Blockchain technology and its applications are still at an early stage of rapid development, and they face a wide range of security risks: the security of applications built on the blockchain, of smart contracts, of consensus mechanisms, and of the underlying base components. Security issues are widespread and the risk is high, which poses a new test for the overall development of the ecosystem and for security auditing, technical architecture, protection of private data, and infrastructure.
Introduction to smart contract audit process
To check the security of a smart contract, auditors generally test for a variety of attacks, simulate a variety of attack scenarios, and carry out the security review through a standard audit process to establish that the contract is safe.
A normal audit process begins with early-stage communication about the audit requirements, such as the contracts in scope, the audit schedule, and the audit budget. Once the requirements are settled, an agreement is signed and a consensus reached. The security team then carries out the audit and delivers the audit report; the development team fixes the security issues listed in the report; and the security team assists with retesting after the fix to confirm that the issues have been resolved and the contract's security has improved.
Smart contract code audit method:
Understand the operational logic of the smart contract protocol
Analyze the contract's logic, design specifications, and design goals
Use automated tools to test the contract for security risks
Test common attack methods against the contract
Simulate vulnerability tests against the project's algorithms, following the project's business flow
What are the common vulnerabilities of smart contracts?
1) Ethereum smart contract
Reentrancy Attack
Floating Point and Numeric Precision
Unexpected Ether
Integer Overflow
Default Visibility
tx.origin Authentication
Wrong Constructor
Unvalidated Return Value
Insecure Random Number
Timestamp Dependency
Transaction Order Dependence
Delegatecall Misuse
Low-Level Call Misuse
Denial of Service
Logic Design Flaws
Fake Deposit Vulnerability
Short Address Attack
Uninitialized Storage Pointer
Token Issuance
Freeze Account Bypass
Contract Gas Optimization
Variable Overwrite (storage collision)
Malicious Backdoor
2) EOS contract
Permission Check Vulnerability
Transfer Notification Forgery Vulnerability
Apply Function Permission Verification Vulnerability
Integer Overflow Vulnerability
Weak Random Number Seed Vulnerability
Freeze Account Bypass Vulnerability
Denial Of Service Vulnerability
Code Logic Vulnerability
Counterfeit Token Attack
Rollback Attack
Replay Attack
Malicious Backdoor
Structure of smart contract audit report
1) Cover of the audit report:
The cover of the audit report states the name of the audited object, the audit team, and the report's release date.
2) Audit overview and project background:
The overview and the project background are kept as separate parts to make the report clearer; the project background introduces the project and the audit scope in detail.
3) Contract structure analysis:
Describe the project's contract files and the main methods and parameters of each contract through a directory structure and contract details.
4) Audit details:
The audit details section presents the risks found during the audit through a risk distribution summary and per-risk details, including the risk name, vulnerability description, risk level, security recommendation, fix status, and audit result.
As an investor who cares about the security of a project, you can get a basic understanding of how to review a project from the sections above; the remaining sections introduce the audit team's security audit tools, the disclaimer, and basic information about the security audit team.
A smart contract audit report is not a legal document certifying that the code is secure; no one can be 100% sure that the code will not fail or develop vulnerabilities in the future. The audit team's report only certifies that the code has been reviewed by professionals and is secure in general terms, because the audit team performed only a security assessment of the project. The final decision rests with the project party and investors.