Security Review Guide

This blog article provides a guide on how to prepare smart contract and protocol security reviews, covering stages of system design, the importance of development team understanding, and guidelines for achieving review readiness, including quality assurance, code freeze, test coverage, peer code review, checklists, and automated code analysis.

June 19, 2024

At audit firms, reputation is based on conducting thorough smart contract and protocol security reviews. This guide focuses on Security Review Readiness, detailing how protocols can prepare their codebase, technical documentation, resources, and communication structure to streamline the security review process and maximize potential results.

Protocol’s Lifecycle and Security Research Needs

Stage-Dependent Security Needs:

  1. Early Stages of System Design:
    • Focus: Architecture review, not code review.
    • Action: Evaluate high-level design and potential security weaknesses.
  2. During the MVP:
    • Focus: Preliminary reviews by one or two researchers.
    • Action: Conduct "solo reviews" to identify early-stage vulnerabilities.
  3. Frozen Feature Set without Solid Test Coverage:
    • Focus: Enhancing test coverage before a full review.
    • Action: Engage a security researcher with expertise in fuzzing to improve automated code coverage.
  4. Preparation for Mainnet Launch:
    • Focus: Comprehensive third-party security review.
    • Action: Ensure the protocol is fully prepared for a detailed review.
  5. Post-Refactor or Incremental Feature Addition:
    • Focus: Solo/pair reviews, public competitions, or team security reviews.
    • Action: Assess the protocol's readiness for review and address any identified issues.

General Consideration: The development stage dictates distinct security needs. Engaging security researchers before the protocol is fully review ready is still beneficial; the aim is a bug-free protocol before going live.

Defining 'Review Ready' in Protocol Development

Understanding the Diversity in Development Teams: Development teams vary in size, skill sets, and resources. There is no universal checklist for 'Review Ready.' The primary indicator is that the protocol team has exhausted everything within its capacity to identify and eliminate bugs.

Guidelines to Achieve Review Readiness

Understanding QA and QC in Project Management:

  • Quality Assurance (QA): Prevent issues through proactive steps and established processes.
  • Quality Control (QC): Detect and address issues in the developed protocol.

Quality Assurance (Prevention)

A. System Specification

  1. Importance:
    • Prevent vulnerabilities early.
    • Provide clear guidance for testers and reviewers.
  2. Advantages:
    • Easier to revise than implemented systems.
    • Encourages thorough and simplified protocol design.
  3. Tools and Techniques:
    • Plain English: Describe functionality clearly.
    • State Machines: Visualize states and transitions.
    • Diagramming: Map architecture and workflow.
    • NatSpec: Document code and interfaces.
    • Placeholder Tests: Identify failures early.
    • Formal Definitions: Ensure precision and reduce ambiguity.

B. Removing Attack Vectors

  1. Principle of Elimination:
    • Remove attack vectors entirely rather than just fortifying them.
  2. Example - Admin Key Management:
    • Eliminate admin-level privileges where possible; an admin account that does not exist needs no securing.

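As an added illustration of the principle above (example code, not from the article): the same fee-taking vault written twice, once with an owner key that can change the fee parameters at any time, and once with the parameters fixed at deployment so that there is no privileged account left to protect. Contract, variable and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article: one vault, two designs.
// All names are hypothetical.

// Version A keeps an owner key. The key itself becomes an attack vector
// that then has to be defended (custody, multisig, timelock, rotation),
// and a reviewer must reason about every state the owner can put the
// contract into.
contract FeeVaultWithAdmin {
    address public owner;
    address public feeRecipient;
    uint256 public feeBps; // fee in basis points (1/100 of a percent)
    mapping(address => uint256) public balances;

    constructor(address _feeRecipient, uint256 _feeBps) {
        owner = msg.sender;
        feeRecipient = _feeRecipient;
        feeBps = _feeBps;
    }

    // Whoever controls `owner` can redirect all future fees and change the
    // rate at will; no bound on `_bps` is enforced here.
    function setFeeParams(address _recipient, uint256 _bps) external {
        require(msg.sender == owner, "not owner");
        feeRecipient = _recipient;
        feeBps = _bps;
    }

    function deposit() external payable {
        uint256 fee = (msg.value * feeBps) / 10_000;
        balances[msg.sender] += msg.value - fee;
        (bool ok, ) = feeRecipient.call{value: fee}("");
        require(ok, "fee transfer failed");
    }
}

// Version B fixes the parameters at deployment and has no owner at all.
// The admin-key attack vector is removed rather than fortified: there is
// no account to secure, and `feeRecipient` / `feeBps` are constants for
// the whole review.
contract FeeVaultImmutable {
    address public immutable feeRecipient;
    uint256 public immutable feeBps;
    mapping(address => uint256) public balances;

    constructor(address _feeRecipient, uint256 _feeBps) {
        require(_feeRecipient != address(0), "zero recipient");
        require(_feeBps <= 1_000, "fee above 10%"); // bound checked once, at deployment
        feeRecipient = _feeRecipient;
        feeBps = _feeBps;
    }

    function deposit() external payable {
        uint256 fee = (msg.value * feeBps) / 10_000;
        balances[msg.sender] += msg.value - fee;
        (bool ok, ) = feeRecipient.call{value: fee}("");
        require(ok, "fee transfer failed");
    }
}
```

The trade-off is that version B cannot change its parameters after deployment. Where a protocol genuinely needs that flexibility, the decision to keep a privileged role belongs in the system specification, together with the controls placed around it, so reviewers can see it was a choice rather than an oversight.
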
C. Identifying Risks

  1. Risk and Threat Assessment:
    • Conduct ongoing threat modeling.
    • Utilize OWASP’s Four Question Framework for guidance.
  2. Practical Activities:
    • Review similar protocol incidents.
    • Conduct internal discussions.
    • Consult security researchers.

D. Refactoring

  1. Advantages:
    • Simplify the system and minimize potential attack surfaces.
    • Refactoring improves protocol safety and clarity.

E. Code Reuse

  1. Don’t Reinvent the Wheel:
    • Use well-tested, peer-reviewed codebases.
    • Prefer established libraries like OpenZeppelin or Solady.

Quality Control (Detection)

A. Code Freeze

  1. Advantages:
    • Stabilizes the codebase for effective bug detection.
    • Halts feature addition to focus on examination.

B. Test Coverage

  1. Importance:
    • Testing is crucial for identifying bugs.
    • Aim for 100% statement and branch coverage.
  2. Comprehensive Coverage:
    • Use system specification as a guide.
    • Incorporate threat modeling in tests.

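The following added example (not code from the article) ties the System Specification items above (NatSpec, placeholder tests, a formally stated invariant) to the Test Coverage guidance in this section: a small vault whose NatSpec states the specification invariant, followed by Foundry tests that encode threat-model cases as fuzz tests, check the invariant after randomized call sequences, and keep a deliberately failing placeholder for a feature the spec requires but the code does not yet have. It assumes Foundry with forge-std; the contract and test names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// @title Minimal ETH vault (added example, not the article's code)
/// @notice Each account may withdraw only what it deposited.
/// @dev Specification invariant I1: address(this).balance == totalDeposits.
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    /// @notice Credits msg.value to the caller.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    /// @notice Sends `amount` wei of the caller's own balance back to the caller.
    /// @param amount Wei to withdraw; reverts with "insufficient" if above the balance.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount; // accounting updated before the external call
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Tests derived from the specification and the threat model.
contract VaultTest is Test {
    Vault internal vault;
    address internal alice = makeAddr("alice");
    address internal bob = makeAddr("bob");

    function setUp() public {
        vault = new Vault();
        targetContract(address(vault)); // invariant runs call deposit/withdraw randomly
    }

    /// Threat-model case: no account can withdraw more than it deposited.
    /// Fuzzed over many value pairs instead of one hand-picked pair.
    function testFuzz_CannotOverdraw(uint96 deposited, uint96 requested) public {
        vm.assume(requested > deposited);
        hoax(alice, deposited); // fund alice and prank the next call
        vault.deposit{value: deposited}();
        vm.prank(alice);
        vm.expectRevert(bytes("insufficient"));
        vault.withdraw(requested);
    }

    /// Threat-model case: one account cannot draw on another account's balance.
    function test_CannotWithdrawAnotherAccountsFunds() public {
        hoax(alice, 1 ether);
        vault.deposit{value: 1 ether}();
        vm.prank(bob);
        vm.expectRevert(bytes("insufficient"));
        vault.withdraw(1);
    }

    /// Specification invariant I1 from the NatSpec @dev line, asserted after
    /// every randomized call sequence the invariant fuzzer generates.
    function invariant_I1_BalanceMatchesAccounting() public {
        assertEq(address(vault).balance, vault.totalDeposits());
    }

    /// Placeholder test: the specification calls for an emergency pause, but
    /// the feature is not written yet. The test exists now so the missing
    /// behaviour is a visible failure in every run, not a forgotten requirement.
    function test_PauseBlocksDeposits() public {
        revert("not implemented: pause must make deposit() revert");
    }
}
```

`forge test` runs the unit, fuzz and invariant tests together, and `forge coverage` reports the statement and branch figures against which the 100% target above is measured; the placeholder stays red until the pause feature lands and the test is replaced with a real one.
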
C. Peer Code Review

  1. Value:
    • Regular feature-by-feature reviews.
    • Comprehensive top-to-bottom codebase reviews.

D. Checklists

  1. Advantages:
    • Ensure thorough coverage by cross-referencing expert checklists.
  2. Timing:
    • Conduct self-assessment before internal peer code reviews.

E. Automated Code Analysis

  1. Effective Use:
    • Identify and rectify vulnerabilities with static and automated tools.
    • Proactive analysis streamlines manual reviews.
  2. Recommended Tools:
    • Slither
    • Mythril
    • 4naly3er
    • Sstan
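
Slither is run from the project root (`slither .`) and reports each finding with its detector name, impact and confidence. The value of the tool comes from fixing each finding or recording a reasoned exception at the line it applies to, then re-running until the report is clean before the manual review begins. As an added example (not code from the article), the contract below shows two patterns that Slither's `tx-origin` and `unchecked-lowlevel` detectors flag, each next to the form the detector accepts, plus one accepted finding annotated in place. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the article. Names are hypothetical.
contract Treasury {
    address public immutable custodian;
    mapping(address => bool) public approvedPayee;

    constructor(address _custodian) {
        custodian = _custodian;
    }

    // Flagged by `tx-origin`: tx.origin is the original transaction signer,
    // so any contract the custodian calls into inherits the custodian's
    // authority here. Authorization must be based on msg.sender.
    function approvePayeeFlagged(address payee) external {
        require(tx.origin == custodian, "not custodian");
        approvedPayee[payee] = true;
    }

    function approvePayee(address payee) external {
        require(msg.sender == custodian, "not custodian");
        approvedPayee[payee] = true;
    }

    // Flagged by `unchecked-lowlevel`: a failed `.call` returns false rather
    // than reverting, so the payment can fail while the transaction succeeds.
    function payFlagged(address payable payee, uint256 amount) external {
        require(msg.sender == custodian, "not custodian");
        require(approvedPayee[payee], "payee not approved");
        payee.call{value: amount}("");
    }

    function pay(address payable payee, uint256 amount) external {
        require(msg.sender == custodian, "not custodian");
        require(approvedPayee[payee], "payee not approved");
        (bool ok, ) = payee.call{value: amount}("");
        require(ok, "payment failed");
    }

    // A finding the team has reviewed and accepted is recorded at the line it
    // applies to, with the reason, so the next run and the external reviewer
    // both see the decision instead of a silent suppression. Here the
    // informational `low-level-calls` finding is accepted because the target
    // is chosen by the custodian and the return value is checked.
    // slither-disable-next-line low-level-calls
    function ping(address target) external {
        require(msg.sender == custodian, "not custodian");
        (bool ok, ) = target.call("");
        require(ok, "ping failed");
    }

    receive() external payable {}
}
```

Keeping the `*Flagged` variants out of the real codebase is the point: after the fix, the two detectors no longer fire, and the only remaining entry in the report is the annotated, explained exception.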

Conclusion

By following the steps and guidelines outlined, your protocol will be prepared for a security review, streamlining the relevant processes for an effective and efficient engagement. Engaging in comprehensive QA and QC processes ensures a robust foundation for security reviews, ultimately enhancing the safety and reliability of your protocol.

TRUSTBYTES