###### tags: `Documentation and Standardization` # D&S: Report style guide Spearbit uses a markdown based template to collaboratively write the final report for security reviews. This markdown file is then converted to a PDF with minimal additional modifications. - Use hackmd.io to collaborate on reports. - Example of the markdown file: [Brink security review (engagement 2)](https://hackmd.io/@spearbit/HkddPdwtY). - Example of a rendered [pdf](https://raw.githubusercontent.com/spearbit/portfolio/master/pdfs/Brink-Spearbit-Security-Review-Engagement-2.pdf). - An example issue can be found in [Appendix](#Appendix-Example-finding-from-Brink-security-review). # General suggestions - The issue description should be detailed. Ideally, someone who is outside of the project and the security review team should be able to understand the issues, merely by reading the issue description. - Sort by highest to lowest severity. For example, a critical bug that steals all the funds should appear before a generic suggestion such as floating pragma. - Don't number issues; the LaTeX template will generate section numbers. - For issues with the same severity, the most unique and specific one should appear first. For example, a specific gas optimization should come before a generic one such as change `memory` to `calldata`. - Group issues together, whenever that's relevant. For example, if a certain gas optimization is relevant throughout the codebase, keep it as a single issue. - Avoid screenshots. Prefer text whenever possible, for example, for code snippets, specification, etc. - Consider minimizing code examples for the most relevant parts. - For links to a hosted git source code, use permalinks (to specific commit hashes). - Avoid raw links if possible, i.e, prefer [`NoDelegateCall.sol#L18`](https://github.com/Uniswap/v3-core/blob/62d65bf88c4fb23671104c28f5bcae566274cb15/contracts/NoDelegateCall.sol#L18) instead of https://github.com/Uniswap/v3-core/blob/62d65bf88c4fb23671104c28f5bcae566274cb15/contracts/NoDelegateCall.sol#L18. - Consider using diffs while making code recommendations: ```diff modified brink-core/contracts/Account/Account.sol @@ -160,7 +160,7 @@ contract Account is EIP712SignerRecovery, EIP1271Validator { function proxyOwner() internal view returns (address _proxyOwner) { assembly { extcodecopy(address(), mload(0x40), 0x2d, 0x14) - _proxyOwner := mload(sub(mload(0x40), 0x0c)) + _proxyOwner := shr(0x60, mload(mload(0x40))) } } ``` - Highlight any references to code (function names, variable names, etc.) as code text (i.e. denoted with backticks). # LaTeX - A typical latex issue is `\textt` overflowing the margins (equivalent of `backticks` in markdown). For example `aVeryLongVariableName` might overflow the margin. A trivial fix is to manually add hyphen after looking at the PDF output, say `aVeryLongVariable-Name`, which would make LaTeX prevent this overflow. # Appendix (Example finding from Brink security review) ### Risk of replay attacks across chains **Severity**: Medium Risk, Gas Optimization **Context**: [`EIP712SignerRecovery.sol#L12-L14`](https://github.com/brinktrade/brink-core/blob/c5b831d9e0239ff119034403bb93cae17ddd4590/contracts/Account/EIP712SignerRecovery.sol#L12-L14) Currently, for deploying on EVM compatible chains, the unique identifier `_chainId` is specified by Brink. The users need to trust the deployer, i.e. Brink to have unique values of `_chainId` for different chains. If the deployer violates this condition, there is a risk of replay attacks, where signed messages on one chain may be replayed on another chain. ``` solidity constructor(uint256 _chainId) EIP7125SignerRecovery(chainId_){ ... } ``` **Recommendation**: Read `_chainId` on chain directly, using `block.chainid` (available from Solidity 0.8.0) or using `chainid()` in inline assembly for older solidity versions, rather than as a constructor parameter. It is also a gas optimization (saves 1 gas). **Brink**: Fixed in commit [feef7d9](https://github.com/brinktrade/brink-core/commit/feef7d92d2888e1ee062038f55a7301a2300ba3e). There is potential risk that a chain could hardfork a change to the `chainID` value, which would invalidate all signed messages. The main benefit and reason for the fix was so the `Account.sol` address can be consistent across all chains. Since `Proxy.sol` now sets this address to the `ACCOUNT_IMPLEMENTATION` constant, this keeps all Proxy addresses consistent across all chains as well. **Spearbit**: Resolved. We think that a hardfork / protocol-upgrade that changes the value of `chainid` is extremely unlikely on almost all big chains, therefore this risk is acceptable. <br>
Last changed by  
Spearbit
1362

Read more

Brink Security Review (engagement 2)

Spearbit Spearbit is a decentralized network of expert Web3 security engineers. Together, we help secure the Web3 ecosystem. We offer security reviews and related services to Web3 projects. Our network has experience at every part of the stack, including protocol design, smart contracts, and the Solidity compiler itself. Spearbit brings in untapped security talent: expert freelance auditors want flexibility to work on interesting projects together. Learn more about us at https://spearbit.com. Introduction The Brink protocol is designed for automating conditional orders on EVM compatible chains. For an introduction to the basic mechanics, one can consult the report from Spearbit's first security review of Brink. This follow up specialized review by Spearbit focussed on a unique extension of "EIP-1167: Minimal Proxy Contract". The Brink protocol designed a gas efficient proxy implementation, based on EIP-1167 that also stores the address of the owner in the proxy. Details can be found in the section: "custom proxy code". In short, the address of the owner is appended at the end of the runtime code, and read using a extcodecopy of the relevant bytes in code; let's call this the data section. The focus of the security review was on the following:

5/3/2023
Spearbit vCISO and Security as a Service 🦾

About Us The Role If your Chief Information Security Officer (CISO) role is vacant or you need a project-based executive expertise then our community of vCISO's is the solution for you. Our vCISO's serve as a technology leader responsible for advising on high-level technical guidance, smart contract best pracitces, architectural review and development/testing framework during your software development lifecycle by directly reporting to the CTO, CEO, and Founders. By embedding this individual or pairing of vCISO's onto your team this allows you to prepare for external reviews, execute on technical development and reduce risk. World Class Leaders Spearbit has to date built one of the largest communities of security personel in the blockchain space.

1/26/2023
Spearbit Technical Account Manager Job Description

Spearbit is a DAO for web3 security researchers. Web3 projects often have to decide between waiting months for a security review or shipping unaudited code to keep up with the competition. Spearbit fixes this through a freelance marketplace of vetted security researchers who pair on collaborative teams. We’re looking for an Account Manager to assist with our audit marketplace. This person will assist with the matching of qualified security researchers to prospective clients that want to engage with our community. Once the security review begins, the Account Manager will be responsible for ensuring quality service delivery through effective project management. During the security review, the account manager will utilize their high level knowledge of developer security to flag process errors and breakdowns in communication between clients and security researchers. This position isn’t technical in the sense that you won’t be engaging in manual code review, but does require a knowledge of DevSecOps best practices and how to effectively integrate security researchers into the development lifecycle of clients. A background that would prepare you for this role could include having a project management role at a major web3 security auditing firm or a PM role at a major crypto protocol who has worked with security audit firms. Benefits Competitive compensation: $150-200K/yearly salary + equity or $150/hr on contract basis (dependent on your preference, we're fine with this being a contract job or a salaried position) Option of getting paid in digital currency Our Values

3/3/2022
Spearbit Technical Copy Writer Contractor

Spearbit is a DAO for web3 security researchers. Web3 projects often have to decide between waiting months for a security review or shipping unaudited code to keep up with the competition. Spearbit fixes this through a freelance marketplace of vetted security researchers who pair on collaborative teams. Spearbit is growing and needs a talented technical copywriter to help write our audit reports as well as content for our community. This person will work with our security researchers to copy edit and format our audit reports. Benefits Competitive compensation: This is a contract position at $100/hr Option of getting paid in digital currency Our Values

2/22/2022
Read more from Spearbit
Published on HackMD