The End of Audits

Elliot
3 min read · May 18, 2023

While developing Volt, one of the major challenges was shipping code iteratively and engaging security experts for minor changes without initiating a full system audit. A thorough audit is nonetheless essential, even for minor changes, since in a complex system a small change can have outsized effects. Still, the lessons learned along the way are worth sharing.

Before diving into the defense mechanisms that help maintain the integrity of the code, it’s important to underscore a simple, yet often overlooked, strategy: stepping away from the code. Taking a day or two to step away from the code and reset, then returning to the problem can yield bugs that were hidden during development. This tactic, endorsed by a respected fellow engineer, cannot be overstated in its usefulness. This method was also briefly mentioned in the time section of this article.

The first line of defense is unit tests, a fairly standard practice and an essential one. The second line of defense is integration tests, which ensure the code interfaces correctly with the rest of the system. Pre- and post-proposal checks confirm the proper functioning of the PSM, the stability of the oracle price, and steady fund amounts in the protocol before and after the proposal. Though these are standard practices for a smart contract engineering team, they are essential.

Next, a third layer of defense comes in the form of differential tests. These involve rewriting the same algorithm differently and conducting a fuzz test to ensure both implementations return identical results given the same input. Lastly, forge invariant tests, where applicable, offer an additional layer of confidence regarding key system properties. Combined, these layers form a comprehensive foundation for an entirely internal security posture.
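As an added illustration of the differential test described above (example code written for this post, not Volt's own code or tests): a hypothetical PSM pricing function `PsmMath.mintOut`, a second implementation of the same formula written differently, and a Foundry fuzz test that checks the two agree on every input and that rounding stays in the protocol's favor. The library, contract and function names, and the 18-decimal price convention, are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
import "forge-std/Test.sol";

/// Hypothetical PSM-style pricing helper (not Volt's code): stablecoin minted
/// for `amountIn` of collateral at an 18-decimal `price`, rounded down so the
/// protocol never pays out more than the exact value.
library PsmMath {
    uint256 internal constant ONE = 1e18;
    function mintOut(uint256 amountIn, uint256 price) internal pure returns (uint256) {
        return (amountIn * price) / ONE;
    }
}

contract PsmMathDifferentialTest is Test {
    /// Second implementation, deliberately written differently: split the input into
    /// whole units and a remainder so truncation can only happen on the remainder.
    function mintOutSplit(uint256 amountIn, uint256 price) internal pure returns (uint256) {
        uint256 whole = amountIn / PsmMath.ONE;
        uint256 rem = amountIn % PsmMath.ONE;
        return whole * price + (rem * price) / PsmMath.ONE;
    }

    /// A tempting "gas optimization" that divides before multiplying; the fuzzer
    /// below shows it silently drops value whenever amountIn is not a whole unit.
    function mintOutDivideFirst(uint256 amountIn, uint256 price) internal pure returns (uint256) {
        return (amountIn / PsmMath.ONE) * price;
    }

    /// Differential fuzz test: both implementations must agree on every input,
    /// and the result must never round against the protocol.
    function testFuzz_mintOutAgrees(uint256 amountIn, uint256 price) public {
        // bound() keeps amountIn * price far below 2**256 so neither path overflows
        amountIn = bound(amountIn, 0, 1e30);
        price = bound(price, 0, 1e24);
        uint256 reference = PsmMath.mintOut(amountIn, price);
        assertEq(reference, mintOutSplit(amountIn, price), "implementations diverge");
        assertLe(reference * PsmMath.ONE, amountIn * price, "rounded against the protocol");
    }

    /// Records the finding the differential test surfaces for the divide-first
    /// variant: it under-mints by exactly the value of the truncated remainder.
    function testFuzz_divideFirstLosesValue(uint256 amountIn, uint256 price) public {
        amountIn = bound(amountIn, 0, 1e30);
        price = bound(price, 0, 1e24);
        uint256 lost = PsmMath.mintOut(amountIn, price) - mintOutDivideFirst(amountIn, price);
        assertEq(lost, ((amountIn % PsmMath.ONE) * price) / PsmMath.ONE, "unexpected divergence");
    }
}
```

Run with `forge test --match-contract PsmMathDifferentialTest`; raising the fuzz run count in `foundry.toml` gives the rounding checks more coverage of the remainder edge cases.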

Seeking additional scrutiny on the code led to the implementation of pair programming sessions with external engineers. Each session involved dissecting the code line by line, clarifying assumptions, and actively seeking bugs. Documenting the findings, including discovered bugs, proposed remedies, review participants, and time spent, provided an internal gauge of code completion based on the number of findings-free reviews.

Template for these review meetings:

  • Meeting kickoff: code author provides context on software architecture
  • Review of fixes from the previous session, with explanations of the underlying issues and their solutions
  • Review of changes since the last review, discussing each module’s dependencies and changes
  • Line-by-line walk-through of each variable and function, stating assumptions on expected system behavior, who can manipulate which value
  • Review of external calls
  • Checks-Effects-Interactions (CEI) ordering
  • Rounding in the protocol’s favor
  • Front-running exposure
  • Assumptions behind unchecked blocks and other gas optimizations
  • Review of a Slither run if uncertain about any finding’s severity
  • Documentation of findings in an internal audit log on the PR

Attached is the audit log created from internal reviews.

Find the full PR here

Reflecting on the audit log, a deeper exploration of the findings could have been beneficial to outside parties. The log can be an invaluable resource for security researchers, providing an ADR for all changes made during the review and their justifications, making it easier for auditors to understand the assumptions that shaped the code.

An improved audit log template would include:

  • Purpose of the meeting
  • Contracts covered
  • Issues found
  • Proposed solutions to issues
  • Duration of the break taken between writing this code and reviewing it

An excellent security posture requires multiple layers. Stepping away and returning to the code with fresh eyes, creating multiple types of tests, conducting thorough internal and external reviews, and diligently maintaining an audit log are all key components in enhancing internal security posture. However, these measures are not substitutes for a full audit. They can strengthen internal security posture and yield a more polished final product to present to auditors and the world.
