DISCLAIMER. As new types of vulnerabilities and tools emerge, we will continue to adapt this framework. Please check back with us to see the latest updates.
Smart contract security is often approached as a black-box process with a binary answer: “secure” or “vulnerable”. In reality, security, like the art of risk mitigation, is much more complex.
Seemingly secondary concerns like code practices, patterns and libraries you use are as important as the correctness of your contracts at a given point in time.
The optimal policy for maximizing smart contract security, then, is to continuously address a diverse set of cross-cutting concerns. In our work with audit and development teams, we have identified a set of 11 distinct tests that together underpin a practical security framework.
The best smart contract teams will adopt and embrace these 11 tests to develop a competitive advantage in security, performance and delivery speed.
Finally, as the sophistication of attackers and assets under management grow, smart contract security is becoming more of a binary playing field. Successful companies can choose to be either “excellent” or “vulnerable”; “good enough” is not an option.
Here is our list:
- Specification
- Known vulnerability scanning
- Static analysis
- Dynamic analysis
- EVM analysis
- Development practices
- Testing
- Gas optimization
- Scalability
- Network impacts
- Coin offering design
1. Specification
Presence and quality of white papers, documentation and other assets specifying intended smart contract behavior.
2. Known vulnerability scanning
On-going tracking of emerging vulnerabilities.
3. Static analysis
Automated exhaustive analysis of the code structure, unintended available paths and broken assumptions.
4. Dynamic analysis
Testing “in motion”, examining the behavior of smart contracts for the purpose of arriving at a vulnerable state.
5. EVM (Ethereum Virtual Machine) analysis
Analysis of the broader ecosystem, including node clients and miners, to avoid sophisticated forms of attack.
6. Development practices
Code style, testing practices and other forms of mitigatory actions.
7. Testing
Test design and intelligent coverage optimization.
8. Gas optimization
Achieving intended functionality through minimal gas costs for users.
9. Scalability
Performance and scalability optimization.
10. Network impacts
Analysis of second-order consequences of deploying contract(s) including but not limited to bot users, performance and gas price implications.
11. Coin offering design
For token protocols — token sale, roll-out and communication design. Design and allocation of bounties.
Please reach out to peteris at audit less dot com if you would like to learn more about tools & techniques to engineer secure smart contracts or want to help us build on the framework.