What we do
Expert Code Analysis: An expert in smart contract development and
security reviews the contract. They use their expertise to identify potential security
vulnerabilities, logic issues, and inefficiencies that might not be caught by automated tools.
This might include best practice violations, poorly implemented logic, gas usage inefficiencies,
and more.
Control Flow Analysis: This involves creating a graph that shows how the
program's control (i.e., the execution path) flows from one operation to another. This can help
to identify unusual or unexpected pathways, such as infinite loops or unreachable code segments,
which could indicate errors or vulnerabilities.
Dynamic Code Analysis: In contrast to static analysis, which analyzes code
without executing it, dynamic analysis involves running the program and monitoring its behavior.
This can help identify issues that only arise during execution, such as runtime errors or state
manipulation vulnerabilities.
Manual Code Analysis: A meticulous, line-by-line review of the code. This review
goes beyond mere syntax checking and includes looking for logical errors, misuse of language
features, non-idiomatic usage patterns, and potential security issues that could be missed by
automated tools.
Vulnerability-Based Scanning: This involves using automated tools to scan the
smart contract code for known vulnerabilities, such as re-entrancy attacks, arithmetic
overflows, and unchecked external calls. The tool will have a database of known vulnerabilities
and will scan the code to see if any of these vulnerabilities exist in the contract.
Symbolic Execution: This is a software testing technique where an abstract
machine (instead of the standard machine) is used to execute the program. This enables testing
of all possible execution paths and understanding which inputs will cause specific parts of the
code to execute. This is useful for identifying corner cases that may lead to vulnerabilities or
unexpected behavior.
Taint Analysis: This involves checking which variables in the smart contract are
controllable by external entities. If a variable can be modified externally and it influences
the contract's state or flow of execution, it could potentially be a security risk, as a
malicious actor may be able to manipulate it.
Test Coverage: This refers to ensuring that all parts of the smart contract’s
code have been tested, often through unit tests. High test coverage reduces the chance of an
undetected bug or security vulnerability. Tools can be used to measure the percentage of the
codebase that is covered by tests.
Linting: This involves checking the code for programming and style errors.
Linters are tools that analyze source code to flag programming errors, bugs, stylistic errors,
and suspicious constructs. This helps to ensure code quality and can also enforce coding
standards and styles.
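
As an added illustration of the Taint Analysis item above (example code written for this page, not taken from any audit tool), the sketch below propagates taint through a constructed toy instruction list and reports where externally controllable values reach a state write or a branch condition. The instruction format, the variable names and the `taint_analysis` function are assumptions made for the example, and it handles straight-line code only.

```python
# Constructed toy IR for one contract function; not real EVM or Solidity output.
# Each instruction is (op, dest, sources):
#   "input"  : dest is a caller-supplied parameter (externally controllable)
#   "const"  : dest is a literal chosen by the contract author
#   "assign" : dest is computed from sources
#   "sstore" : the value in sources[0] is written to the storage slot named dest
#   "branch" : execution path depends on sources[0]
SAMPLE_FUNCTION = [
    ("input",  "amount",    []),
    ("input",  "recipient", []),
    ("const",  "fee",       []),
    ("assign", "net",       ["amount", "fee"]),
    ("assign", "limit",     ["fee"]),
    ("sstore", "balances",  ["net"]),
    ("sstore", "feeRate",   ["fee"]),
    ("branch", None,        ["limit"]),
    ("assign", "isOwner",   ["recipient"]),
    ("branch", None,        ["isOwner"]),
]


def taint_analysis(instructions):
    """Forward taint propagation over straight-line code.

    Returns (tainted_variables, findings). A finding is
    (instruction_index, kind, target, tainted_sources), where kind is
    "state-write" or "control-flow".
    """
    tainted = set()
    findings = []
    for index, (op, dest, sources) in enumerate(instructions):
        hit = sorted(s for s in sources if s in tainted)
        if op == "input":
            tainted.add(dest)                  # taint source
        elif op == "const":
            tainted.discard(dest)              # overwritten with a clean value
        elif op == "assign":
            # A result is tainted if any operand is; otherwise it is clean.
            tainted.add(dest) if hit else tainted.discard(dest)
        elif op == "sstore" and hit:
            findings.append((index, "state-write", dest, hit))
        elif op == "branch" and hit:
            findings.append((index, "control-flow", sources[0], hit))
    return tainted, findings


if __name__ == "__main__":
    _, results = taint_analysis(SAMPLE_FUNCTION)
    for index, kind, target, via in results:
        print(f"instruction {index}: {kind} on {target!r} influenced by {via}")
```

Each finding is a place for a reviewer to confirm that the value is validated or access-controlled before it is used; the writes and branches that depend only on `fee` are not reported because no external input reaches them.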