Smart Contract Audit Methodology & Tips

Sm4rty
6 min readMar 22, 2023

--

Hey there, I am Samrat Gupta aka Sm4rty, an Independent Smart Contract Auditor and a Part-time Bug Bounty Hunter. In this blog, I will share my methodology for auditing smart contracts. While there is no universal approach, this post provides insight into creating your own. Additionally, it includes resources and advice to help you become an efficient and effective auditor.

This Blog is also published at DeFiHackLabs’s Substack as a Lesson 1 in Solidity Security Series. Check it out here.

Let’s start:

Step 1: Reading the Documentation and developing Mental Model:

Before starting with auditing, one must first understand the project first which includes the technical designs, objectives of the Project, Contract types, etc. There are many sources that can help an auditor to understand and grasp the project.

  1. Whitepapers or Documentations.
  2. Code Comments and Natspec
  3. Projects Website/Blogs and so on.

Developing Mental Model

While reading through the documentation It is critical to develop a mental model for auditing. The audit will be built on your mental model of the smart contract system. Before looking deeper into the details, it is essential that we have a strong high-level understanding of the contracts.

Some tools can help you assist with this process:

Solidity Metrics: This extension will generate Source Code Metrics, Complexity, call graphs, and Risk profile reports for projects written in solidity. It will help you understand the overview of the contracts.

Solidity Visual Developer: This extension contributes security-centric syntax and semantic highlighting, a detailed class outline, specialized views, graphs, advanced Solidity code insights, and augmentation to Visual Studio Code. You can use it to automatically generate call graphs and UML diagrams.

Step 2: Running some Tools:

Static Analysis Tools:

In this step, we will run some static analysis tools. Static analysis tools are used to analyze smart contracts for common security vulnerabilities and low-hanging bugs. Static Analysis tools will drastically decrease your false-negative rate and help you catch things that manual analysis rarely uncovers.

We can use Mythx, Slither, Mythril, 4naly3er, and a lot of other tools for it.

Fuzzing Tools:

Fuzzing involves providing a large number of random inputs to a smart contract and observing how it responds. The goal of fuzzing is to find edge cases and unexpected behaviors that might indicate a security vulnerability or bug. We can use tools like Echidna, Foundry Fuzz, or some other tools for fuzzing.

It’s important to note that, while these tools can provide valuable insights and identify any potential issues, they are not a replacement for a thorough manual review, which is our next step.

Step 3: Manual Code Review

Now, that we know the overview of what the protocol does and have an eagle-eye view of the contracts. Let’s dive deep into the contracts and start Manual Auditing. Start Reading the codes Line by Line to get an understanding of the contracts.

Think like an attacker and identify potential places where things can go wrong. The following are some of the most common checks I look for:

  1. Common Smart contract bugs
  2. Access Controls Checks in Critical Functions
  3. Check if the contract complies with the standards
  4. The flow of Function calls
  5. Examine all User-controlled Input
  6. Realistic attack scenarios and edge cases

A lot of the bugs and vulnerabilities that actually impact a code are protocol-specific. Finding these protocol-specific bugs requires a thorough understanding of protocol and some creativity. Identify the protocol’s pain points by brainstorming ideas and looking for edge cases.

Note-Taking:

When auditing a complex or large codebase, it is important to take note of anything that appears to be wrong. Utilize some notetaking software like notepad, notion, or Evernote.

VScode Extension Inline Bookmarks can also assist you with the process. While reading the code, we can add audit tags wherever we find bugs or suspect a vulnerability. We can get back to it later.

Step 4: Write POCs

A POC is a demonstration of the feasibility and viability of an idea, and in the context of smart contract auditing, it serves to validate if the vulnerability is valid. Now that we found some vulnerabilities, We can write some PoC tests using frameworks like foundry, hardhat, or brownie. Below are a few ways to write PoC for our findings:

  1. Unit Test
  2. Exploit on a Fork
  3. Simulation

It’s critical to provide sufficient comments throughout each PoC, both for our own understanding and that of others.

Step 5: Report Writing

A good report should contain:

  1. Summary of the vulnerability: A clear and concise description of the vulnerability.
  2. Impact: This section is where Auditors provide a detailed breakdown of possible losses or damage to the protocol.
  3. Assigning Severity: Severity can be classified as high, medium, low, or informational depending on the impact, likelihood, and other risk factors.
  4. Proof of concept: A valid PoC might be an attack script in Hardhat/Foundry test file that can trigger the exploit or any code that manages to somehow exploit the project’s vulnerability.
  5. Mitigation steps: In this section, the auditor should provide a recommendation on how to mitigate the vulnerability. This will be beneficial for the project, making it easier to resolve the issue.
  6. Reference [Optional]: Any external reference links related to the vulnerability.

Alpha Tips: How can you improve?

  1. Read Audit Reports, particularly those of Code4rena and Sherlock. Gain a deeper understanding of their contents to further your knowledge.
  2. Not only read and understand the smart contract’s vulnerabilities but also try to reproduce the bug using Foundry/Hardhat. DeFiVulnLabs can be a helpful resource for reproducing the bug using Foundry.
  3. Solve various smart contract CTFs to gain valuable knowledge in security research. CTFs are more beneficial than other formats for learning. Solve CTFs like Ethernaut, Damn Vulnerable DeFi Application, CTF Protocol, QuillCTF, Paradigm CTF, etc.
  4. Read BugFix Reports from Immunefi and Hack Analysis of Recent hacks. Try to reproduce the exploit locally. DeFiHackLabs can be a helpful resource for Reproducing DeFi hack incidents using Foundry.
  5. Taking notes while learning is an important habit to cultivate. It can help you retain information better and make it easier to recall important concepts. Make your own notes while learning anything. Personally, I use Notion to keep a track of my everyday learnings.
  6. Stay informed by getting involved in the community. Some of the top Discord servers to keep up to date are Spearbit, DeFiHackLabs, Secureum, Immunefi, Blockchain Pentesting, etc.
  7. Understand financial and mathematical concepts. Some Vulnerabilities often require a strong understanding of finance or complex mathematical calculations. Having mastery of these skills will give you an edge in the competition.
  8. Finally, take care of yourself. Audits demand a high level of concentration and mental acuity. You won’t be able to deliver great audits without adequate sleep and nutrition.

Connect with me:

Twitter | LinkedIn | Github | Instagram

Thanks for Reading. Any Suggestions are always welcomed!!

--

--

Sm4rty

Smart contract Auditor and Web3 Security Researcher. Interested in Web3 and SmartContract Security.