Smart Contract Auditing
Note: This section is a work in progress (WIP) and will be expanded in the near future.
Introduction to Web3 Auditing
- Overview of Auditing : Definition and importance of security assessments in Web3 projects.
- Scope of Audits : Differentiating between on-chain smart contract code and off-chain components.
- Target Audience for Audits : Understanding who benefits from the audits.
- Expectations : Understanding what audits aim to achieve and their limitations.
- Ethical and Professional Standards in Auditing : The importance of ethical and professional standards in the auditing process.
Choices and Considerations
- Differentiating Audit Types : New, repeat, fix, retainer, and incident audits.
- Phases of the Smart Contract Audit Process : The stages of a typical audit process.
- Auditing Firms and Independent Auditors : A look at the industry and the participants.
- Decentralized Auditing : Gamified systems like Code4rena, Sherlock, Codehawks, and Hats.finance.
- Guidelines on Audit Selection : Guidelines for project teams on selecting the audit type based on a project’s stage and needs.
Preparation and Initialization
- Audit Prerequisites : Essential elements and documentation required before starting an audit.
- Audit Checklist : A comprehensive list to prepare projects for security audits.
- Initial Code Walkthrough : The importance of a preliminary code review before the audit begins.
- Communication Channels : Messaging channels and regular video-conference meetings for updates are normal, though there may be barriers due to languages and time zones. Ongoing communication is key to a successful audit.
Audit Reports
- Components of an Audit Report : Detailed explanation of what is included in audit reports.
- Interpreting Audit Findings : How to understand and act on the findings presented in the report.
- Recommendations and Remediations : Addressing and mitigating the identified issues and vulnerabilities.
The Basics
- Security Researcher’s Toolbox : Tools & Smart Contract Development Basics - IDEs, Plugins, AuditWizard, AI (ChatGPT).
- Overview of Audit Techniques : The process of auditing smart contracts and the techniques used.
- Secure Smart Contract Design : The principles of secure smart contract design, such as minimizing attack surface, using tested and proven libraries, access control, and following security-specific design patterns.
- NatSpec and Documentation : The importance of documentation and the NatSpec standard for smart contracts.
Smart Contract Auditing Tools
- Foundry Forge : A Rust-based development framework that includes many useful tools for understanding and testing smart contracts, including a stateless and a stateful (invariant) fuzzer.
- Mythril : A security analysis tool for Ethereum smart contracts. It uses concolic analysis (dynamic symbolic execution), SMT solving, taint analysis, and control flow checking to detect a variety of security vulnerabilities.
- Slither : A static analysis framework that can detect common issues such as re-entrancy, suicidal contracts, and incorrect visibility.
- Echidna : A property-based fuzzer that can be used to find bugs in smart contracts.
- Certora : Formal verification tool for smart contracts.
- MythX : A SaaS security analysis platform for Ethereum smart contracts.
Smart Contract Testing
- Unit Testing : Unit tests for auditors, verifying that individual components of your contract function as expected.
- Integration Testing : Testing multiple components of a contract together to ensure they work correctly in unison.
- Creating POCs : Creating Proof of Concepts to demonstrate the vulnerabilities found in the audit.
Fuzzing
- Stateless vs Stateful Fuzzing : The difference between stateless and stateful fuzzing and when to use each.
- Stateless Fuzzing with Foundry : How to use stateless fuzzing tools such as Foundry
- Stateful Fuzzing with Echidna : How to use stateful fuzzing tools such as Echidna
- Identifying Invariants in Smart Contracts : How to identify invariants for stateful fuzzing in smart contracts
Formal Verification
- Benefits and Limitations of Formal Verification : Discusses the benefits and limitations of formal verification and how it can be used to improve the security of smart contracts.
- Introduction to Formal Verification Tools : Introduces formal verification tools such as Certora and how they can be used to verify the correctness of smart contracts.
- Real World Examples : Provides real world examples of how formal verification has been used to find and fix vulnerabilities in smart contracts.
- Best Practices for Formal Verification : Discusses best practices for using formal verification tools and how to get the most out of them.
- Challenges and Future Directions : Discusses the challenges in adoption and the future directions of formal verification for smart contracts.
Mastering the EVM and Low-Level Programming
- Data Structures in the EVM : Types of data locations in the EVM, such as stack, memory, storage, and calldata
- The Yul language and Inline Assembly : Low-level intermediate programming for the EVM
- Auditing inline Assembly : How to audit smart contracts that use inline assembly and Yul
- Calldata Specifics : Decoding a complex calldata example and how to use the ABI coder library
- The Huff Language : A brief introduction to Huff, a low-level language for the EVM that uses macros
Identifying Vulnerabilities
- Understanding Business Logic : Understanding the business logic and the intended interactions within and between contracts is paramount.
- Technical Review Process : The process of identifying vulnerabilities in smart contracts.
- Developing Heuristics : Develop and utilize heuristics for auditing smart contracts.
- Common Smart Contract Vulnerabilities
  - Timestamp Dependence : Smart contracts that use the block.timestamp variable may have this vulnerability.
  - Gas Limit and Loops : Loops that run for an indeterminate number of iterations can hit the gas limit, causing transactions to fail.
  - Denial of Service (DOS) Attacks : Exploiting design flaws or gas-related vulnerabilities to make contracts unusable.
  - Re-entrancy Attacks : This occurs when an external contract hijacks the control flow, and makes recursive calls to the original contract.
  - Delegatecall : delegatecall is a low-level function similar to a dynamic library call in other languages. If not used carefully, it can lead to serious vulnerabilities.
  - Math-Related Vulnerabilities : Integer overflow, underflow, and rounding errors are common in smart contracts due to the lack of native floating-point support in Solidity.
  - Unchecked Return Values : Failing to check the return values of low-level calls such as send, call, and delegatecall can lead to vulnerabilities where contract execution continues even after a failed external call.
These sections are still in development and will be expanded in the near future.
Upgradeability Patterns and Vulnerabilities
- Upgradeability and the security implications for smart contract development, incident response and maintenance
- Upgrade Patterns : Compares and contrasts different upgradeability patterns, such as proxy contracts, delegate calls, and eternal storage
- Some common upgradeability vulnerabilities and how to avoid them, such as storage collisions, function clashes, and malicious upgrades
Front-running vectors
- Defines front-running as the act of exploiting the ordering of transactions in the mempool to gain an unfair advantage
- Illustrates how front-running can affect DeFi protocols, such as Uniswap, Curve, and Yearn
- Discusses some possible solutions and mitigations, such as using commit-reveal schemes, batching transactions, or using layer 2 solutions
Ethereum cryptography and signature malleability
- Covers the basics of cryptography and how it is used in Ethereum for signing and verifying transactions and messages
- Explains the concept of signature malleability and how it can lead to replay attacks and double spending
- Shows how to prevent signature malleability using EIP-712 and EIP-191 standards
Analyzing DeFi Security
- The risks and vulnerabilities associated with perpetuals, such as funding rate manipulation, liquidation cascades, and oracle attacks
- Types of DeFi products, such as decentralized exchanges, lending platforms, yield farming protocols, and derivatives like options and futures along with their associated risks and vulnerabilities
- A look at Uniswap V2 & V3 and how it implements concentrated liquidity and range-bound pools to understand front-running, back-running, and sandwich attacks.
- A look at perpetuals, which are synthetic assets that track the price of an underlying asset without expiration, and at the mechanics of perpetuals, such as funding rate, margin, leverage, liquidation, and settlement
- Impermanent Loss : In automated market makers like Uniswap, liquidity providers can suffer losses due to price fluctuations.
- Price Oracle Manipulation : DeFi protocols often rely on price oracles for asset prices. If these oracles are manipulated, it can lead to serious consequences.
- Flash Loan Attacks : Flash loans allow users to borrow assets and return them within the same transaction. If not handled properly, they can be used to manipulate market prices and exploit DeFi protocols.
- Exploring some advanced attacks that target specific DeFi protocols or features, such as the ERC-4626 inflation attack, AMM arbitrage, and oracle manipulation
Case Studies and Examples
- Detailed Analysis of notable Smart Contract Audit Findings
- Forensics and Post-Mortem Analysis
- A look at how to analyze exploits
- Analysis of notable audit cases and lessons learned.
- Learning from Historical Audits: Successes and Failures
- Analyzing Past Attacks : Analysis of several past attacks on DeFi protocols, understanding how they happened, what vulnerabilities were exploited, and how they could have been prevented.
Continuing Education and Resources
- Advanced Courses and Certifications: Additional courses and certifications that can further knowledge and skills in smart contract auditing.
- Online Channels, Communities, Newsletters and Forums : Connect with other auditors, ask questions, and stay up-to-date on the latest news and trends in the field.
- Books and Publications : Key books and publications that every smart contract auditor should read.