This is to help users understand basic security and some fundamentals of auditing.
This repo has a few contracts with big flaws, see if you can find them, and see if the tools help you find them! Good luck!
An audit is a security-focused code review that looks for issues in your code.
When writing good code, you 100% need to follow these before sending your code to an audit.
Tweet from legendary security expert Tincho
- Add comments
- This will help your auditors understand what you're doing.
- Use NatSpec
- Document your functions. DOCUMENT YOUR FUNCTIONS.
- Test
- If you don't have tests, and test coverage of all your functions and lines of code, you shouldn't go to audit. If your tests don't pass, don't go to audit.
- Be ready to talk to your auditors
- The more communication, the better.
- Be prepared to give them plenty of time.
- They literally pore over your code.
"At this time, there are 0 good auditors that can get you an audit in under a week. If an auditor says they can do it in that time frame, they are either doing you a favor or they are shit. " - Patrick Collins, March 4th, 2022
An auditor's process looks like this:
- Run tests
- Read specs/docs
- Run fast tools (like slither, linters, static analysis, etc)
- Manual Analysis
- Run slow tools (like echidna, manticore, symbolic execution, MythX)
- Discuss (and repeat steps as needed)
- Write report
Typically, you organize reports in a chart that looks like this:
These are some of the best places to learn even MORE about security:
PRs welcome to improve the list.
- Slither
- Static analysis from Trail of Bits.
- Echidna
- Fuzzing from Trail of Bits.
- Manticore
- Symbolic execution tool from Trail of Bits.
- MythX
- Paid service for smart contract security.
- Mythril
- MythX free edition.
- ETH Security Toolbox
- Script to create docker containers configured with Trail of Bits security tools.
- ethersplay
- ETH Disassembler
- Consensys Security Tools
- A list of Consensys tools.
- Ethernaut (This is a must play!)
- Damn Vulnerable Defi (This is a must play!)
- rekt
- A blog that keeps up with all the "best" hacks in the industry.
- Trail of Bits blog
- Learn from one of the best auditors in the space.
- OpenZeppelin Blog
- Another blog of one of the best auditors in the space.
- Smart Contract Security Best Practices
- Consensys blog on security vulnerabilities. Also check out their tools.
- Chainlink X Certik Blog on Security
- More attacks
- Git
  - You'll know you did it right if you can run:
    ```bash
    git --version
    ```
    and you see a response like `git version x.x.x`
- Node.js
  - You'll know you've installed Node.js right if you can run:
    ```bash
    node --version
    ```
    and get an output like `vx.x.x`
- Yarn instead of `npm`
  - You'll know you've installed yarn right if you can run:
    ```bash
    yarn --version
    ```
    and get an output like `x.x.x`
  - You might need to install it with npm
- Docker
  - You'll know you've installed docker right if you can run:
    ```bash
    docker --version
    ```
    and get an output like `Docker version xx.xx.xx, build xxxxx`
```bash
git clone <url>
cd <path>
yarn
```
Then, go right into usage.
Sorry! Feel free to make a PR if you'd like to see TypeScript here.
Open the docker shell:
```bash
yarn toolbox
```
Then, run:
```bash
slither /src/contracts/ --solc-remaps @openzeppelin=/src/node_modules/@openzeppelin --exclude naming-convention,external-function,low-level-calls
```
To exit:
```bash
exit
```
Open the docker shell:
```bash
yarn toolbox
```
Then, run this:
```bash
echidna-test /src/contracts/test/fuzzing/VaultFuzzTest.sol --contract VaultFuzzTest --config /src/contracts/test/fuzzing/config.yaml
```
To exit:
```bash
exit
```
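As an added illustration of the kind of harness that command consumes (example code written for this README, not the repo's `VaultFuzzTest.sol`; the `SimpleVault` contract, its functions and the config values are all assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed stand-in for the vault under test (illustration only, not the
// repo's contract). withdraw() does checks-effects-interactions, so the
// invariants in the harness below are expected to hold.
contract SimpleVault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits; // sum of every tracked balance

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount; // effects first ...
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}(""); // ... interaction last
        require(ok, "transfer failed");
    }
}

// Echidna property-mode harness. Echidna deploys this contract, calls its
// public functions (deposit/withdraw with random senders, values and order)
// and after every call evaluates each `echidna_*` view function; a property
// that returns false is reported with the shortest sequence that broke it.
//
// Assumed config.yaml for the --config flag (standard Echidna keys):
//   testMode: property
//   testLimit: 20000
//   seqLen: 50
//   corpusDir: corpus
contract SimpleVaultFuzzTest is SimpleVault {
    // The vault must always hold at least what it owes. `>=` rather than `==`
    // because ETH can be force-sent to any address (e.g. via selfdestruct),
    // raising the balance without a matching deposit.
    function echidna_solvent() public view returns (bool) {
        return address(this).balance >= totalDeposits;
    }

    // No single account (here: the sender Echidna calls the property from)
    // may be owed more than the vault tracks in total.
    function echidna_sender_within_total() public view returns (bool) {
        return balances[msg.sender] <= totalDeposits;
    }
}
```

From the toolbox shell this runs as `echidna-test SimpleVaultFuzzTest.sol --contract SimpleVaultFuzzTest --config config.yaml`; a property that fails is printed with the call sequence that violated it.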
To check linting / code formatting:
```bash
yarn lint
```
or, to fix:
```bash
yarn lint:fix
yarn format
```