How to Prepare for a Smart Contract Audit

The crypto industry is at a standstill in terms of market capitalization and TVL. But the number of smart contracts audits is increasing every month. Innovative applications of blockchain technology continue to create value. dApps and Web3 apps still handle millions and billions of user funds.

Even in the bear market, we see a hike in audits, pentests, and bug bounties. People would only use a decentralized application that works right. No one would store funds in a platform that can’t guarantee safety. Lax app security can have disastrous results, as proven by historical data on exploits. Over the years, the DeFi sector alone lost nearly $6 billion to hacks.

Getting Ready for Smart Contract Audit

As we all know, decentralized applications are powered by smart contracts programmed to execute specific functions upon meeting a set of parameters. These are essential for any Web3 application. While code quality dictates whether applications will work as intended, code security dictates the risks of losing locked funds.

Determining security and functionality is the bread and butter of smart contract auditors. A reputable third-party cybersecurity organization is always preferred to in-house efforts because its analysis is more objective and adds credibility. An external auditor will verify that contracts work as intended and eliminate any risks of post-deployment “surprises.”

Take the necessary steps to protect your project by auditing your smart contracts.

You’ve finished developing a blockchain application and found an external auditor. Your next step is to prepare for the review itself. A cybersecurity firm typically provides you with an audit preparation checklist, which has all the necessary step-by-step guidance to maximize the results of your joint efforts.

Smart Contract Audit Preparation Checklist

The preparation phase is crucial. Your goal as a customer is to supply all the relevant information about the project and code. A good auditor will help you with this step. An audit will go smoothly if you implement the following recommendations.

Step 1: Functional Requirements

Documentation should be sufficient. Functional requirements explain the app’s functions in a simple, straightforward language. They are vital for understanding what users and key stakeholders can do with the system. Good functional requirements define what an application is supposed to do and describe its desired behavior. 

Key demands of functional requirements:

1. Clear, specific, and easy to understand;
2. Defined actions of end users;
3. System inputs and outputs;
4. Identified system constraints or limitations;
5. Performance or reliability requirements.

Step 2: Technical Documentation

Technical documentation describes and explains everything related to the application’s software. The information may range from internal documentation for teams to external documentation for end users.

Key requirements for technical documentation:

1. Utilized technologies;
2. Use of third-party dependencies/programs;
3. Development environment description;
4. Run instructions;
5. Benchmarks;
6. System architecture and internal/external interactions.

Understanding Cross-Contract Dependencies

With most projects using multiple smart contracts, there will be cross-contact dependencies. It would be best if you mentioned these dependencies, ideally charting them or describing system roles. This step enables auditors to analyze dependencies’ effects on other smart contracts.

The depth of technical documentation and functional requirements affects the documentation quality of the final audit scoring.

Step 3: Set up Development Environment

Your project should have a development environment. It can be any development environment based on your preference (e.g., Truffle, Hardhat, Foundry).

Key requirements for development environment:

1. No private dependencies. All dependencies can be downloaded without setting up additional keys.
2. Having all global packages, including packages manager and language compiler.
3. The setup can run on various operating systems.
4. It contains run instructions. 

If the customer doesn’t have a development environment, the auditor will help set it up based on technical configurations and using appropriate software packages. This factor affects the code quality metric.

Step 4: Access to Clean and Executable Code

Ideally, project developers grant access to well-configured code via a repository, such as GitHub, Bitbucket, or GitLab.

A codebase should follow conventional formatting and these rules:

1. The code follows an official language style guide. Look up popular style guides for Solidity, Vyper, Rust, etc.
2. The code can be compiled.
3. Resolve all TODO and FIX comments.

A code that follows these rules will make the audit process more efficient. Unfortunately, only some people in the industry are well-organized. A repository may be unstructured or scattered over blockchain explorers like EtherScan or BscScan. The overall code quality affects the code quality metric.

Step 5: Verified Scope of Audit

Not all audits are equal, as some clients submit their entire project and others just a portion. If that’s your case, you need to prepare a verified audit scope so that auditors know which contracts they should focus on.

A verified scope of audit should include:

1. Repository link
2. Branch Name
3. Commit
4. Path to contracts that need to be audited

Specifying contract paths is unnecessary when the entire repository has to be audited. Sometimes, a repository may contain critical code beyond the audit scope. In this case, the auditor will explicitly mention the excluded code, “repository contains contracts that are out of scope and cannot be verified.”

Step 6: Access to Unit Tests

Auditors thoroughly test all contracts by running them through all possible scenarios. The audit team will create test cases themselves. But you should provide a set of unit tests. Unit tests are important because they reflect a developer’s perspective, effectively contributing to additional validations.

There are several benefits to writing tests for smart contracts. For you as a customer, unit tests showcase that smart contracts are working as intended. For a cybersecurity firm, unit tests provide a way to validate smart contract functionality. In addition to speeding up issue verification, it streamlines the audit process by providing a clear and concise set of tests to verify contracts’ behavior.

Key requirements for unit tests:

1. Cover positive and negative cases;
2. Cover cases of a construct usage by multiple users;
3. Grant access to all third-party tools required to run tests;
4. Confiture code coverage plugin.

Unit tests also affect the test coverage metric. More importantly, having 100% test coverage will increase the chances of preventing costly errors and eliminating critical bugs.

Final Remarks on Preparation Checklist

A successful preparation phase is a prerequisite for a thorough and detailed audit to detect and eliminate fatal smart contract vulnerabilities. The following smart contract audit preparation checklist will help you get the most of your smart contract audit:

• Describe functional requirements;
• Provide technical documentation;
• Set up development environment;
• Grant access to clean and executable code;
• Verify audit scope;
• Give access to unit tests.