A Look inside a Smart Contract Audit

Auditing smart contracts is a vital part of building up security in DeFi.
For all we now know about why we need to do it, we know very little about the process itself and what it is that auditors actually do. To figure this out, we went to the source and interviewed the CTO of DSA member HashEx, Gleb Zykov.
How does the audit process start?
We start every day with stand-up meetings where we discuss progress in tasks and divide who is going to focus on which audit. So, as we decide who’s responsible for a particular audit, they download the code to their computer and get familiar with the project.

This is a preliminary stage that includes studying the architecture of the solution, forming a list of additional clarifying questions for the customers, and reviewing the documentation.

What additional scripts and tools do the auditors in HashEx use?
We don’t have a universal tool for reviewing the code that everyone in the company has to use. Each auditor is free to use whichever one they’re most used to and find most convenient.
At the moment, Visual Studio Code is the one most auditors use to view and analyze the code. And additionally, we connect various plug-ins, for instance, this one.

During the analysis, we occasionally write additional tests for particular contracts; for that, we most often use the HardHat framework.
Rarely, we might use Echidna or SMTChecker, but those are usually used by developers when they’re testing their own code.
Last, but not least, we use for reviewing the mined transactions.
What’s the most difficult part of each step of an audit?
At the earliest stage, we may encounter a very prosaic issue of getting a full payment ahead of starting the actual work.
We try to be as transparent as possible and make sure that the client understands what they’re paying for and why we accept the payment the way we do.
During the audit, figuring out the project and discovering the issues is the actual hardest part.
And after we give the preliminary report to the client, they might ask to lower the severity of an issue or remove something altogether. Of course, this has to be carefully managed because we wouldn’t compromise the integrity of the service we provide.

How do you compile the final report?
During the audit, each auditor writes down their own list of issues. If the audit is large with many contracts and many issues, they might coordinate their work to understand and review the project faster and more thoroughly.
When we do that, we hold meetings where each auditor shares their discoveries and we discuss them. This allows us to add the issues we missed, and remove issues if they can’t be confirmed.
The final step is selecting an auditor who collects all the issues together and forms a report. That we usually do with the help of DSA’s Audit Builder. It lets you form a preliminary report and then edit or update it as needed.
There are additional steps before the report is sent to the client: first, all the auditors involved in the project review the report; then the content is reviewed so that it is coherent and easily understandable; and then we send the preliminary report to the client.

We are thankful to Gleb and his audit team for this in-depth look into the work of DeFi security specialists.
Stay safe and trust in research!