11 Tests for Secure Smart Contracts

Auditless
Jul 11, 2018

DISCLAIMER. As new types of vulnerabilities and tools emerge, we will continue to adapt this framework. Please check back with us to see the latest updates.

Smart contract security is often approached as a black-box process with a binary answer: “secure” or “vulnerable”. In reality, security, like the art of risk mitigation, is much more complex.

Seemingly secondary concerns like code practices, patterns and libraries you use are as important as the correctness of your contracts at a given point in time.

The optimal policy for maximizing smart contract security, then, is to continuously address a diverse set of cross-cutting concerns. In our work with audit and development teams, we have identified a set of 11 distinct tests that together underpin a practical security framework.

The best smart contract teams will adopt and embrace these 11 tests to develop a competitive advantage in security, performance and delivery speed.

Finally, as the sophistication of attackers and assets under management grow, smart contract security is becoming more of a binary playing field. Successful companies can choose to be either “excellent” or “vulnerable”; “good enough” is not an option.

Here is our list:

  1. Specification
  2. Known vulnerability scanning
  3. Static analysis
  4. Dynamic analysis
  5. EVM analysis
  6. Development practices
  7. Testing
  8. Gas optimization
  9. Scalability
  10. Network impacts
  11. Coin offering design

1. Specification

Presence and quality of white-papers, documentation and other assets specifying intended smart contract behavior.

2. Known vulnerability scanning

On-going tracking of emerging vulnerabilities.

3. Static analysis

Automated exhaustive analysis of the code structure, unintended available paths and broken assumptions.

4. Dynamic analysis

Testing “in motion”, examining the behavior of smart contracts for the purpose of arriving at a vulnerable state.

5. EVM (Ethereum Virtual Machine) analysis

Analysis of the broader ecosystem, including node clients and miners, to avoid sophisticated forms of attack.

6. Development practices

Code style, testing practices and other mitigating measures.

7. Testing

Test design and intelligent coverage optimization.

8. Gas optimization

Achieving intended functionality through minimal gas costs for users.

9. Scalability

Performance and scalability optimization.

10. Network impacts

Analysis of the second-order consequences of deploying contract(s), including but not limited to bot users, performance, and gas price implications.

11. Coin offering design

For token protocols — token sale, roll-out and communication design. Design and allocation of bounties.

Please reach out to peteris at audit less dot com if you would like to learn more about tools & techniques to engineer secure smart contracts or want to help us build on the framework.
