Blog Post

How to Prepare for a Smart Contract Audit

June 15, 2021

To extract the most value from a smart contract security audit, there are a few things you can do beforehand:



1. Document your system's intended functionality.

2. Share what you're concerned about.

3. Develop high-coverage, high-quality tests for the codebase.

4. Freeze the smart contract code.

5. Set aside time to address findings before launch.


## Document your system's intended functionality


A large part of smart contract auditing is gaining a deep understanding of the intended purpose of the system. Particular areas of concern include specific design decisions, considerations, and tradeoffs. Time spent on the documentation will be rewarded with a faster, higher-quality audit. 


The best format for this information is a plain English specification which explains the functionality at both a high and low level. Ethereum's [EIPs](https://eips.ethereum.org/all) and Synthetix's [SIPs](https://sips.synthetix.io/) are good examples of this kind of documentation.


## Share what you're concerned about


You may not be a security expert, but you still likely understand your system better than anybody else. Sit down with your team and brainstorm the following and then include it in your documentation:


- **Assets:** What are the main assets at risk? Under what conditions can they be accessed, and by whom?

    - Financial assets (e.g. capital, interest, rewards)

    - Privileged roles (e.g. admin user)

    - Integrations (e.g. third parties dependent on certain functionality)

- **Controls:**  What defensive controls are in place in the system?

    - Are there different user roles? What can the roles do / not do? (e.g. buyer / seller, manager, admin)

    - Are there conditional actions? (e.g. funds locked until a certain date)

    - Are there different states in the contract? What should happen / not happen in each state? (e.g. phases of a sale, system pause, etc)


As an audit is generally a [white-box security assessment](https://en.wikipedia.org/wiki/White-box_testing), it will help to think about whether you have particular concerns about specific areas of the system – common examples include mathematical precision or calculations, complex custom-written functionality, and external integrations. 


## Develop high-coverage, high-quality tests for the codebase


Having close to 100% test coverage provides some level of surety that your code works as intended. This also empowers auditors to spend more time identifying security issues rather than functional bugs. 


If the system has external dependencies and integrates with other protocols, it's advisable to include thorough integration tests, ideally through mainnet forks.


Auditors will use a well-written test suite extensively, both to gain familiarity with the expected behavior of the system, and to identify further edge cases to assess. Ensure that the repository is set up in a working condition to avoid wasting any time at the start of the audit. 


## Freeze the smart contract code


It's very helpful to freeze the smart contract code before starting an audit. Changes made to the contracts, even contracts outside of the audit scope, can lead to delays and even re-audits in certain cases. 


If the code is still under active development during an audit, it's important to have a dedicated branch in the repository that is used for the audit. That way it's possible to audit a static codebase, which simplifies the current audit, as well as making it easier to determine the scope of future audits. 


## Set aside time to address findings before launch


The audit may identify a number of wide-ranging vulnerabilities. Some findings may have a broader impact than others – for example, some vulnerabilities may require architectural changes to the codebase, which will often require large amounts of restructuring and refactoring. Addressing vulnerabilities could also introduce further vulnerabilities, so multiple reviews may be required. 


It's important to include a buffer in your timeline after the initial audit to make sure you have time to properly implement fixes and have those fixes thoroughly reviewed before you launch on mainnet.


## Conclusion


Smart contract audits can be an expensive and unfamiliar process. By taking the time to follow the steps outlined in this post, you'll be sure to make the most of your smart contract audit. 


If you'd like to find out more about smart contract auditing or get your smart contracts audited, reach out to us below.

Secure your system.
Request a service
Start Now