The connection between Web3 adoption and security has become more apparent, impacting the technology’s overall success. A significant indicator is the decline in losses to Web3 hacks, from $1.9B in H1 2022 to $737M in H1 2023.
It showcases the growing understanding of blockchain protocol’s security. As projects within the Web3 ecosystem recognize the criticality of securing assets and ensuring the integrity of their protocols, smart contract security audits have emerged as the need of the hour.
A successful audit starts with good preparation. In this article, we shed light on the essential details required for a seamless and effective project audit.
Mapping Out Audit Scope
Details are crucial for understanding any project, so our auditors start by going through your whitepaper and website. These form the building blocks of our audit process.
Having a solid grasp of the system’s architecture and design allows us to delve efficiently into the codebase we’re auditing. But how do we ensure we are on the same page?
In the initial scoping call, our auditing team will connect with the project developer for a walkthrough of the code. The shared insights will form the basis for designing a testing strategy and plan for getting on with the auditing process. This way, we can target the areas that are discussed and optimize our resources to ensure the audit meets your needs.
Documentation Process
Before commencing an audit, it is important to submit a high-quality code base for auditing. This means sharing the GitHub link and the commit hash of the code to be audited. Providing testnet and mainnet links as well enriches our knowledge of the project and offers more profound insights into it.
Code documentation must be precise, comprehensive, and focused on explaining how the protocol operates. It is of utmost importance that this documentation is accurate, easily understandable, and kept up to date, so that the auditors can grasp the underlying intentions behind the code.
So, follow these prerequisites to make sure the submitted code is clear as day:
- README file: It serves as the primary source of related information like the project description, build and run instructions. Given its prominence, it’s crucial to ensure a clean and detailed README file.
- Code Lineage: Mention the sources of inspiration and influences behind the codebase (if any), e.g. whether or not it is a fork of another project. This helps auditors understand the project’s lineage.
- Clear Codebase: To optimize the codebase, eliminate any dead code, stale branches, and unused libraries, as they add unnecessary weight and clutter.
- Libraries and Dependencies: Import external dependencies and libraries directly using tools like the Node Package Manager (NPM) instead of copy-pasting them. Using up-to-date libraries and dependencies is highly recommended.
- Code Comments: We recommend including in-line comments that elucidate the intended behaviour of the code, making it more understandable and maintainable.
- Consistency in coding style: To ensure a professional codebase, it is essential to adhere to Solidity’s style guide to maintain consistency and uniformity.
Once the submitted code is frozen, further changes are discouraged.
Initial Test Phase
Test coverage is crucial. We require thorough testing of the code, especially of edge-case scenarios, or at a minimum 90% code coverage. This will guide our audit plan. Documenting the testing process thoroughly, including test cases, the test plan, scenarios, and the traceability matrix, will help our auditors gain a deeper understanding.
Description Details of Smart Contracts
The goal here is to offer a clear understanding of each contract’s purpose and functionality. This helps auditors comprehend the underlying implications and assumptions made during the development of the code.
Please make sure the points below are covered so that your project’s code is crystal clear to our auditors:
- Code Clarity and Rationale for implementation: Detailed explanations that clarify what each segment of the code accomplishes and the reasoning behind the chosen approach.
- Acknowledging Assumptions: We advise pointing out any assumptions made during the development of the smart contract.
- Specifications for Contract Functions: Specify the functions within the contracts, particularly for non-standard contracts (excluding OpenZeppelin, libraries, interfaces, and utils), outlining each function’s name, description, return values, and other pertinent details for easy comprehension.
We would also appreciate your input in outlining the concerns regarding potential attack scenarios or mentioning which smart contract module you consider most critical for the audit. That way, we can effectively address your needs and conduct a thorough audit.
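As an added illustration, not code from this article or from any audited project, the single Foundry file below ties the three sets of requirements together: the contract imports OpenZeppelin from the npm package rather than copy-pasting it, every non-standard function carries NatSpec stating its purpose, parameters, return value and the assumptions behind it, and the test contract exercises the edge cases (zero amount, over-withdrawal, fuzzed bounds) that a test plan and traceability matrix would list. The contract name `TokenVault`, the mock token, the `alice` account and all amounts are constructed for this example; it assumes a Foundry project with `forge-std` installed and a remapping of `@openzeppelin/contracts/` to the npm-installed package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Dependencies are imported from the installed packages, never copy-pasted.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

/// @title TokenVault (constructed example contract)
/// @notice Holds a single ERC20 token on behalf of depositors.
/// @dev Assumption stated for the auditors: `token` is a plain ERC20 that
///      returns true on success and moves exactly `amount` (no fee-on-transfer,
///      no rebasing). Tokens that break this assumption are out of scope.
contract TokenVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balanceOf;

    event Deposited(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);

    error ZeroAmount();
    error InsufficientBalance(uint256 requested, uint256 available);

    constructor(IERC20 token_) {
        token = token_;
    }

    /// @notice Deposit `amount` tokens into the caller's vault balance.
    /// @dev Caller must have approved this contract for at least `amount`.
    ///      Effects are applied before the external call (checks-effects-interactions).
    /// @param amount Token units to deposit; must be non-zero.
    function deposit(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        balanceOf[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        emit Deposited(msg.sender, amount);
    }

    /// @notice Withdraw `amount` tokens back to the caller.
    /// @dev Balance is reduced before the transfer so a reentrant call sees the new balance.
    /// @param amount Token units to withdraw; non-zero and at most the caller's balance.
    /// @return remaining The caller's vault balance after the withdrawal.
    function withdraw(uint256 amount) external returns (uint256 remaining) {
        if (amount == 0) revert ZeroAmount();
        uint256 available = balanceOf[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);
        remaining = available - amount;
        balanceOf[msg.sender] = remaining;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }
}

/// @dev Minimal mintable ERC20, constructed only for the tests below.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

/// @dev Each test corresponds to one row of the traceability matrix:
///      requirement -> scenario -> test name.
contract TokenVaultTest is Test {
    MockToken token;
    TokenVault vault;
    address alice = makeAddr("alice"); // constructed test account

    function setUp() public {
        token = new MockToken();
        vault = new TokenVault(token);
        token.mint(alice, 1_000e18);
        vm.prank(alice);
        token.approve(address(vault), type(uint256).max);
    }

    /// Happy path: balances move as specified and the return value is correct.
    function test_DepositThenWithdrawUpdatesBalance() public {
        vm.startPrank(alice);
        vault.deposit(100e18);
        uint256 remaining = vault.withdraw(40e18);
        vm.stopPrank();
        assertEq(remaining, 60e18);
        assertEq(vault.balanceOf(alice), 60e18);
        assertEq(token.balanceOf(alice), 940e18);
    }

    /// Edge case: zero-amount deposit is rejected with the documented error.
    function test_RevertWhen_DepositZero() public {
        vm.prank(alice);
        vm.expectRevert(TokenVault.ZeroAmount.selector);
        vault.deposit(0);
    }

    /// Edge case: over-withdrawal reverts and reports both numbers.
    function test_RevertWhen_WithdrawExceedsBalance() public {
        vm.startPrank(alice);
        vault.deposit(10e18);
        vm.expectRevert(abi.encodeWithSelector(
            TokenVault.InsufficientBalance.selector, uint256(11e18), uint256(10e18)));
        vault.withdraw(11e18);
        vm.stopPrank();
    }

    /// Fuzzed boundary: any withdrawal above the deposit reverts, any at or below succeeds.
    function testFuzz_WithdrawNeverExceedsDeposit(uint256 dep, uint256 wd) public {
        dep = bound(dep, 1, 1_000e18);
        wd = bound(wd, 1, 2_000e18);
        vm.startPrank(alice);
        vault.deposit(dep);
        if (wd > dep) {
            vm.expectRevert();
            vault.withdraw(wd);
        } else {
            assertEq(vault.withdraw(wd), dep - wd);
        }
        vm.stopPrank();
    }
}
```

In a real repository the contract would live under `src/` and the test under `test/`, and `forge coverage` would report the line and branch coverage figure the audit intake asks for; the two are combined into one file here only so the example is self-contained.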
We’re All Set To Step Up In The Security Game!
Aligning your projects with the guidelines mentioned above ensures their suitability for effective smart contract audits. By doing so, a seamless auditing experience is guaranteed.
Eager to begin the process of securing your project in Web3? Wait no further! Head over to QuillAudits and request a quote. Once you submit the form, our team will promptly get in touch with you.
We are looking forward to assisting you with your audit needs!