The Ultimate Guide to Auditing a Smart Contract + Most Dangerous Attacks in Solidity
You can learn it yourself or you can use this helpful step-by-step guide to learn exactly what to do, at what time and audit these contracts.

Ever wonder how to audit a smart contract to find security breaches?



I've been researching several Smart Contract audits and learned the most common steps they take to extract all the essential information from any contract.


You will learn the following:

· Steps to take to fully audit a Smart Contract and produce a PDF with all the conclusions.

· The most important types of attacks you need to know about as an Ethereum Smart Contract auditor.

· What to look for in a contract, and helpful tips you won't find anywhere else.

Let's cut to the chase and start auditing the contracts:


How to audit a Smart Contract

To teach you exactly how to do this, I'm going to audit one of my own contracts. This way you will see a real world audit that you can apply for yourself.


Now you may ask: what is a Smart Contract audit?


A Smart Contract audit is the process of carefully investigating a piece of code, in this case a Solidity contract, to find bugs, vulnerabilities and risks before the code is deployed and used on the Ethereum mainnet, where it can no longer be modified. The audit report itself is for discussion purposes only.

Note that an audit is not a legal document that certifies the code is secure. No one can guarantee 100% that the code will never have bugs or vulnerabilities. What it does attest is that your code has been reviewed by an expert and was found secure at the time of the review.


Its purpose is to discuss possible improvements and, above all, to find bugs and vulnerabilities that could put people's Ether at risk.


Once that's clear, let's take a look at the structure of a Smart Contract Security Audit:

1. Disclaimer: Here you state that the audit is not a legally binding document and that it does not guarantee anything.

2. Audit overview and notable features: A quick view of the Smart Contract to be audited and the good practices found in it.

3. Attacks made on the contract: In this section you describe the attacks you attempted against the contract and their results, to verify that it is in fact safe.

4. Critical vulnerabilities found in the contract: Critical issues that could severely undermine the integrity of the contract. For example, a bug that lets attackers steal Ether is a critical issue.

5. Medium vulnerabilities found in the contract: Vulnerabilities that could damage the contract, but with some kind of limitation. For example, a bug that allows anyone to modify an arbitrary state variable.

6. Low-severity vulnerabilities found: Issues that don't really break the contract and that could remain in the deployed version.

7. Line-by-line comments: In this section you review the most important lines where you see potential improvements.

8. Audit summary: Your opinion of the contract and the final conclusions of the audit.

Store this framework somewhere safe, because it is all you need to audit a Smart Contract properly. It will really help you find those hard-to-find vulnerabilities.


I recommend that you start with point 7, "Line-by-line comments", because when you analyze the contract line by line you will find the most important issues and see what is missing and what could be changed or improved.
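To make the severity tiers concrete, here is a short added example of my own, not a contract from the original post: a hypothetical `SaleConfigUnsafe` contract whose setter anyone can call, which the framework above would record as a medium-severity finding (an arbitrary caller can modify a state variable), beside a hardened `SaleConfigSafe` version with the owner check, input validation and event that the line-by-line pass should ask for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract (constructed for this example): the sale deadline can
// be changed by any address, so anyone could extend or cut short the sale.
// Under the audit framework above this is a medium-severity finding: it damages
// the contract, but does not by itself let an attacker drain Ether.
contract SaleConfigUnsafe {
    uint256 public saleEndTime;

    constructor(uint256 initialEndTime) {
        saleEndTime = initialEndTime;
    }

    // Missing access control: every caller can rewrite the deadline.
    function setSaleEndTime(uint256 newEndTime) external {
        saleEndTime = newEndTime;
    }
}

// Hardened version: only the owner may change the variable, a deadline in the
// past is rejected, and every change is logged so it can be monitored on-chain.
contract SaleConfigSafe {
    address public immutable owner;
    uint256 public saleEndTime;

    event SaleEndTimeChanged(uint256 previousEndTime, uint256 newEndTime);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor(uint256 initialEndTime) {
        require(initialEndTime > block.timestamp, "end time in the past");
        owner = msg.sender;
        saleEndTime = initialEndTime;
    }

    function setSaleEndTime(uint256 newEndTime) external onlyOwner {
        require(newEndTime > block.timestamp, "end time in the past");
        emit SaleEndTimeChanged(saleEndTime, newEndTime);
        saleEndTime = newEndTime;
    }
}
```

Whether such a finding is medium or critical depends on what the variable controls; if it decided where Ether is sent, the same missing check would belong in the critical section.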


I'll show you a disclaimer you can use for the first step of the audit. From there you can go to point 1 and work down the list until the audit is complete.


Then I'll show you the audit I did of one of my own contracts using this framework and these steps. In step 3 you will also see a description of the most important attacks that can be carried out against a Smart Contract.