# Internal audit General audit phase : - Automatic tools scan - [x] Slither - [ ] Echidna(fuzz-testing) - [ ] Slither(static analysis) - [ ] Manticore(Symbolic execution) - Manual Review - Grammar bug - Business logic bug ### Audit scope The audit content includes : - SMASP.sol , - Verifier.sol , - Compilance.sol, - SVault.sol ### Basic error types - [x] Overflow and underflow Since solidity above 0.8.0 already has safe check for such , and Silent contract uses solidity 0.8.4 , this shall not be be an issue if the contract got compiled successfully . In compilance.sol , we are using uint16 for index , this would introduce the risk of overflow . - [x] Function visibility Ensure that public , private , internal , external are correctly placed . - [x] Avoid problematic features - [x] send - [x] low-level functions call , delegatecall , callcode , inline assembly They didn't introduce these problematic features in the audit scope files . - [x] Access control - [x] OnlyOwner Modifier - [x] DAO gots the ownership of initilization of SMASP pool - [x] PublicKey Management - [ ] External Call - [ ] check reentrancy - [ ] Proper inilization of SMASP pool - [ ] Time Manipulation - [ ] Prevent unbounded loop - [ ] Validate inputs of external/public functions - [x] Return value check #### Cmpliance.sol The return value type of index variable in compliance.sol is uint16 , i.e. function getIndexOfPublicKey . This would somehow introduce the risk of overflow - [x] Prevent using tx.origin as an authemtication mechanism ### Gas optimization - [x] Follow variable packing rules https://fravoll.github.io/solidity-patterns/tight_variable_packing.html - [x] Avoid accessing storage data in interations - Access data from memory , not from storage https://marduc812.com/2021/04/08/how-to-save-gas-in-your-ethereum-smart-contracts/ - [ ] Storing data that can be pre-computed off-chain ### Function modular check - [x] Register Note : In compilance.sol , we set the deployer as the owner of this contract . And the register function can only be called by this deployer. With this , the deployer of DAO can add group member to whitelist . Some code are strange but correct , like ```function getIndexOfPublicKey(uint256 yPubKey) public view returns (uint16) { for (uint16 i = 0; i < registeredKeys.length; i++) { if (registeredKeys[i][1] == yPubKey) { return i; } } return 65535; }``` registeredKeys are defined as an array of uint256[2] , and this function finds if there is second element of i-th slot that is equal to yPubKey . - [ ] Deposit - [ ] the amount of funds received is correct - [ ] all accounts are randomized with the same randomness - [ ] Withdraw - [ ] Secret Transfer ### Testing and software engineering - [ ] Test coverage - [ ] Unit Tests - [ ] Integration Tests - [ ] Code Freeze