How to Prepare for Your Smart Contract Audit

7 June, 2024
Education

You have invested a lot of effort and resources in the development of your project, and now it is ready for release. You know how to find an auditor and protect your project from all sides. But do you know how to prepare for an audit?

Let’s say you decide to order an audit to make your project launch as smooth as possible. In this article, we will tell you what steps you need to take to get a high-quality audit, save time and money, and have a smooth launch.

Defining Audit Objectives

The primary objective of any security audit is to clearly define its aim. It is necessary to have a clear understanding of the specific questions that the audit should answer, for example:

  • What is the overall security level of the protocol?
  • Does the protocol code meet your expectations and specifications?
  • Is the token distribution model fair and sustainable?

A clearly defined scope allows for the optimization of the audit process, focusing on the most critical aspects, and achieving comprehensive results.

Ultimately, you will receive all the answers to your questions in the final report, which will list all current vulnerabilities in the specified area and provide detailed recommendations for change.

Resolving Simple Issues

Addressing the following issues before the audit begins will significantly improve both its speed and its quality. Auditors will be able to focus on key areas, leading to a deeper and more productive analysis.

  • Code comments. Complex functions that are difficult to understand without additional context should have sufficient comments and links to the relevant sections of the specification. If there are not enough comments, add them using the NatSpec format.
  • Unit Testing. Ensure that at least 90% of the audit scope is covered by unit tests that accurately reflect the project’s business logic. Auditors sometimes review them to better understand the developers’ original intent behind the code and modify them to test edge cases.
  • Local Build and Deployment. Verify that your project builds and deploys correctly locally, and that all dependencies are up to date.
  • Function and Variable Names. Make sure that all function and variable names are clear, concise and meaningful.
  • Unused Code Elements. Verify that your code does not contain unused imports, functions, and variables. If you believe that they are necessary, leave explanatory comments.
  • Third-Party Development Tools. Ensure that all third-party development tools that you use are listed in the specifications, documentation, or comments.
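
As an added illustration (not code from the original article), here is how a function can be documented in the NatSpec format the list refers to, so that an auditor can check the implementation against the specification instead of guessing at intent. The contract, the vesting logic and the spec section numbers are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Linear vesting (hypothetical contract, for illustration only)
/// @notice Releases a beneficiary's allocation linearly over `duration` seconds.
/// @dev Invariants and edge cases are written down here so they can be audited
///      against the spec; "section X.Y" below is a placeholder reference.
contract VestingExample {
    /// @dev Thrown when the caller has nothing vested and unreleased.
    error NothingToRelease(address beneficiary);

    uint64 public immutable start;
    uint64 public immutable duration;
    mapping(address => uint256) public totalAllocation; // set elsewhere (omitted)
    mapping(address => uint256) public released;

    constructor(uint64 start_, uint64 duration_) {
        require(duration_ > 0, "duration must be > 0"); // avoids division by zero
        start = start_;
        duration = duration_;
    }

    /// @notice Amount of `beneficiary`'s allocation vested at `timestamp`.
    /// @dev Linear schedule, see spec section X.Y (placeholder):
    ///      - before `start`: 0
    ///      - at or after `start + duration`: the full allocation
    ///      - otherwise: allocation * elapsed / duration, rounding down, so a
    ///        few wei of dust stay locked until the schedule completes.
    /// @param beneficiary Account whose schedule is evaluated.
    /// @param timestamp Unix time (seconds) at which to evaluate.
    /// @return vested Vested amount, including tokens already released.
    function vestedAmount(address beneficiary, uint64 timestamp)
        public view returns (uint256 vested)
    {
        uint256 total = totalAllocation[beneficiary];
        if (timestamp < start) return 0;
        if (timestamp >= start + duration) return total;
        return (total * (timestamp - start)) / duration;
    }

    /// @notice Transfers everything currently releasable to the caller.
    /// @dev Effects (`released` update) precede the interaction (token transfer),
    ///      i.e. checks-effects-interactions; the transfer itself is omitted here.
    function release() external {
        uint256 releasable = vestedAmount(msg.sender, uint64(block.timestamp)) - released[msg.sender];
        if (releasable == 0) revert NothingToRelease(msg.sender);
        released[msg.sender] += releasable;
        // token.safeTransfer(msg.sender, releasable); // interaction goes last
    }
}
```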

Additionally, it is recommended to run Slither and other static code analyzers to identify the most obvious vulnerabilities before the audit starts. Instructions on how to use them can be found here.

Nonetheless, some issues are likely to remain unresolved. In such cases, it is necessary to document all incomplete changes in as much detail as possible.

Documentation

Crafting clear and accessible documentation is no less crucial than setting the audit’s objectives. Auditors often handle large volumes of code and may be unfamiliar with your project and its inner workings. Providing clear documentation will significantly streamline their process of understanding your protocol.

  • Fundamental Description. Provide a comprehensive overview of the product, its functionalities, and its interactions with other components. This will aid in understanding the protocol’s operational principles and potential vulnerabilities.
  • Code Comments. Incorporate comments into your code. Functions should have comments briefly explaining their functionality. For complex code segments, provide more detailed comments elucidating the underlying processes and justifying the chosen approach.
  • Document and Describe Conducted Tests. Provide a comprehensive overview of the tests performed to evaluate the product’s functionality and security. Include the testing methodologies employed, the tools utilized, and the outcomes and conclusions drawn from each testing phase.
  • Previous Audit Reports. If this is not the first security assessment, mention it and attach documentation of previously identified vulnerabilities. The audit team can then verify that past issues were valid and have been remediated.

Ensure that the project documentation and code specifications provided to auditors are up-to-date, free from outdated provisions and ambiguous interpretations. Regularly update the documentation in accordance with changes to the project and code to avoid misunderstandings and ensure audit transparency.

Engaging with the Auditor Team

To facilitate timely feedback and responses from auditors, it is crucial to establish a communication channel that is convenient for both parties. Auditors often need to ask clarifying questions to developers about the codebase and business logic, especially when dealing with complex technological solutions.

  • Assign a technical expert to address auditors’ questions. This individual should be deeply involved in the development process and possess a comprehensive understanding of the project’s technical intricacies.

Auditors’ efforts will be significantly more effective if you share the direction in which you intend to develop your project and the functionalities you plan to add in the future. This will enable auditors to identify more relevant attack vectors.

Brief Checklist

Using this checklist can help you quickly check and assess your project’s readiness for a smart contract audit:

  1. Defining Audit Objectives
  2. Resolving Simple Issues
    • Code comments
    • Unit testing
    • Local build and deployment
    • Function and variable names
    • Unused code elements
    • Third-party development tools
  3. Documentation
    • Fundamental description
    • Code commenting
    • Documentation of conducted tests
    • Reports from previous audits
  4. Engaging with the Auditor Team
    • Technical expert assignment

Pre-Audit Service

Before conducting an audit, we can perform a pre-audit of your project. As a result, we will provide feedback on how well the project is prepared for the main audit and report any problems and vulnerabilities found.

This will help to reduce the time of the main audit, reduce the number of problems and improve the quality of the code.

About OXORIO

OXORIO is a team of experienced professionals providing smart contract audit, ZK-proof audit, and security consulting services.

With over 10 years of experience in blockchain development and 5 years of smart contract auditing, OXORIO offers comprehensive support to projects at any stage of development.

Since 2021, the company has conducted high-level security audits for a number of well-known DeFi projects, including Lido, 1Inch, Rarible, and deBridge.
