Wondering if there is a “getting started” section, but for auditing. I’ve looked into a few tools like Slither that Trail of Bits uses, but I’m wondering what the best resources are for learning more.
@patrickalphac Thanks for your post.
The answer is: depends on your background. If you tell me more of your background, I could direct better. Nonetheless, I am sending a somewhat generic list of resources, which are in my opinion a “must see”:
- Ethernaut: a game in which you will try to hack smart contracts
- https://www.coursera.org/projects/ethereum-smart-contract-security-exploits: an online and hands-on course on how to execute some exploits
- https://consensys.github.io/smart-contract-best-practices/: a curated list of security-related issues in smart contract development.
Hope that helps.
Thanks for the reply. I’ve done some of these, and they are helpful.
I was looking more for a step-by-step guide to auditing smart contracts, what the learning process there is. It sounds like most are a bit proprietary or not clearly defined.
Is there a standard tool that all audits should use? Or is it really just a group of humans reading code line by line, trying to guess where any attack vectors might come from?
In terms of tools, Slither & Mythril are the ones most widely used. However, most of the tools out there will only identify a set of generic issues that are independent of the contract logic and business rules. It is worth noting that most of these tools will report a significant amount of false positives (as one does more audits, it gets easier and faster to spot them). In summary, tools will only get you basic findings. The true value of an audit is the experience brought by the audit team. And yes, the audit team will need to read the code line by line…
The learning path to be an auditor is not necessarily a straight road and I am unaware there is even one generic program (proprietary or not). In all truthfulness, I believe auditing is something you learn by doing once you have mastered the security best practices concerning smart contract development.
Essentially, any auditing process should do two things:
- Given a specification (e.g., white paper, internal docs, external docs), verify that the code is doing what the specification is stating. The goal here is to check whether the code is in tune with the business requirements. This is an intensive and very tedious task. You essentially read the code, understand it, and make sure it meets the given specification.
- From the previous step, you should have been able to get a mental model of the entire platform that you are auditing. Then, you start investigating more insightful things, and how one could put the pieces together in a way that developers had not thought of. Here you need to have (or develop) an attacker mindset and this experience comes with time. A good way to bootstrap that mindset is to read postmortems and replay the attack yourself. Having built a mental model of the code you are auditing, you start investigating potential threats, by means of asking questions like:
- Is it possible for any actor to put the contract in an unusable state?
- Is there a sequence of transactions that could cause the smart contract to misbehave?
- Are funds secure?
- Are there underlying assumptions made by the contract that may not hold?
- Are there interactions with external contracts? If so, are they trusted? If not, how could they exploit the current code?
Let me know if that helps. I am happy to provide more hints as you keep directing me :)
This is exactly what I was looking for. Thank you.
I’ve spoken with a few others in the field and received the same responses. Sounds like auditing, in a weird way, is almost more of an art than a science. That scares me a little bit, but such is life.
For those interested in this topic, we have written a follow-up minipost: “The art of auditing”.
Is there a list of auditors by reputation somewhere?
I guess this is all up to reputation of the auditing firms right now though…
@patrickalphac By “list of auditors by reputation” do you mean the individuals doing audits or the audit companies themselves?
Actually… both would be nice. But there likely isn’t like a leaderboard of individual human auditors. I would be surprised if any audit company released stats on their employees.
@patrickalphac For human auditors, no, there is not such a list. In fact, I don’t think it would even be ethical to do so. The closest you can get to that is to rely on the title that an auditor has in the company he works for (e.g., Senior, Principal, etc).
As for the list of companies, there is no official ranking - it does boil down to reputation as seen by the crypto community.
As a general (and informal) guide to which audit company to choose, consider assessing:
- The number of completed audits, as well as the amount of secured funds
- Number of high profile clients
- Quality of their public audits
- Team experience
- Client support in handling hacks
Thanks for the follow up here. I guess we will have to go with sites like Rekt that keep track of hacks… and the audit reports that came out with them.