Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.
About us
QuillAudits is a leading web3 cybersecurity firm committed to securing Blockchain projects with our cutting-edge Web3 security solutions.
We provide smart contracts auditing and DApps pen testing services for web3-based, DeFi, and NFT-based gaming projects.
Polkadot Blockchain
Polkadot blockchain protocol is designed to enable
interoperability between different blockchain
networks. It was created by the Web3 Foundation
and is built on Substrate, a blockchain development framework.
Polkadot allows different blockchain networks to
communicate with each other through a shared
security model, allowing them to exchange
information and assets. It also allows developers to
create and customize their blockchain networks with
specific features and functionalities.
The programming language used to write smart
contracts on the Polkadot network supports several
languages, including Rust, C++, and Solidity.
However, the most widely used language is Rust,
which is the primary language used in the
development of Substrate and the Polkadot
ecosystem. Rust is a safe and efficient systems
programming language that enables developers to
write secure and performant smart contracts for
the Polkadot network.Why Do We Need Polkadot Contract Auditing?
⚠️Polkadot smart contract hacks have an average
exploit value of $3 million, emphasizing the need
for a Polkadot smart contract audit.
One notable example of a smart contract hack on
the Polkadot network was the Apron Network attack,
which took place in November 2021. In this attack,
a hacker exploited a vulnerability in the smart
contract code to steal $50 million worth of
cryptocurrencies. The vulnerability was related to
how the smart contract handled the distribution of
rewards to liquidity providers.
Another example was the recent hack on the Karura
network, which is built on the Polkadot ecosystem
that allowed a malicious hacker to steal $200 million
worth of crypto leveraging the smart contract vulnerabilities
lying in the handling of loans and collateral.
These hacks demonstrate the importance of smart contract audits
and the need for continuous testing and monitoring of smart contracts
to ensure their security and reliability.💭Connecting with you You must have been added to a closed group with
the Auditing Team by this time. You would be
connected with the Project Manager and the
Auditors through this dedicated channel during the
process for collaboration and instant resolution.
At any point, if you face any query or find a need
to discuss anything - we are just a message away!Audit Process
Things We Cover in the Audit Process
Code Review
Smart Contract Architecture Review
Threat Modeling
Checking for Potential Attack Vectors
Checking Runtime Modules
Business Logic Review
Authorization and Access Control
Cross-Contract Interactions
Upgradability and Governance
Reporting and Documentation
We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let's dive deep into it and explore more.
Step 1 - Specification Gathering / Prepare For a Security Audit
This is the most crucial stage because the detail is key for a successful smart contract security audit. Here is how you can prepare for it:
Code quality
• Remove dead code and comments.
• Consistent coding style.
• Follow the Rust (Polkadot) style guide.
Use comments to document complex parts of the code and ensure these are consistent with the code.
Test the code
• Make sure the contracts can be compiled and fully tested.
• Perform high coverage and high-quality unit tests.
This will maximize focus on the difficult parts of the code. Auditing should not discover that some functions are uncallable or do not do what they are expected to do under entirely straightforward inputs. Optimal auditing should focus on unexpected, corner-case, and possibly adversarial behaviour.
Code freeze • Freeze the code and specify the commit hash. Or, deploy the code on testnet and share the link.
After freezing the code, we will gather the specifications from you to know the intended behaviour of the smart contract through the 'Smart Contract Specification' document.
🦋 How can you help?Please ask your developers to fill out the
specification doc - It would help us to understand
& verify the business logic and facilitate confirming
everything thoroughly.Step 2 - Manual Review
Here we would look for undefined, unexpected behaviour and common security vulnerabilities. The goal is to get as many skilled eyes on contract code as possible. Aims of manual review:
Review the smart contract code to ensure it adheres to best coding practices and standards and identify any potential vulnerabilities or bugs in the code.
Conduct a thorough security analysis of the smart contract to identify any potential vulnerabilities or weaknesses that attackers could exploit.
Identifying ways to optimize the smart contract's gas usage to reduce transaction costs and improve efficiency.
Focus on security, attacks, mathematical errors, logical issues, etc.
Check the code for any vulnerabilities that can be exploited.
Step 3 - Functional Testing
Functional testing is essential to the smart contract auditing process, ensuring that the contract functions as intended and meets the specified requirements.
Input Validation: Check whether the contract performs proper input validation to ensure it only accepts valid inputs and rejects invalid or malicious ones.
Contract Behavior: Verify the behaviour of the contract by testing various scenarios and inputs to ensure that it functions as intended and produces the expected outputs.
Function Parameters: Check the function parameters to ensure they match the contract's specifications and requirements and are properly used throughout the code.
State Changes: Verify the state changes within the contract due to various actions or transactions to ensure that they align with the expected outcomes and don't introduce unintended side effects.
Gas Usage: Test the contract's gas usage to ensure it is efficient and optimized to minimize transaction costs and improve performance.
Step 4 - Testing over the Latest Attack Vectors
The substrate is a modular framework for building blockchains, including the Polkadot network. Rust is the primary programming language used to develop Substrate-based blockchains. Substrate-based blockchains are susceptible to security threats and attacks like any other software system.
Reentrancy Attacks
Integer Overflow/Underflow
Access Control Vulnerabilities
Denial of Service (DoS) Attacks
Lack of Input Validation
Malicious Code Injection
Time-Dependent Attacks
Front-running
Step 5 - Testing with Automated Tools
Testing with automated tools is essential to catch those bugs that humans miss. Some of the tools we would use are (based on the requirement/auditor preference, we use specific tools) :
Cargo-audit
RustSec
Rust-Analyzer
Step 6 - Initial Audit Report
In the end, we will provide you with a comprehensive report, which we call an Initial Audit Report (IAR):
🦋 How can you help?You have to prepare an 'Updation Summary' or
'Comment Report' carrying details of the changes
you've made after getting the IAR; this would help
us identify the changes and test them rigorously.A comprehensive Audit Report.
Encapsulate details of the audit & solutions to the vulnerabilities (if we found any) in your contracts.
We expect you to resolve the identified bugs & make suitable changes to the code, or we will connect with development partners for issues fixing.
Note - Please acknowledge that we start the Audit Process once the Audit Scope is frozen ( commit hash or explorer link ). If you make any changes to the code between the process, we can check the updated code only after delivering the Initial Audit Report. We cannot abort the process in between and start working on the updated code.
Step 7 - Final Audit Report
After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.
So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) on whether to alter the code again or to move forward as it is.
🦋 How can you help?After getting the Final Audit Report, please notify us
whether we can proceed to prepare the final designed draft
or if you are going to fix the code again.Step 8 - Delivery
After getting the green light from the previous step, we send the report to our designers to generate a PDF version of the Audit Report, displaying all the necessary details of the auditing process.
Sample Audit Report
Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.
Step 9: Post-Audit
After the Final Audit report, we take your project in front of the masses through :
Social Media Announcements
As per your requests, we will make an audit announcement from our social media handles to mark the completion of the audit.
🚧The completion of this step depends on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.
Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners)
AMA Sessions
Expert auditors will explain the nuances of the Audit Report.
Q&A and direct interaction with your audience to build trust in your project.
Niche Targeted PR Services
Articles & guest posts in renowned publications.
Cross-platform promotions to give more exposure to the project.
Organize Product Launches, Community Meetups, etc.
QuillAudits team will help you in your product launch in India.
Set up community meetups, product workshops and web3 events for you.
QuillAudits expert team and partners will handle everything from content creation to marketing, event location, and event coordination.
What Can the Project Team Expect From Us?
Delivery of initial report within the agreed timeline (considering a margin of ±2 days due to unforeseen circumstances).
Reviewing the final version of the code before concluding the audit.
Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.
Publishing audit reports and making post-audit announcements based on agreed-upon terms.
What Do We Expect from the Project Team?
A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.
Structured code following reasonable naming conventions and consistent coding style.
Well-documented contracts/functions and updated whitepaper.
Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.
Reviewing the final report so that QuillAudits can conclude the audit.
Feedbacks
Your feedback helps us to improve and enhance. It helps us inculcate innovations in our services to improve and serve you better.
Join Our Referral Program: Become a Part of Our Quest for Securing Blockchain and Get Rewarded 🥳
Do you know a friend who might need a Smart Contract Audit? 🙋♂️🙋♀️ We have something that you might be super interested in! Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits. Refer anyone looking for an audit, and get up to 15% on each referral.
🚀Click on the link below to get access to exciting offers.
