Process and Methodology
Deploying smart contracts on a permanent public blockchain is risky. There are plenty of examples of incidents in which funds have been stolen or permanently locked, because of programming errors, unexpected user behavior or oddities of the underlying blockchain protocol implementation.
For some prominent examples and common vulnerabilities read our recent article on Ethereum smart contract security. We offer detailed audits of smart contracts for a number of platforms, including Ethereum. If you are planning an ICO, an ERC-20 token, a non-fungible token representing your assets or any other smart contract-based application, contact us for a competitive quotation.
Our workflow is as follows: After understanding the intended functioning of the contract, we start by running static code analysis tools. We then proceed to manually scan the contract for certain types of vulnerabilities. Depending on the complexity and type of contract, we then deploy the contract on a test blockchain and either perform a series of manual tests or generate and execute specific unit tests. Finally, we prepare a report listing the issues found in three levels of severity, together with a section on general recommendations.
The following is an example audit report shared with the client’s permission: 20180601_Audit_Report_CryptoFights
We have performed audits for various projects, including tokens based on ERC20, ERC223 and ERC721 specifications.
- CryptoSprites ERC-721 token (https://www.cryptosprites.com/)
- Maxdata token and ICO contracts (https://maxdata.io/)
- Coinnup token and ICO contracts (https://ico.coinnup.com/)
- Latino Token token contract (https://latinotoken.com/)
- Boon Tech Token and ICO contracts (https://boontech.ai/)
- Parsec Frontiers token and ICO contracts (https://parsecfrontiers.com/)
- Ekk Baz token and ICO contracts (https://ekkbaz.com/)
- CryptoFights game contracts (https://cryptofights.io/)
- XCHNG token and Dutch Auction token sale contract (https://www.xchng.io/)
- Morpheus Network token (https://morpheus.network/) – new version after the June 2018 hack
- Gath3r.io token and crowd sale contract (https://gath3r.io/)
- iHome token contract (https://ihome.org/)
- Tolar.io Token and crowd sale contracts (https://www.tolar.io/)
- Token.io banking smart contracts (https://token.io/) – for Solidified (Audit Report)
- FOAM Proof of Location protocol (https://www.foam.space/) – for Solidified
- FansUnite (https://fansunite.io/) – for Solidified
- Yazom Token and Distribution Contracts (https://www.yazom.com/)
- MelonPort Protocol and Token Migration (https://melonport.com/) – for Solidified
- PolyMath (https://polymath.network/) – as part of the continuous Solidified audit team
- Cosmos Ethereum Peg zone (https://github.com/cosmos/peggy) – initial version before project relaunch (for Swish Labs).
Full Stack Security Auditing
Blockchain systems do not stop at the smart contract level. Other issues to consider are:
- Key generation
- Key storage
- Wallet security
- Regulatory compliance and data protection
- Traditional Web cybersecurity
To this end, we offer full stack auditing and consulting services including pentesting and code reviews.