Live Stream #1 – Auditing Smart Contracts

I will do live security reviews of Ethereum smart contracts and share my approach to auditing on a stream. The live stream is scheduled to start at 3.30 PM GMT on Sunday (22/08/2021).

Link: https://www.youtube.com/watch?v=LLiJK_VeAvQ

Notes

Here are some brief notes that I’ll use as talking points on the stream. A detailed blog post will come later.

Resources

  • https://github.com/ethereumbook/ethereumbook
  • https://cryptozombies.io/
  • https://solidity-by-example.org/
  • https://docs.soliditylang.org/
  • https://ethereum.org/en/learn/
  • https://ethernaut.openzeppelin.com/

Auditing Approach

  • Read about the project to get an idea of what the smart contracts are meant to do. Go through all the resources about the project that were made available to you.
  • Skim the smart contracts to get an idea of their architecture: which contracts exist, how they inherit from and call one another. Tools like Surya (inheritance and call graphs) can come in handy here.
  • Create a threat model: list the actors (owner, users, other contracts) and the theoretical attack vectors, including the common pitfalls (reentrancy, missing access control, unchecked return values, front-running) and techniques from past exploits.
  • Look at the places where value changes hands, especially calls to transfer, transferFrom, send, call, delegatecall and selfdestruct. Walk backward from each of them to confirm the path leading there is properly guarded: who can reach it, which checks sit in front of it, and whether state is updated before the external call is made.
  • Do a line-by-line review of the contracts.
  • Do another pass from the perspective of each actor in your threat model.
  • Run tools like Slither and review their output; treat the findings as leads to verify by hand, not as conclusions.
  • Glance over the test cases and code coverage to see which paths are exercised and which are not.
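The "walk backward from value-moving calls" step can be bootstrapped with a crude triage script before reaching for Slither. The example below is an added illustration, not code from this post or from any project under review: it takes a constructed sample contract (embedded inline, with one guarded transfer, one unguarded selfdestruct and one withdraw that updates storage after the external call), locates every function that reaches one of the sinks listed above, and reports whether a modifier or require/revert sits before the sink and whether storage is written after the last external call. The regex matching is a heuristic (it looks at source text, not an AST), so it produces leads to verify by hand, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample contract for illustration only; it is not taken from any
# project under review. It deliberately contains one guarded value transfer,
# one unguarded selfdestruct, and one withdraw that updates state after the
# external call (the classic reentrancy shape).
SAMPLE_SOURCE = """
pragma solidity ^0.8.0;

contract Vault {
    mapping(address => uint256) public balances;
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;
    }

    function sweep(address payable to) external onlyOwner {
        to.transfer(address(this).balance);
    }

    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}
"""

# Value-moving sinks from the audit checklist above.
SINK_PATTERNS = {
    "call": re.compile(r"\.call\s*[({]"),
    "delegatecall": re.compile(r"\.delegatecall\s*[({]"),
    "send": re.compile(r"\.send\s*\("),
    "transfer": re.compile(r"\.transfer\s*\("),
    "transferFrom": re.compile(r"\.transferFrom\s*\("),
    "selfdestruct": re.compile(r"\bselfdestruct\s*\("),
}
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
GUARD = re.compile(r"\brequire\s*\(|\bassert\s*\(|\brevert\b")
# Heuristic: a line that assigns to an identifier or mapping slot.
ASSIGN = re.compile(r"^\s*[\w\[\]\.]+\s*[+\-*/]?=(?!=)")
NOT_MODIFIERS = {"external", "public", "internal", "private", "view", "pure",
                 "payable", "virtual", "override", "returns"}


@dataclass
class Finding:
    function: str
    sinks: list                   # which value-moving calls appear, in order
    modifiers: list               # modifiers on the function header
    guarded: bool                 # modifier or require/revert before the first sink
    state_write_after_call: bool  # storage written after the last external call


def _matching_brace(src, open_idx):
    """Index of the '}' that closes the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def audit_source(src):
    """Return one Finding per function that reaches a value-moving sink."""
    findings = []
    for m in FUNC_HEADER.finditer(src):
        name, header_tail = m.group(1), re.sub(r"\([^)]*\)", "", m.group(3))
        modifiers = [t for t in re.findall(r"\w+", header_tail)
                     if t not in NOT_MODIFIERS]
        open_idx = m.end() - 1
        lines = src[open_idx + 1:_matching_brace(src, open_idx)].splitlines()
        sinks = [(i, kind) for i, line in enumerate(lines)
                 for kind, pat in SINK_PATTERNS.items() if pat.search(line)]
        if not sinks:
            continue
        first_sink = min(i for i, _ in sinks)
        guarded = bool(modifiers) or any(GUARD.search(l) for l in lines[:first_sink])
        # selfdestruct ends execution, so only real external calls matter here.
        external_calls = [i for i, kind in sinks if kind != "selfdestruct"]
        writes_after = bool(external_calls) and any(
            ASSIGN.search(l) for l in lines[max(external_calls) + 1:])
        findings.append(Finding(name, [k for _, k in sinks], modifiers, guarded, writes_after))
    return findings


if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE):
        flags = []
        if not f.guarded:
            flags.append("NO GUARD before value transfer")
        if f.state_write_after_call:
            flags.append("state written after external call (reentrancy?)")
        print(f"{f.function}: sinks={f.sinks} modifiers={f.modifiers} "
              f"{'; '.join(flags) or 'ok'}")
```

On the sample it flags `withdraw` (balance decremented after the `call`, so a malicious receiver can re-enter before the debit) and `kill` (no modifier or precondition in front of `selfdestruct`), while `sweep` passes because `onlyOwner` sits in front of the transfer. Each flagged function is where the manual backward walk starts.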

Contracts under review

NOTE: I am only going to spend a few minutes on each contract. I am not affiliated with any of these projects. This is for educational purposes only; do not draw any conclusions from it.

Contracts up for review:
