire process, we want to work closely with you and adapt the service to your needs. We like to communicate directly with your team (e.g. through Slack or Telegram).

We do it all because we believe in DeFi and innovation. We want to do our best to help you build the future with minimized risk.

If you have any questions or need help, contact us.

Subscribe to the newsletter so you do not miss any future articles. Composable Security 🇵🇱⛓️ is a company that increases the security of projects based on Solidity smart contracts.

If you need support in the field of security or auditing smart contracts, do not hesitate to contact us.

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.
