An audit is a straightforward check of known vulnerabilities and of the security model of specific protocol(s)/smart contract(s), their execution environment, economic context, etc.; it is not a random search for any possible bug.
All known attack vectors and chains of actions that lead to hacks can be classified and considered at several levels:
- Technical // cryptography, cpu/vm code: calls, overflows, formats, etc.
- Business logic // app logic, access control, conditions, locks, etc.
- Architecture (DApps) // governance, DAO, centralization, etc.
- Web3/web2 infra/arch // l1, l2, bridges, p2p, keys lost/leak, etc.
- Tokenomics // ponzi, price manipulation, pump/dump, etc.
- Human factor // insiders, social engineering, phishing, etc.
- Unclassified and “black swans” // interoperability, data leaks, etc.
Why consider so many factors? It is fine to focus on one to three of them if you are operating in a mature, well-tested and secure environment. But recent hacks have shown combinations of weaknesses on many levels.
Technical
Focus on the code (smart contracts) and check for common bugs/weaknesses; some automated tools can be used. The audit result is a checklist of common known technical bugs with comments and the artifacts found.
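To make the "checklist of common known technical bugs" concrete, here is an added example (not part of the original post, and not one of the real tools it mentions) of a minimal pattern-based checker run over a constructed Solidity contract. It flags four items that appear on most technical checklists: a floating pragma, `tx.origin` used for authorization, a low-level call whose return value is ignored, and an external call that precedes a state write (the classic reentrancy shape, i.e. a checks-effects-interactions violation). The contract text, the rule names and the line-based heuristics are all assumptions of this example; real audits use proper tools such as Slither or Solhint rather than regexes.

```python
import re
from dataclasses import dataclass

# Constructed sample contract (hypothetical; written for this example only).
SAMPLE = """\
pragma solidity ^0.8.0;

contract Vault {
    mapping(address => uint256) public balances;
    address public owner;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;
    }

    function sweep(address payable to) external {
        require(tx.origin == owner, "not owner");
        to.call{value: address(this).balance}("");
    }
}
"""

@dataclass(frozen=True)
class Finding:
    rule: str      # checklist item id (names chosen for this example)
    line: int      # 1-based line in the source
    detail: str    # auditor comment

FUNC_RE = re.compile(r"^\s*function\s+(\w+)")
CALL_RE = re.compile(r"\.(call|delegatecall|send|transfer)\b")
STATE_WRITE_RE = re.compile(r"^\s*\w+\[[^\]]+\]\s*(=|\+=|-=)")  # mapping/array write
TX_ORIGIN_RE = re.compile(r"\btx\.origin\b")

def _functions(lines):
    """Yield (name, [(index, line), ...]) per function using brace counting."""
    i = 0
    while i < len(lines):
        m = FUNC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        depth, j, body = 0, i, []
        while j < len(lines):
            depth += lines[j].count("{") - lines[j].count("}")
            body.append((j, lines[j]))
            j += 1
            if depth == 0 and any("{" in l for _, l in body):
                break
        yield m.group(1), body
        i = j

def audit_source(src: str) -> list:
    """Return the checklist findings for one Solidity source file."""
    lines = src.splitlines()
    findings = []
    for idx, line in enumerate(lines, start=1):
        if re.match(r"^\s*pragma solidity\s*\^", line):
            findings.append(Finding("FLOATING_PRAGMA", idx, "pin the compiler version"))
        if TX_ORIGIN_RE.search(line):
            findings.append(Finding("TX_ORIGIN_AUTH", idx, "authorize on msg.sender, not tx.origin"))
        # a .call whose (bool success, ...) tuple is never captured
        if (re.search(r"\.call\s*[{(]", line)
                and not re.search(r"\(bool\s+\w+", line)
                and "require(" not in line):
            findings.append(Finding("UNCHECKED_CALL", idx, "low-level call return value ignored"))
    for name, body in _functions(lines):
        call_at = next((i for i, l in body if CALL_RE.search(l)), None)
        if call_at is None:
            continue
        write_at = next((i for i, l in body if i > call_at and STATE_WRITE_RE.match(l)), None)
        if write_at is not None:
            findings.append(Finding(
                "CALL_BEFORE_STATE_WRITE", call_at + 1,
                f"{name}: external call at line {call_at + 1} precedes state write at "
                f"line {write_at + 1}; apply checks-effects-interactions or a reentrancy guard"))
    return sorted(findings, key=lambda f: f.line)

if __name__ == "__main__":
    for f in audit_source(SAMPLE):
        print(f"[{f.rule}] line {f.line}: {f.detail}")
```

Running the block prints four findings for the sample: the floating pragma on line 1, the call-before-write in `withdraw` at line 13, `tx.origin` at line 19 and the unchecked call at line 20. The point of the example is the shape of the output: each checklist item maps to a location plus an auditor comment, which is what the "checklist with comments and artifacts" in the text looks like in practice.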
Business logic
Check whether the business logic implemented in the code matches what the docs (papers, requirements, etc.) describe. The result of the audit is a list of the differences found.
Architecture
Identify possible attack vectors at a high level (governance, voting, deposit/withdraw, oracle hacks, lost/leaked keys, etc.). The attack process can be of any level of complexity and consist of many steps and transactions. The result of the audit is a checklist of known protocol breaches with comments and risk assessments.
Web3/web2 infra/arch
Modern web3 apps/protocols are integrated into a complex web3/web2 infrastructure: bridges, gateways, oracles, etc. Known possible risks should be evaluated. The audit result is a list of infra risks.
Tokenomics
Market manipulation or oracle hacks can lead to a price dump/pump and finally to economic exploits. The audit result is a list of economic risks.
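The economic risk most often written up under this heading is a contract reading the spot price of an on-chain pool as its oracle. The added example below (not from the original post; the pool sizes, block time and trade size are constructed for illustration) simulates a constant-product pool and a simplified cumulative time-weighted average price (TWAP) oracle in the style of Uniswap v2. It shows why auditors flag spot-price oracles, what the TWAP mitigation buys, and its limit: a single large trade moves the spot price 4x while the TWAP read in the same block is unchanged, but if the moved price persists for one more block the TWAP drifts too.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool; the swap fee is omitted so the numbers stay exact."""
    reserve_token: float
    reserve_usd: float

    def spot_price(self) -> float:
        """USD per token implied by the current reserves (what a naive oracle reads)."""
        return self.reserve_usd / self.reserve_token

    def swap_usd_for_token(self, usd_in: float) -> float:
        k = self.reserve_token * self.reserve_usd
        new_token = k / (self.reserve_usd + usd_in)
        token_out = self.reserve_token - new_token
        self.reserve_usd += usd_in
        self.reserve_token = new_token
        return token_out

@dataclass
class TwapOracle:
    """Cumulative-price oracle (simplified): price is weighted by the seconds it was in force."""
    window: int                              # averaging window in seconds
    cumulative: float = 0.0                  # sum of price * seconds since the first update
    last_ts: Optional[int] = None
    last_price: Optional[float] = None
    observations: List[Tuple[int, float]] = field(default_factory=list)

    def update(self, ts: int, price: float) -> None:
        if self.last_ts is not None:
            self.cumulative += self.last_price * (ts - self.last_ts)
        self.last_ts, self.last_price = ts, price
        self.observations.append((ts, self.cumulative))

    def read(self, now: int) -> float:
        """Average price over [now - window, now] using the newest observation at or before the window start."""
        target = now - self.window
        old = None
        for ts, cum in self.observations:
            if ts <= target:
                old = (ts, cum)
        if old is None:
            raise ValueError("not enough history for the window")
        cum_now = self.cumulative + self.last_price * (now - self.last_ts)
        return (cum_now - old[1]) / (now - old[0])

BLOCK = 12  # assumed block time in seconds

def simulate() -> dict:
    """Constructed scenario: 11 quiet blocks, then one large single-block trade."""
    pool = ConstantProductPool(reserve_token=1_000.0, reserve_usd=1_000_000.0)  # price 1000
    oracle = TwapOracle(window=10 * BLOCK)
    for ts in range(0, 11 * BLOCK, BLOCK):          # t = 0, 12, ..., 120
        oracle.update(ts, pool.spot_price())
    result = {"spot_before": pool.spot_price()}
    # One trade doubles the USD reserve in block t=120 (whale, flash-loan-funded trade or bug: the oracle cannot tell).
    pool.swap_usd_for_token(1_000_000.0)
    oracle.update(10 * BLOCK, pool.spot_price())
    result["spot_after"] = pool.spot_price()                # what a spot-price oracle returns now
    result["twap_same_block"] = oracle.read(10 * BLOCK)    # TWAP read in the same block
    # Assumes the moved price stays in force for one full further block with no other trades.
    result["twap_next_block"] = oracle.read(11 * BLOCK)
    return result

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>16}: {value:.2f}")
```

The numbers are exact by construction: k = 10^9, so adding 10^6 USD leaves 500 tokens and a spot price of 4000 versus 1000 before. The same-block TWAP is still 1000 because the moved price has been in force for zero seconds; one block later the window contains 12 seconds at 4000 and 108 at 1000, giving 1300. An audit note on an economic risk should therefore record not only "spot oracle used" but also the window length, how much capital it takes to move the TWAP by the amount that matters to the protocol (liquidation thresholds, collateral ratios), and whether the price feed has any sanity bounds.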
Human factor
By the original idea of web3, the human factor should have less influence on stability and security. But in practice, attack vectors targeting people have not gone away. The audit result is a list of human-factor risks.
Example audits
Consensys, OpenZeppelin, Zokyo, TechRate, PeckShield
Conclusions
An audit report should include:
- Checklist of common known technical bugs.
- Analysis of business/app logic (artifacts list).
- Checklists of known/possible high-level and complex attack vectors/risks including arch, infra, tokenomics, human factor, etc.
Links
Consensys Ethereum Smart Contract Security Best Practices/Attacks
Smart Contract Security Verification Standard
Solhint Security rules
Community-driven contests for smart contract audits
Sigp/Solidity-security-blog
damnvulnerabledefi
ethernaut
The Best Smart Contract Auditors: Ranked
A Comprehensive Smart Contract Audit Readiness Guide
defiyield.app/rekt-database
testing-guide
Training // CTFs
capturetheether, ethernaut, damnvulnerabledefi, GOATCasino, blockchain-ctf.securityinnovation, ctf.paradigm