class: title

# Case Study of Audits

---

# Agenda

1. Audits
   - Code Security
   - Design Decisions and Architecture
   - Code Quality
2. Competition: Case Study of Contracts

---

# Goals of an Audit

- Code Security
- Code Architecture
- Code Quality

---

# Audit Process

## Auditing Companies

- Quantstamp
- Trail of Bits
- ChainSecurity
- Hosho
- Open Zeppelin

---

# Audit Handoff

- Most recent version of code
- Explanation of how code is supposed to work
- Description of particular areas of code that are complex

---

class: title

# Source Code: ZIP file on Blackboard

---

## Exercise - Introduction to Code

Throughout this lecture, we will be facilitating an end-to-end audit of this code in production.

In groups, answer the following:

- Who are the parties involved?
- What are the states in the contract?

---

class: col-3

# Security of Code

Common smart contract vulnerabilities include:

- Arithmetic Overflow/Underflow
- Mismatched visibility modifiers on certain functions
- Re-entrancy attacks
- Misuse of tx.origin and msg.sender
- Force-sending funds into a contract
- Reliance on external libraries
- Exceptions not handled correctly
- Incorrect authorization on a contract

---

# Exercise - Auditing Contracts

In groups of 2-3, identify security problems in the codebase.

- For each problem, identify potential solutions
- From your solutions, choose the "best" one

---

class: title

# Code Walkthrough

---

class: title

# Architecture and Design

---

class: title

**What are some benefits of decentralized technologies over centralized technologies?**

**What are things we need to be careful of?**

---

# Guidelines

- Never store private key
- Never change state of a contract without proper permission
- Ensure all parties of a smart contract have equal rights

---

# Exercise - Architectural Design

Looking at the smart contracts, determine if there are any instances of improper design:

- Identify any other problems
- What are some potential solutions? Out of those, which is the best one?
---

class: title

# Code Quality

---

# Code Quality

- Correctness
- Readability
- Improving Scalability

---

class: title

# Code Quality - Correctness

## It's not a bug, it's a feature.

---

## "It's not a bug, it's a feature" examples

- Gmail undo button functionality
- Hiding files in Unix/Linux
- Mac App Store

---

## Code Quality: Readability

```javascript
// Deliberately hard to read: the names say nothing about what is passed or returned.
var input1 = "String to be inputted";
var input2 = "number to be inputted";
let output1 = await Contract.methods.function2(input1, input2).call();
let output2 = await Contract.methods.function1(input2, input1).call();
```

---

## Code Quality: Readability

- Avoid commenting - write methods that explain what they do
- DRY

---

# Exercise - Critique the Code

Looking at the same codebase, answer the following questions:

- Is there anything confusing in the code?
- How would you change those to make it more readable?

---

class: title

# Comparison of Our Results to Actual Audit

---

# Lab: Compile an Audit

Using your previous assignment from Smart Contract Essentials/Design Patterns, audit your code in terms of the following:

- Code Security
- Design Decisions/Architecture
- Code Quality