We are offering a bounty for whoever creates the best template for Solidity developers to use while auditing smart contracts. It does not have to be 100% inclusive of all known bugs and best practices, as it should be general, since most contracts will be different. A checklist for reentrancy, safe maths being used for all math, etc. would be one section. Please feel free to ask any questions below and, as always, leave your ETH address below your answer to be awarded the bounty.
I use this guide often - I hope this will be useful…
In addition to what @tissor said, I would suggest making a section of different attack vector possibilities (just like setting up multiple tests). I will suggest a few more of these (and we can add more as we discover more weaknesses):
Reentrancy and Race Conditions
Transaction Ordering Assumptions
@calvin So have a checklist of possible attacks and then the auditor simply goes through each category and checks for that vulnerability? I’m a big fan of checklists but we’d also have to ensure that we do not give the auditors tunnel vision by having a very specific list too.
We are trying to come up with a system that is better than just a program running over the code as it will then only be as good as the bugs that it knows.
A possible extra thing that popped into my head is making a version of a local testnet (such as ganache) that has possibly hundreds or thousands of accounts that will all try to interact with the contract as fast as possible, to sort of stress-test the code. It might be a worthwhile addition to the auditing suite to see if the code is really up to dealing with a lot of interaction.
Just want to point out that this is exactly what we’re aiming to do with the https://www.dasp.co
For sure! You can reach out to me here: email@example.com
We just released a set of guidelines (guidelines.secureth.org) that is targeted at developers to help them prepare for an audit. The next phase will assist the auditors within the guidelines. We are getting comments now from a big group of auditors and hope to push the guidelines more publicly in about a month.
This isn’t exactly what you want, but it will help.