We've prepared this material to assist you in securing your project by answering these and other pre-audit-related questions.
🤿 Let's dive in.
Yes! Please prepare your codebase before an audit to save both your time and money! ⌛💸
[ ] 1. Update relevant documentation, including system architecture and design considerations.
[ ] 2. Ensure that all complicated parts of code are properly commented and linked to documentation references. We recommend using Natspec.
[ ] 3. Aim for at least 90% test coverage and prepare a test suite execution instruction.
[ ] 4. Make sure there are no compiler warnings, your project can be easily deployed locally, and external dependencies are updated to a stable version.
[ ] 5. Make sure all function and variable names are correct and accurately describe what they do.
[ ] 6. Clean up the codebase by removing redundant code, imports and libraries. If you consider it necessary to keep such code, add comments explaining why.
[ ] 7. Make sure any third-party development tools you use are listed in the spec/docs/comments.
[ ] 8. We recommend running Slither and other static analyzers to identify the most obvious problems. You can use this guide.
[ ] 9. We recommend checking that all critical program operations are logged and reflected through events.
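As an added illustration of items 2 and 9 above, here is a hypothetical contract written for this page (not code from the original post): every state variable, event and function carries a Natspec comment, and each critical state change is access-controlled, bounded and reflected in an event carrying the old and new values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
/// @title Fee configuration documented with Natspec and logged through events
/// @notice Hypothetical contract added to illustrate checklist items 2 and 9; not from the original post.
contract FeeConfig {
    /// @notice Upper bound on the fee an admin may set (500 bps == 5%)
    uint256 public constant MAX_FEE_BPS = 500;
    /// @notice Account allowed to change configuration
    address public admin;
    /// @notice Current fee in basis points
    uint256 public feeBps;

    /// @notice Emitted on every admin change, including the initial assignment in the constructor
    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);
    /// @notice Emitted on every fee change; old and new values let off-chain monitors diff them
    event FeeUpdated(address indexed by, uint256 oldFeeBps, uint256 newFeeBps);

    error NotAdmin(address caller);
    error FeeTooHigh(uint256 requested, uint256 max);
    error ZeroAddress();
    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        _;
    }

    constructor(uint256 initialFeeBps) {
        if (initialFeeBps > MAX_FEE_BPS) revert FeeTooHigh(initialFeeBps, MAX_FEE_BPS);
        admin = msg.sender;
        feeBps = initialFeeBps;
        emit AdminTransferred(address(0), msg.sender);
        emit FeeUpdated(msg.sender, 0, initialFeeBps);
    }

    /// @notice Change the fee. Critical operation: bounded, access-controlled and logged.
    /// @param newFeeBps New fee in basis points; must not exceed MAX_FEE_BPS
    function setFee(uint256 newFeeBps) external onlyAdmin {
        if (newFeeBps > MAX_FEE_BPS) revert FeeTooHigh(newFeeBps, MAX_FEE_BPS);
        uint256 old = feeBps;
        feeBps = newFeeBps;
        emit FeeUpdated(msg.sender, old, newFeeBps);
    }

    /// @notice Hand the admin role to another account. Emitted before the write so the event carries the old admin.
    /// @param newAdmin Address of the new admin; the zero address is rejected
    function transferAdmin(address newAdmin) external onlyAdmin {
        if (newAdmin == address(0)) revert ZeroAddress();
        emit AdminTransferred(admin, newAdmin);
        admin = newAdmin;
    }
}
```

An auditor can check from the events alone that no critical state changes silently, and a monitoring system can alert on unexpected `FeeUpdated` or `AdminTransferred` emissions.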
So, you've completed developing your project, investing significant effort and resources, and are preparing for the release/deployment. You might already know how to find an auditor and secure your project from all sides.
As we analyzed in our previous article-report, a smart contract audit is a significant security measure. But we still haven't figured out how to prepare for it! Let's assume that you decide to order an audit and want to make the process as efficient as possible. Let's figure out what steps you need to take!
Your goal is to get a quality audit and launch smoothly, spending as little money and time as possible.
Let's find out what influences the quality, time, and cost of an audit.
For that, let's define the purpose of an audit. The goal of an audit is to list all current vulnerabilities in the specified scope and provide detailed recommendations for changes.
Thus, the quality of an audit is expressed in the final report: the number of vulnerabilities found (hard to assess, since we don't know how many were not found), how dangerous these vulnerabilities really are (usually graded as critical, major, info, etc.), why it is crucial to fix them, and recommendations on how to do that.