Audit of smart contracts

Analysis and verification of specifications and source code of smart contracts

We assess the security of smart contracts and find their weaknesses and potential vulnerabilities. We complement our findings with recommendations that mitigate the risk of future attacks or loopholes.

Learn more about the problems that we solve, the methods and tools we use, and the deliverables we provide.


The problems with smart contracts

  1. Inconsistency between the specification and the implementation.
  2. Flawed design, logic, or access control.
  3. Arithmetic errors (integer overflow and underflow).
  4. Reentrancy attacks, code injection attacks, and Denial of Service attacks.
  5. Exceeded limits on bytecode size and gas usage.
  6. Miner manipulation of timestamps and transaction ordering, including transaction-ordering dependence (TOD).
  7. Race conditions, other known attacks, and access control violations.

Requirements, methods and tools

Our audits of smart contracts comply with the following requirements:

  • The goal of the smart-contract audit is a meticulous code analysis to find security flaws and vulnerabilities.
  • The security audit is performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and to model their exploitation.
  • The smart contract audit includes the following stages:
    • An overall analysis of the code and application.
    • Documentation review.
    • Brief code overview: quick analysis of the smart contract functionality, the main .sol contracts, etc.; analysis of cryptography, third-party modules, and library structure.
    • Detailed analysis of the application, each of its actions, all requests, input fields, and nested modules.
    • Bug scanning: scanning the application on appropriate binary and source-code levels to identify potential deviations from coding guidelines and security practices.
    • Scanner results verification: in this phase, the team reviews the scan results to identify which of them are false positives and which of them can affect the application’s security.
  • The tests are conducted by a team of specialists with more than 17 years of experience in different IT security domains; CISSP, OSCP, CISA, and CEH certification holders.
  • In general, the code review follows the best practices: Solidity Style Guide and Ethereum Smart Contract Security Best Practices.

The tools we use:

Slither, Securify, Mythril, Sūrya, Solgraph, Truffle, Geth, Ganache, Mist, MetaMask, solhint, MythX, etc.


Deliverables

Project deliverables include the Report on the Audit of the Smart Contract, structured similarly to the following sample:

  1. Executive summary
  2. Project approach
    • Rules of Engagement
    • Description of security audit methodology
    • Scope description
  3. Findings and recommendations
  4. Workflow of security audit
  5. Further information on findings and detailed recommendations
  6. Conclusion
  7. Summary recommendations and further steps

Check out our additional services and business cases. Send the form below to request a smart contract audit. Get a free consultation.
