Smart contracts provide a way to programatically govern relationships between multiple entities, without the need for a middleman. The security implications of this new paradigm are far reaching, requiring small teams of developers to protect potentially millions of dollars of assets.
Security flaws in smart contracts have cumulatively cost the cryptocurrency ecosystem hundreds of millions of dollars. We help to identify these vulnerabilities in your code before they are deployed into a production environment.
We employ an industry standard methodology that uses multiple techniques to identify security issues in smart contracts.
Manual code review
We will manually read through the codebase to identify high risk areas of the code and potential security loopholes, which will be verified during the manual testing phase. We look for faults in business logic, discrepancies with the specification provided, and other flaws that could affect the functioning of the smart contract.
Our team of security professionals will manually deploy smart contracts to a testnet in order to assess them. We'll use our experience of participating in bug bounty programs to find edge cases in your code, whether it's a way to lock user funds in the contract or if a bonus percentage being calculated incorrectly.
In order to maximise coverage, we use static analysis tools to automatically identify the presence of vulnerabilities. These vulnerabilities will typically be related to under / overflow bugs, transaction-ordering dependence / front running, reentrancy, and other bugs that are well suited to an automated analysis.
We use dynamic analysis to automate the process of assessing certain business logic, where necessary. Additionally, we'll help to identify bugs in your test suite if they are provided with the smart contracts.
Get the most out of your audit
Here are a couple pointers that will help you get the most out of your report.
The audit report will first be shared with you privately to help fix issues that were identified during the audit. On your request, we can release a public version the report on the iosiro website. This report can be shared with users to provide a third party perspective on the performance and security of the contracts, providing them with peace of mind.
Alternatively, we also offer a badge to clients who remediate their smart contracts to a satisfactory level. This can be displayed on your website to advertise the fact that you have gone through the audit process without releasing the audit results publicly.
We can only scope the audit once you have a completed codebase. We're happy to speak at an earlier stage, but in terms of starting the audit we'll need access to the actual code that will be audited. There are a number of other techniques that you can use to help secure the contracts
We highly recommend using version control software, such as git, to manage the codebase during the audit. This allows us to effectively do our jobs as we can highlight exactly which code is in scope for an audit, and reference specific changes in the code that address specific vulnerabilities.