Auditing Scope (Solidity)

During the process of auditing smart contracts, we have identified the following common types of vulnerabilities. However, our auditing work is not limited to these types.

Common Vulnerabilities

Category / Description

Business Logic

Reviewing the logic to ensure that the code implements the expected functionality as specified in the documents.

Access Control

Assessing and managing the mechanisms in place to regulate and restrict user access to resources, systems, or information based on predefined permissions and privileges.

Data Validation

Evaluating the mechanisms of the smart contract for validating and verifying the integrity and correctness of the data it relies on.

Numerics

Handling and processing numerical values and calculations accurately and efficiently, considering potential limitations, precision issues, and rounding errors associated with different data types and arithmetic operations.

Reentrancy

Addressing vulnerabilities that could allow an attacker to reenter a function or contract before the previous execution has completed, potentially leading to unintended consequences or malicious actions.

Cryptography

Implementing secure cryptographic algorithms and protocols to protect sensitive data, ensuring confidentiality, integrity, and authentication in various applications and systems.

Denial of Service

Identifying and mitigating vulnerabilities that could lead to a Denial of Service attack, which aims to disrupt or incapacitate a system, network, or service, rendering it unavailable to legitimate users.

Upgradeable

Using the proxy pattern in upgradeable contracts can introduce security risks. Ensure that appropriate security measures are in place when implementing the proxy pattern to prevent malicious attacks or contract takeover.

Inconsistency

Identifying and resolving discrepancies between documented specifications, guidelines, or instructions and the actual implementation of a system, software, or process.

Front-running

Identifying and addressing vulnerabilities that allow malicious actors to exploit privileged information, typically in decentralized financial applications, to gain unfair advantages in transactions or trades.

Weak Randomness

Identifying and addressing vulnerabilities that arise when a contract derives randomness from deterministic variables.

Centralization

Assessing and mitigating risks associated with centralization of data, control, or authority in systems or organizations, considering potential single points of failure or vulnerabilities.

Configuration

Managing and maintaining the configuration settings and parameters of a system or application, including customization options, environmental variables, and external dependencies, to ensure optimal performance and functionality.

Variable Shadowing

Using the same name for variables in different functions or inherited contracts can lead to conflicts and hidden variables, resulting in unexpected execution behavior.

Compiler

Identifying and addressing vulnerabilities that depend on the compiler version.

Logging

Implementing a system that captures and records relevant events, actions, and errors occurring within an application or system, facilitating troubleshooting, auditing, and analysis of system behavior.

Gas Optimization

Suggestions for reducing gas costs.

Code Quality

Assessing and improving the overall quality, readability, maintainability, and efficiency of the software codebase through practices like code reviews, adherence to coding standards, and the use of automated analysis tools.
