Notes

  • Manual code review is required to understand business logic and to detect vulnerabilities in it.

    1. Automated analyzers do not understand application-level logic and its constraints. They are limited to constraints/properties of the Solidity language, the EVM or the Ethereum blockchain.

    2. Manual analysis of the code is required to detect security-relevant deviations in implementation vis-a-vis the specification or documentation.

    3. Auditors may need to infer the business logic and its implied constraints directly from the code or from discussions with the project team, and thereafter evaluate whether those constraints/properties hold in all parts of the codebase.

  • Manual review approaches: Auditors take different approaches to manually reviewing smart contract code for vulnerabilities.

    1. Starting with access control

    2. Starting with asset flow

    3. Starting with control flow

    4. Starting with data flow

    5. Inferring constraints

    6. Understanding dependencies

    7. Evaluating assumptions

    8. Evaluating security checklists
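As an added illustration of points 1 to 3 under manual code review (constructed for these notes, not code from any audited project), the vault below assumes a specification stating that no funds move while the vault is paused. Nothing here violates a Solidity or EVM-level property, so an automated analyzer has no reason to flag it; only a review against the specification notices that the constraint is enforced on the inflow path but not on the outflow path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed specification for this constructed example:
//   "While the vault is paused, no funds may be deposited or withdrawn."
// Checking that this property holds in every function is a business-logic
// constraint that has to be inferred from the spec, not from the language.
contract VaultAsWritten {
    address public owner;
    bool public paused;
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    function setPaused(bool p) external onlyOwner { paused = p; }

    // Inflow path: the constraint from the spec is applied here.
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Outflow path: deviation from the spec, the pause check is missing.
    // Access control, arithmetic and reentrancy ordering are all fine, which is
    // why a tool limited to language/EVM properties reports nothing.
    function withdraw(uint256 amount) public virtual {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;            // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// What the review would ask the team to ship: the same constraint on both
// asset-flow paths (the "asset flow" approach listed above surfaces this by
// tracing every path through which value leaves the contract).
contract VaultAsSpecified is VaultAsWritten {
    function withdraw(uint256 amount) public override whenNotPaused {
        super.withdraw(amount);
    }
}
```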
