Auditless
Jul 11, 2018 · 2 min read

DISCLAIMER. As new types of vulnerabilities and tools emerge, we will continue to adapt this framework. Please check back with us to see the latest updates.

Smart contract security is often approached as a black-box process with a binary answer — “secure” or “vulnerable”. In reality, security, like the art of risk mitigation, is much more complex.

Seemingly secondary concerns, like the code practices, patterns and libraries you use, are as important as the correctness of your contracts at a given point in time.

The optimal policy for maximizing smart contract security, then, is to continuously address a diverse set of cross-cutting concerns. In our work with audit and development teams, we have identified a set of 11 distinct tests that together underpin a practical security framework.

The best smart contract teams will adopt and embrace these 11 tests to develop a competitive advantage in security, performance and delivery speed.

Finally, as the sophistication of attackers and assets under management grow, smart contract security is becoming more of a binary playing field. Successful companies can choose to be either “excellent” or “vulnerable”; “good enough” is not an option.

Here is our list:

  1. Specification
  2. Known vulnerability scanning
  3. Static analysis
  4. Dynamic analysis
  5. EVM analysis
  6. Development practices
  7. Testing
  8. Gas optimization
  9. Scalability
  10. Network impacts
  11. Coin offering design

1. Specification

Presence and quality of white-papers, documentation and other assets specifying intended smart contract behavior.

2. Known vulnerability scanning

Ongoing tracking of emerging vulnerabilities.

3. Static analysis

Automated exhaustive analysis of the code structure, unintended available paths and broken assumptions.

4. Dynamic analysis

Testing “in motion”, examining the behavior of smart contracts for the purpose of arriving at a vulnerable state.

5. EVM (Ethereum Virtual Machine) analysis

Analysis of the broader ecosystem, including node clients and miners, to avoid sophisticated forms of attack.

6. Development practices

Code style, testing practices and other forms of mitigatory actions.

7. Testing

Test design and intelligent coverage optimization.

8. Gas optimization

Achieving intended functionality through minimal gas costs for users.

9. Scalability

Performance and scalability optimization.

10. Network impacts

Analysis of second-order consequences of deploying contract(s) including but not limited to bot users, performance and gas price implications.

11. Coin offering design

For token protocols — token sale, roll-out and communication design. Design and allocation of bounties.


Please reach out to peteris at audit less dot com if you would like to learn more about tools & techniques to engineer secure smart contracts or want to help us build on the framework.
