Smart Contract Audit

A smart contract audit includes automatic and manual tests. The automatic audit aims to find commonly encountered security vulnerabilities; the manual test outlines efficiency, logic, and optimization improvements. A smart contract audit is essentially the same as a conventional code audit: it aims to find security vulnerabilities before the code is deployed. Overflows and underflows, reentrancy, and front running are among the most widespread smart contract vulnerabilities.

With the SWC registry as the reference, the focus of the audit was to verify that the smart contract system is secure, resilient, and working according to its specifications. The audit activities can be grouped into the following two categories:

Security: Identifying security related issues within each contract and within the system of contracts.

Code Correctness and Quality: A full review of the contract source code. The primary areas of focus include:

  • Correctness
  • Readability
  • Sections of code with high complexity
  • Improving scalability
  • Quantity and quality of test coverage

The following table contains an overview of the SWC registry. Each row consists of an SWC identifier (ID) and a weakness title:

SWC-100 Function Default Visibility
SWC-101 Integer Overflow and Underflow
SWC-102 Outdated Compiler Version
SWC-103 Floating Pragma
SWC-104 Unchecked Call Return Value
SWC-105 Unprotected Ether Withdrawal
SWC-106 Unprotected SELFDESTRUCT Instruction
SWC-107 Reentrancy
SWC-108 State Variable Default Visibility
SWC-109 Uninitialized Storage Pointer
SWC-110 Assert Violation
SWC-111 Use of Deprecated Solidity Functions
SWC-112 Delegatecall to Untrusted Callee
SWC-113 DoS with Failed Call
SWC-114 Race condition (Transaction Order Dependence)
SWC-115 Authorization through tx.origin
SWC-116 Timestamp Dependence
SWC-117 Signature Malleability
SWC-118 Incorrect Constructor Name
SWC-119 Shadowing State Variables
SWC-120 Weak Sources of Randomness from Chain Attributes
SWC-121 Missing Protection against Signature Replay Attacks
SWC-122 Lack of Proper Signature Verification
SWC-123 Requirement Violation
SWC-124 Write to Arbitrary Storage Location
SWC-125 Incorrect Inheritance Order
SWC-127 Arbitrary Jump with Function Type Variable
SWC-128 DoS With Block Gas Limit
SWC-129 Typographical Error
SWC-130 Right-To-Left-Override control character (U+202E) Private variables
SWC-131 Presence of unused variables
SWC-132 Unexpected Ether balance
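
To illustrate the automatic part of such an audit, the following added example (not the auditors' tooling and not code from the original report) scans Solidity source for four of the weaknesses listed above and reports each finding with its SWC ID. The regular expressions, the function names `strip_comments` and `scan`, and the sample contract are assumptions made for this example.

```python
import re

# Each rule: (SWC ID, title as listed in the table above, pattern). The patterns
# are simplified heuristics written for this example, not the registry's own.
RULES = [
    ("SWC-103", "Floating Pragma",
     re.compile(r"pragma\s+solidity\s+[^;]*[\^~<>]")),
    ("SWC-111", "Use of Deprecated Solidity Functions",
     re.compile(r"\b(?:suicide|sha3|callcode)\s*\(|\bblock\.blockhash\b"
                r"|\bmsg\.gas\b|\bthrow\s*;")),
    ("SWC-115", "Authorization through tx.origin",
     re.compile(r"\btx\.origin\b")),
]
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]")
VISIBILITY = re.compile(r"\b(?:public|external|internal|private)\b")

def strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay valid."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, src, flags=re.S)

def scan(src):
    """Return sorted (line, swc_id, title) findings for Solidity source text."""
    code = strip_comments(src)
    line_of = lambda pos: code.count("\n", 0, pos) + 1
    findings = [(line_of(m.start()), swc, title)
                for swc, title, rx in RULES for m in rx.finditer(code)]
    # SWC-100: a named function header with no explicit visibility keyword.
    findings += [(line_of(m.start()), "SWC-100", "Function Default Visibility")
                 for m in FUNC.finditer(code) if not VISIBILITY.search(m.group(2))]
    return sorted(findings)

# Constructed sample contract (not taken from any audited project).
SAMPLE = """pragma solidity ^0.4.24;
contract Wallet {
    address owner;
    // tx.origin in a comment must not be flagged
    function init() {
        owner = msg.sender;
    }
    function withdraw(uint amount) public {
        require(tx.origin == owner);
        msg.sender.transfer(amount);
    }
    function close() external {
        if (msg.sender != owner) throw;
        suicide(owner);
    }
}
"""

if __name__ == "__main__":
    for line, swc, title in scan(SAMPLE):
        print(f"line {line}: {swc} {title}")
```

Pattern matching of this kind only surfaces candidates for the manual review; it does not parse Solidity and will miss weaknesses that depend on control flow, such as SWC-107.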

It should be noted that throughout the code audit ConsenSys best practices were utilized.

Tools utilized for Testing

A number of tests were carried out manually including:

  • problem statement;
  • problem analysis;
  • class diagram to represent the design;
  • visibility for the state variables and functions;
  • access modifiers for the functions;
  • validations for input variables of the functions;
  • conditions that must hold true and conditions that were discovered.