A Solidity security audit is a vital step in deploying smart contracts. If you choose not to have your contracts audited, you are putting your community and reputation at risk.
However, many audit firms do not perform the proper due diligence on your smart contracts. This will lead to false reassurance that your project is ready for significant traffic.
The top audit firms will usually follow a process that is outlined in these steps:
The audit firm will conduct an initial assessment of the code to understand the scope of the project and identify any potential risks or issues. This may include reviewing the project’s documentation, architecture, and design.
This initial assessment is less about the code. It’s to get the team on the same page regarding how this project or protocol works.
Teams should be able to put together an architecture review that demonstrates a clear understanding of how this protocol functions.
Early on, the team should identify the most high-risk areas within the codebase. This ensures an understanding of the protocols and will allow the auditors to spend extra time around high-risk areas.
The firm will perform a thorough review of the code, line by line, looking for potential vulnerabilities, security issues, and bugs. The reviewers will also verify that the code meets industry standards and best practices for writing secure smart contracts.
Although you cannot rely on automated tools, the best auditors will use some of the top recommended tools within their audit process. There’s no downside to using the tools as long as the team is still providing thorough, manual reviews.
Every line of code needs to be manually reviewed by auditors. Many auditors will even print out the code and review it on paper. This ensures the upmost focus and attention to detail while auditing.
The firm will conduct various types of testing to ensure that the code functions as intended, including unit testing, integration testing, and manual testing. They may also use tools such as fuzz testing and symbolic execution to uncover potential issues.
Auditors will review your unit and integration tests to ensure proper code coverage and logic accuracy.
In the event that an exploit is found, proving the exploit in code is an essential piece of the audit.
Automated testing tools, like Slither, will also be used at this phase to further flesh out issues.
Auditors may execute certain tests on a live environment or write additional scripts that help cover the audit.
If the audit firm finds any vulnerabilities, it will attempt to exploit them in a controlled environment to understand the impact and potential for loss.
As mentioned above, the best way to prove an exploit is by writing a test case in the project’s existing test suite. Another great way to prove the vulnerability is by performing the exploit on test infrastructure.
The firm will document all of its findings and create a comprehensive report that includes a summary of the audit, a list of identified issues and their severity, and recommendations for addressing the issues.
After the report is provided, the development team will work to address any issues identified in the report. The audit firm may conduct follow-up testing to ensure that the issues have been properly resolved.
Note that this is a general audit process, and a solidity audit firm may have variations on it but that is a general framework they follow.
Should you get an audit?
If you are going to launch your project to the public, you should absolutely get an audit. It will give your community assurance that you have protected their best interests.