# Smart Contract Audit
## Preparation
- **Background knowledge**
  - What is a smart contract
    - [What Are Smart Contracts?](https://academy.binance.com/en/articles/what-are-smart-contracts)
  - What is Ethereum
    - Short and simple
      - [What is Ethereum](https://academy.binance.com/en/articles/what-is-ethereum)
    - Long and detailed
      - [Ethereum Yellow Paper](https://ethereum.github.io/yellowpaper/paper.pdf)
      - [Ethereum Beige Paper](https://github.com/chronaeon/beigepaper/blob/master/beigepaper.pdf) (a "dumbed down" version of the Yellow Paper)
  - Common Token Standards (***this section will come in handy once you start auditing***)
    - [ERC20](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/)
      - [Official EIP](https://eips.ethereum.org/EIPS/eip-20)
    - [ERC721](https://ethereum.org/en/developers/docs/standards/tokens/erc-721/)
      - [Official EIP](https://eips.ethereum.org/EIPS/eip-721)
    - [ERC777](https://ethereum.org/en/developers/docs/standards/tokens/erc-777/)
      - [Official EIP](https://eips.ethereum.org/EIPS/eip-777)
    - [ERC1155](https://enjin.io/blog/erc-1155-token-standard-ethereum)
      - [Official EIP](https://eips.ethereum.org/EIPS/eip-1155)
  - Some Major DeFi Projects
    - [DEX (decentralized exchange)](https://academy.ivanontech.com/blog/defi-deep-dive-what-is-a-decentralized-exchange-dex)
      - [Uniswap](https://academy.binance.com/en/articles/what-is-uniswap-and-how-does-it-work)
      - [Sushiswap](https://academy.binance.com/en/articles/your-guide-to-sushiswap)
    - [Decentralized Lending and Borrowing](https://medium.com/dydxderivatives/decentralized-lending-an-overview-1e00fdc2d3ee)
      - [Compound](https://compound.finance/)
      - [AAVE](https://aave.com/)
    - [Decentralized Derivatives](https://cryptobriefing.com/decentralized-derivatives%e2%81%a0-beginners-guide/)
      - [dYdX](https://dydx.exchange/)
      - [Synthetix](https://synthetix.io/)
- **Useful Security Related Resources**
  - [Ethereum Smart Contract Best Practices](https://consensys.github.io/smart-contract-best-practices/): **Highly Recommended!** If time is limited, focus on these two sections:
    - [Secure Development Recommendations](https://consensys.github.io/smart-contract-best-practices/recommendations/)
    - [Known Attacks](https://consensys.github.io/smart-contract-best-practices/known_attacks/)
  - [SWC Registry](https://swcregistry.io/): a comprehensive list of known smart contract vulnerabilities
  - [Smart Contract Security Verification Standard](https://github.com/securing/SCSVS): a proposed 14-part security standard for smart contract security
  - [Slither's wiki](https://github.com/crytic/slither/wiki/Detector-Documentation#): a good reference doc when writing reports for common vulnerabilities
  - [Example of security issues](https://github.com/crytic/not-so-smart-contracts): a repo of common Ethereum smart contract vulnerabilities
  - [Blocksec incident report](https://github.com/openblocksec/blocksec-incidents): a curated list of blockchain security incidents
  - [BlockThreat](https://blockthreat.substack.com/): a weekly writeup of recent blockchain security related topics
  - [Code 423n4](https://code423n4.com/): a community driven smart contract audit bug bounty platform
- **Development/Test**
  - Language:
    - [Solidity Official Docs](https://docs.soliditylang.org/en/latest/) (*don't read the whole thing, but use it as a reference manual*)
    - If you are a complete beginner, here are two little games that can get your feet wet:
      - [A Tour of Solidity](https://solidity-tour.certik.org/Basics/1)
      - [Crypto Zombies](https://cryptozombies.io/)
  - Integration:
    - [Remix IDE](https://remix.ethereum.org/)
  - Deployment and Testing Environment:
    - [Truffle](https://www.trufflesuite.com/): the most commonly used framework by far
    - [Hardhat](https://hardhat.org/): Hardhat has gained some traction recently and is the go-to framework for some big players, e.g. Synthetix, UMA
    - [Brownie](https://github.com/eth-brownie/brownie): if you like Python more than JavaScript
  - Audit Tools
    - Vulnerability detection
      - [Slither](https://github.com/crytic/slither): static analysis framework with detectors for many common Solidity issues.
    - Code visualization
      - [Sūrya](https://github.com/ConsenSys/surya): utility tool for smart contract systems, offering a number of visual outputs and information about the contracts' structure.
    - Decompiler
      - [ethervm.io](https://ethervm.io/decompile)
    - IDE plugin
      - [Solidity Visual Auditor for VSCode](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-visual-auditor)
- **Library**
  - [OpenZeppelin](https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/contracts)
  - [PancakeSwap](https://github.com/pancakeswap)/[UniSwap](https://github.com/Uniswap)
## Audit Workflow
### Estimations
- How long will it take to deliver the preliminary report?
- How many lines of code?
- What are the contract types/patterns (is there any template)?
- What are the dependencies?
### Audit process
- Preliminary Report
  - Read the client project's doc/white paper, understand their logic and how they set up their project (tokenomics);
  - Deploy their code and run some simple unit tests (recommended);
  - Add Findings: read through the code and find all the issues (by manual review/static analysis);
    - Common issues:
      - Anti-hacker: attack vectors (e.g. reentrancy, flash loan, access control, sandwich attack);
      - Anti-client: potential rug pull; privileged functions;
      - Logical errors: inconsistency with the white paper; project design issues; return values;
      - Volatile code: corner cases; input validation;
      - Mathematical issues: rate/reward calculations; division before multiplication;
      - Optimizations: gas optimization, unused code/logic.
  - Discussion:
    - Concerns about the project's logic;
    - Points that need the client's confirmation/clarification.
  - Complete the Review Note (external dependencies, privileged functions) and generate the report.
- Client review
  - Open a discussion with the client when they raise questions;
  - Keep discussing until a consensus is reached.
- Finalize
  - Check the client code base to see if there have been
    - Any mitigations to our findings;
    - Any modifications to their code other than the measures taken for the purpose of mitigation, i.e., the client might add new features or change implementations
      - If there are added features, confirm with the reviewer/BD whether the added features are within the audit scope.
  - Update the alleviation section
    - Centralization risk can at most be marked as partially resolved;
    - The client's response can be added to the alleviation to help them clarify their position. It is better to add a comment in reply to their response.
  - Update finding status
    - Acknowledged/Partially Resolved/Resolved
  - Final check
    - Ask the reviewer to perform a final check and update the report state.
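As an added illustration of two of the common issues listed above (a privileged function with no access control, and division before multiplication in a reward calculation), here is a constructed pair of contracts that is not from this page or any project it links; the vault, its function names and the `MAX_RATE` cap are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical staking vault (constructed for this example) showing two items from the
// checklist above: a privileged function with no access control (Anti-client) and a
// reward formula that divides before multiplying (Mathematical issues).
contract RewardVaultVulnerable {
    uint256 public rewardRate;                   // reward per staked wei per second, scaled by 1e18
    mapping(address => uint256) public staked;

    function stake() external payable { staked[msg.sender] += msg.value; }
    // Anti-client: any caller can set the rate, and nothing bounds it.
    function setRewardRate(uint256 r) external { rewardRate = r; }

    // Mathematical issue: staked[user] / 1e18 truncates to 0 for any stake below 1 ether,
    // so small stakers earn nothing, and larger stakers lose the fractional part.
    function pendingReward(address user, uint256 secondsElapsed) external view returns (uint256) {
        return (staked[user] / 1e18) * rewardRate * secondsElapsed;
    }
}

contract RewardVaultFixed {
    address public immutable owner;
    uint256 public rewardRate;
    uint256 public constant MAX_RATE = 1e18;     // constructed cap; a real project chooses its own
    mapping(address => uint256) public staked;

    event RewardRateUpdated(uint256 oldRate, uint256 newRate);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function stake() external payable { staked[msg.sender] += msg.value; }

    // Access control plus an upper bound; the event gives monitoring something to alert on.
    // An auditor still reports this as a centralization risk (the owner controls the rate).
    function setRewardRate(uint256 r) external onlyOwner {
        require(r <= MAX_RATE, "rate too high");
        emit RewardRateUpdated(rewardRate, r);
        rewardRate = r;
    }

    // Multiply first, divide last: precision is lost only once, at the end.
    // Solidity 0.8 checked arithmetic reverts on overflow instead of wrapping.
    function pendingReward(address user, uint256 secondsElapsed) external view returns (uint256) {
        return staked[user] * rewardRate * secondsElapsed / 1e18;
    }
}
```

Even the fixed `setRewardRate` belongs in the report under privileged functions, with the status at most partially resolved, which is exactly the distinction the alleviation section above draws.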
## Appendix
### Accelerator Tool Usage
- Accelerator Manual will be published soon.
### Others
- CTF challenges:
  - [Ethernaut](https://ethernaut.openzeppelin.com/) **Highly Recommended!!!**
  - [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/)
  - [Capture the Ether](https://capturetheether.com/)