Hacking Notes
  • Hacking Notes
  • Penetration Testing Methodology
    • Host Discovery
    • Information Gathering
    • Exploit Research
    • Exploit Development
    • Exploit Testing
    • Exploiting
    • Information Gathering
    • Privilege Escalation
  • Shells
    • Reverse Shell Cheat Sheet
    • Bind Shell Cheat Sheet
    • Webshells
    • C Shell
  • Stuck?
  • LICENSE
  • Windows
    • Windows Information Gathering
    • Windows PrivEsc
      • Method
      • PE Scripts
      • Potatos
      • Windows Privs
    • Transferring Files
    • Active Directory
      • ad-attacks
      • auth-enumeration
      • unauth-enumeration
      • authentication-delegation
      • reference
      • Kerberos
        • Authentication Delegation
      • mind-map
    • LNK Files
    • SCF Files
    • Compile Code
    • Tips & Tricks
  • Linux
    • Linux OS Information Gathering
    • Linux PrivEsc
      • methodology
      • Privilege Escalation Scripts
        • LinEnum
    • Hosting Files
    • Linux File System
    • Scheduling Jobs
    • POSIX
      • Scripting
      • Notes
  • Web Application Testing
    • Methodology
    • Enumeration
    • Attacks
      • SQLi
      • File Inclusion
      • Directory Traversal
      • Cross-Site Scripting
      • Login Forms
      • Content Injection
      • XSS
    • Assessment Tools
      • ZAP
      • ffuf
      • Nikto
      • wpscan
      • zap
    • Wordpress
      • wpscan
    • Apache
    • Nostromo
  • Services
    • Services
      • Active Directory Administration
      • Cups
      • DFSR
      • DHCP Client
      • DHCP Server
      • DNS
      • FTP
      • HTTP
      • HTTP(S)
      • IIS
      • Imap Encrypted
      • IMAP
      • IPsec
        • Kerberos
        • LDAP
        • ldaps
        • MSRPC
        • MSSQL
        • MySQL
        • Netbios Datagram Service
        • Netbios Name Service
        • Netbios Session Service
        • NFS
        • NNTP
        • NTP
        • Oracle
        • POP3
        • POP3 Encrypted
        • RDP
      • Redis
        • RFSP
        • RPCbind / Portmapper
        • RSIP
        • RTSP
      • RSYNC
        • SMB
        • SMTP
        • SNMP
        • SSH
        • Telnet
        • TFTP
        • VNC
      • VNC Remote Desktop
      • VNC Web Interface
        • WinRM
      • Wins
  • Containers
    • Docker
  • Buffer Overflow
    • Buffer Overflow
    • win32
  • Tools
    • Windows
      • chisel
      • mimikatz
      • mssqlclient.py
      • plink
      • psexec.py
      • smbeagle
      • winexe
    • Linux
      • chisel
      • evil-winrm
      • exiftool
      • Impacket
        • GetADUsers
        • GetNPUsers
        • getST
        • getTGT
        • GetUserSPNS
        • secretsdump
        • smbclient
        • wmiexec
      • jd-gui
      • ldapsearch
      • strings
      • smbeagle
      • Helpful Sites
  • Misc
    • Tunneling
    • Cryptography
    • Regex
    • Tools to Checkout
  • Password Cracking
    • Hashcat
    • John The Ripper
  • Tunneling
    • Tunnels
  • Web3
    • Introduction
    • Audit Process
    • Report Writing
    • List of Tools
    • Web3 References
Powered by GitBook
On this page
  • Audit Process
  • Layout
  • Where to Start

Was this helpful?

  1. Web3

Audit Process

PreviousIntroductionNextReport Writing

Last updated 3 years ago

Was this helpful?

Audit Process

When starting an audit, it is good to know when you are going to stop.

Set myself the goal of fully understanding the system to the point where I could reimplement it from scratch without being allowed a look at the original codebase. Not from remembering the code, but from having understood what the application is supposed to do. If you have examined a project that far and have not found a bug, the chances of finding one by continuing is low. However, if there is a bug in there, your chances of finding it with this method are high.

- Alexander Schlindwein

The audit process will be different based on if you are doing an audit on a bug bounty program, your own program, or have been hired either directly or working with an organization. However, the basic ideas of each of these steps should be considered for all audits.

  1. Go through a checklist with the project team

  2. Read specification/documentation of the project to understand the requirements, design and architecture

  3. Run fast automated tools such as linters or static analyzers to investigate common Solidity pitfalls or missing smart contract best-practices

  4. Manual code analysis to understand business logic and detect vulnerabilities in it

  5. Look over the layout to see if it matches best practice and to understand how it is laid out if not

  6. Create a data flow diagram (Consider using tools to help with this such as: , , )

  7. Run slower but more deeper automated tools such as symbolic checkers, fuzzers or formal verification analyzers which typically require formulation of properties/constraints beforehand, hand holding during the analyses and some post-run evaluation of their results

  8. Create proof-of-concept attacks to validate any findings

  9. Communicate the status with the project team and get clarification on business logic or threat model

  10. Steps 1-6 are more cyclical in nature than check off and move on

  11. Write report summarizing the above with details on findings and recommendations

  12. Deliver the report to the project team and discuss findings, severity and potential fixes

  13. Evaluate fixes from the project team and verify that they indeed removed or mitigated the vulnerabilities identified in findings

Note: some skip step two and go directly into step 3. This is because documentation can lead you astray because it is wrong or misleading; however, the code is the source of truth.

Layout

  1. pragma directives

  2. import directives

  3. Structs/Enums/Contracts

    1. state variables

    2. events

    3. errors

    4. modifiers

    5. constructor

    6. functions

Where to Start

When presented with several contracts and hundreds of lines of code, it may be daunting to find a starting place for the manual audit or even to start reviewing the code. Consider starting with either the or the areas of the smart contract.

pre-audit
ThreatDragon
Etherscan
VS Code Solidity Auditor
asset flow
access control