Structure of an Audit Report
November 24th, 2022

Introduction

Vulnerabilities in smart contracts can cause loss of funds and damage the reputation of a protocol. Flaws in smart contracts are easy targets for attackers, and since the DAO hack billions of dollars have been lost to smart contract exploits. This is where smart contract audits come in: they are a critical input to risk assessment and mitigation. An audit analyses the code to discover errors and security vulnerabilities and recommends fixes before deployment. Let's dive further into this added security layer and its structure.

1. Quality Writing

Auditing firms and independent auditors typically deliver high-quality writing. The target audience shouldn't struggle to understand the content, so the goal is to simplify complex topics as much as possible without losing precision. A report isn't only about improving the security of the smart contracts; it also has to educate and inform its readers effectively.

“Good writing does not succeed or fail on the strength of its ability to persuade. It succeeds or fails on the strength of its ability to engage you, to make you think, to give you a glimpse into someone else's head.” - Malcolm Gladwell

2. Executive Summary

This is the overall summary of the audit report, which includes:

  • Which protocol/project was audited (Engagement Overview)

  • Which firm or independent researcher audited it (Engagement Overview)

  • Which classes of flaws the auditors looked for, and which contracts were in scope (Project Scope)

  • The findings (Summary of Findings)

    Useful additions here are an exposure analysis (findings broken down by severity) and a breakdown by category, which helps readers detect patterns.

NFTX Assessment by TrailOfBits, 2022

3. Limitations

This section exists for the reader's benefit: an audit is a time-boxed review of a specific version of the code, so a report doesn't make a smart contract safe, and a clean report is not a guarantee that no vulnerabilities remain. Auditing firms routinely include this section in their reports, partly for liability reasons.

UniSwap Permit2 Code Assessment by ChainSecurity, 2022

4. Contract Flow

Some auditing firms include diagrams of how the contracts interact with each other, giving the reader a bird's-eye view. This greatly improves understanding by providing context. The same effect can be achieved with a thorough written explanation (System Overview) of the purpose of each contract and how it fits into the whole.

UniSwap Permit2 Code Assessment by ChainSecurity, 2022

5. Automated Testing

Some audit firms, such as TrailOfBits, showcase the results of automated analysis tools alongside the manual findings.

TrailOfBits

Reports may also recommend incorporating Echidna property-based fuzzing into the project's development workflow, so that the contract's invariants are checked continuously rather than only during the audit.

TrailOfBits
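As an added illustration of the kind of Echidna property test such a recommendation asks for (this is example code written for this post, not code from the original article or from any of the audited projects; the SimpleVault contract, the VaultEchidnaTest harness and the invariant it checks are hypothetical):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault used only to illustrate an Echidna property test.
// Users deposit ether and withdraw it later; the contract tracks the sum
// of all recorded balances in totalDeposits.
contract SimpleVault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Checks-effects-interactions: update state before the external call
        // so a reentrant call cannot withdraw the same funds twice.
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Echidna harness. Echidna deploys this contract, then calls its public
// functions with random arguments from a set of sender accounts and checks
// every echidna_* property after each call; any call sequence that makes a
// property return false is reported, together with the sequence that broke it.
contract VaultEchidnaTest is SimpleVault {
    // Invariant: the ether actually held must always cover the recorded deposits.
    // If withdraw() forgot to decrement totalDeposits, a deposit followed by a
    // withdraw would lower the balance without lowering the total and this
    // property would fail.
    function echidna_balance_covers_deposits() public view returns (bool) {
        return address(this).balance >= totalDeposits;
    }
}
```

Run it with `echidna <file>.sol --contract VaultEchidnaTest` (older releases ship the binary as `echidna-test`). Because deposit() is payable, the sender accounts need ether to exercise it; that is controlled by the `balanceAddr` setting in an echidna.yaml config file. Properties must be public, take no arguments and return bool, and their names must start with `echidna_`.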

6. Code Base Maturity

This is an important section, because this is where auditors assess whether the code base was written to a mature standard: testing, documentation, access controls, arithmetic handling and similar practices. Here the auditors' judgement and experience come into play to detect underlying weaknesses in engineering practice that tend to produce vulnerabilities later.

7. Finding Categories

This is where the detailed technical description of each finding lives. For every finding it includes:

  • Severity: A matrix like the one below rates the impact on the protocol if the flaw were exploited.
Chainsecurity
  • Difficulty: How hard the vulnerability is to exploit (sometimes expressed as likelihood).

  • Proof of concept: Concrete steps or code that demonstrate the flaw; essentially the same as the exploit scenario.

  • Mitigation or recommendations: How to fix the issue.

TrailOfBits

8. Exploit Scenarios

Exploit scenarios are important because they show concretely how a given flaw could be exploited and what an attacker would gain. Among the reports reviewed here, only TrailOfBits include them in their audit reports.

NFTX Assessment by TrailOfBits, 2022

9. Recommendations or Notes

This is the general recommendations section, where auditors give an overall review of the entire codebase and the development process. You'll see an example below:

Chainsecurity