
QuillAudits Docs

Walk-through: A Journey With Us to Secure Your Starknet Smart Contract

💡 StarkNet is a layer-2 scaling solution for Ethereum that aims to improve the scalability, privacy, and usability of Ethereum-based decentralised applications (dApps). It is being developed by StarkWare, a blockchain technology company that specialises in zero-knowledge proof (ZKP) systems.

StarkNet uses a technology known as Validium, which enables dApps to run off-chain while maintaining the security of the Ethereum mainnet. This means that dApps can benefit from the scalability and transaction throughput of off-chain computation while maintaining the Ethereum network's security and trustworthiness. Furthermore, StarkNet supports privacy-preserving computations via the use of ZKPs, allowing dApps to protect sensitive user data while still providing a transparent and auditable system.

StarkNet provides Cairo, a low-level programming language for writing StarkNet-specific code, as its development kit. Cairo is optimised for zero-knowledge proofs (ZKPs) and is intended to provide a high level of flexibility and efficiency for building complex StarkNet applications.



Why Do Cairo Smart Contracts Need a Security Audit?

💡 Smart contracts, like any other software application, are vulnerable to a variety of security issues that can jeopardise their security, reliability, and performance.

Conducting a thorough security audit is one of the most important steps in developing secure and reliable smart contracts. Security audits are critical for identifying and mitigating potential vulnerabilities and ensuring that smart contracts written in Cairo for StarkNet function as intended.

Some of the most common vulnerabilities that can affect Cairo smart contracts are listed below.


โš ๏ธCairo Smart Contract Vulnerabilities:

  • Reentrancy attacks: where an attacker exploits a vulnerability in the contract code that allows them to repeatedly call the same function before it has completed executing, leading to the loss of funds.
  • Front-running attacks: where an attacker exploits a time delay in the execution of transactions to their advantage, by executing a similar transaction with a higher fee, resulting in a loss of profits or funds for the victim
  • Time manipulation: where an attacker manipulates the time on a smart contract to execute a function at an unintended time, leading to a loss of funds or other unintended consequences.
  • Malicious libraries: where a smart contract uses external libraries that have vulnerabilities or are malicious, leading to a potential loss of control of the contract or funds.
  • Logic errors: These are bugs in the code that allow attackers to exploit unexpected smart contract behavior. For example, an error in a conditional statement could allow an attacker to circumvent certain checks and balances.
  • Reentrancy attacks: occur when an attacker repeatedly invokes a function in a smart contract before the previous invocation has been completed, resulting in unexpected behavior or even financial losses.
  • Overflows and underflows: integers occur when an arithmetic operation produces a number too large or too small to be stored in the available memory. Attackers can use these flaws to manipulate the state of the smart contract.
  • Input validation issues: Issues with input validation occur when the smart contract fails to validate user input properly. Attackers can use these flaws to provide malicious input, jeopardizing the smart contract's security.
  • Insufficient Access Controls: Inadequate access control: These flaws occur when the smart contract properly restricts access to specific functions or data. Attackers can use these flaws to gain unauthorized access to the smart contract.

To mitigate these vulnerabilities, performing thorough security audits on Cairo-written smart contracts before deploying them to production is critical.
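As an added illustration (this is not QuillAudits' code nor code from any audited project), the contract below is written in Cairo 0 syntax and shows how several of the findings above, together with the zero-address, zero-value and event-generation items named later in the audit checklist, look when they are handled in a minimal owner-gated mint function. The storage variable names, the OwnershipTransferred and Minted events, and the mint function itself are assumptions made for the example; the imported modules are the standard StarkWare Cairo 0 common library.

```cairo
%lang starknet

from starkware.cairo.common.cairo_builtins import HashBuiltin
from starkware.cairo.common.math import assert_not_zero
from starkware.cairo.common.uint256 import Uint256, uint256_add, uint256_check
from starkware.starknet.common.syscalls import get_caller_address

// Constructed example contract: storage names, events and the mint
// function are assumptions for illustration, not an audited project.

@storage_var
func owner() -> (res: felt) {
}

@storage_var
func total_supply() -> (res: Uint256) {
}

@storage_var
func balances(account: felt) -> (res: Uint256) {
}

// Operation trail: every state change that matters to users is emitted
// as an event so off-chain monitoring can reconstruct what happened.
@event
func OwnershipTransferred(previous_owner: felt, new_owner: felt) {
}

@event
func Minted(to: felt, amount: Uint256) {
}

@constructor
func constructor{syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, range_check_ptr}(
    initial_owner: felt
) {
    // Zero-address check on the privileged role set at deployment.
    with_attr error_message("Ownable: owner is the zero address") {
        assert_not_zero(initial_owner);
    }
    owner.write(initial_owner);
    OwnershipTransferred.emit(previous_owner=0, new_owner=initial_owner);
    return ();
}

// Access-control guard: reverts unless the caller is the stored owner.
// Omitting this on a privileged entry point is the "insufficient access
// controls" finding from the vulnerability list.
func assert_only_owner{syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, range_check_ptr}() {
    let (caller) = get_caller_address();
    let (current_owner) = owner.read();
    with_attr error_message("Ownable: caller is not the owner") {
        assert caller = current_owner;
    }
    return ();
}

@external
func mint{syscall_ptr: felt*, pedersen_ptr: HashBuiltin*, range_check_ptr}(
    to: felt, amount: Uint256
) {
    assert_only_owner();
    // Input validation: zero-address and zero-value checks.
    with_attr error_message("mint: recipient is the zero address") {
        assert_not_zero(to);
    }
    // Both limbs must be < 2^128; a malformed Uint256 breaks later arithmetic.
    with_attr error_message("mint: amount is not a valid Uint256") {
        uint256_check(amount);
    }
    with_attr error_message("mint: amount is zero") {
        assert_not_zero(amount.low + amount.high);
    }
    // Overflow check: plain felt arithmetic wraps modulo the field prime with
    // no error, so balances are kept as Uint256 and the carry bit returned by
    // uint256_add is asserted to be zero.
    let (supply) = total_supply.read();
    let (new_supply, supply_carry) = uint256_add(supply, amount);
    with_attr error_message("mint: total supply overflow") {
        assert supply_carry = 0;
    }
    let (balance) = balances.read(to);
    let (new_balance, balance_carry) = uint256_add(balance, amount);
    with_attr error_message("mint: balance overflow") {
        assert balance_carry = 0;
    }
    total_supply.write(new_supply);
    balances.write(to, new_balance);
    Minted.emit(to=to, amount=amount);
    return ();
}
```

Each `with_attr error_message` block gives the revert a human-readable reason, which is what a functionality-testing step looks for when a call is expected to fail. Reentrancy is not addressed in this snippet; in Cairo 0 it is usually handled with a storage flag that is set on entry and cleared on exit around any external call.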



Cairo Smart Contract Audit Process

Things We Cover in the Audit Process:

  • Business Logic Review
  • Functionality Checks
  • Access Control & Authorization
  • Escrow manipulation
  • Freezing of a contract
  • Token Supply manipulation
  • User Balances manipulation
  • Data Consistency manipulation
  • Kill-Switch Mechanism
  • Operation Trails & Event Generation

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before we generate the Initial Audit Report. Once your team updates the code, we scrutinise the smart contract again to provide you with the Final Audit Report. Let's dive deep into it and explore more.



Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage, because detail is key to a successful smart contract security audit. Here is how you can prepare for it:


Code quality

Ensure code quality by removing dead code and stale comments, following the Solidity / Rust (Solana) style guide, and using comments to document complex parts of the code. Test the code with high-coverage, high-quality unit tests, ensuring the contracts can be compiled and fully tested.


Code freeze

Freeze the code, specify the commit hash, or deploy the code on testnet and share the link. After freezing the code, gather the specifications from the development team to know the intended behavior of the smart contract through the 'Smart Contract Specification' document.



Step 2 - Manual Code Review

Manual review is a critical step that involves looking for undefined or unexpected behaviour and a wide variety of security vulnerabilities.

Aims of manual review:

  • Focus on security, attacks, mathematical errors, logical issues, etc.
  • Check the code for any vulnerabilities that can be exploited.
  • Verify that every detail in the specification is implemented in the smart contract.
  • Verify that the contract does not have any behavior that is not stated in the specifications.
  • Verify that the contract does not violate the originally intended behavior of specifications.

Step 3 - Functionality Testing

🐛 In this step, the smart contract will be manually deployed in a sandbox environment, and smart contract functions will be tested on multiple parameters and under multiple conditions.

This phase is intended to verify the intended behavior of the smart contract and ensure that smart contract functions are not consuming unnecessary gas. Gas limits of functions will be verified in this stage.



Step 4 - Testing over Latest Attack Vectors


QuillAudits researches newly discovered attacks and tries to replicate them to ensure the project is safe from those attacks. Attack vectors could include:

  • Re-Entrancy
  • Exposing unwanted external functions
  • View Functions that modify the state
  • Missing Pausing functionality
  • Signature Replay Attacks
  • Storage Variable Name Clashing
  • Interacting with Arbitrary Tokens
  • Missing Zero Address Checks
  • Missing Zero Value Checks
  • Toolchain and Best Practices
    • Use standard and/or reputable and tested libraries
    • Use up-to-date Cairo versions
  • Upgradable Contracts
    • Deployment check of your implementation contract
  • Oracles
    • Price Feeds
    • Pseudo Random Number Generators
  • Logic Flaws
  • Frontrunning
  • Governance Attacks
  • Denial of Service (DoS)

Step 5 - Testing with Automated Tools

Tools We Use

  • Protostar
  • Nile
  • Pytest
  • Starknet-devnet
  • StarkNet
  • Ape Worx
  • Starknet-py

Step 6 - Initial Audit Report

QuillAudits provides the project team with a comprehensive report called the Initial Audit Report (IAR). The report contains details of the audit and recommendations for any vulnerabilities found in the smart contract.

The development team is expected to resolve the identified bugs and make suitable changes to the code. If necessary, QuillAudits will work with the development partners on fixing the issues.


🦋 How can you help?

After receiving the IAR, you have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made; this helps us identify the changes and test them rigorously.



Step 7 - Final Audit Report

After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.

So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) whether to alter the code again or to move forward as it is.


🦋 How you can help - After getting the Final Audit Report, please notify us whether we can proceed to prepare the final designed draft or you are going to fix the code again.


Step 8 - Delivery

After getting a green light from the previous step, we send the report to our designers, who produce a PDF version of the Audit Report and present everything in it clearly.

Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.




Step 9 - Post-Audit


Social Media Announcements

As per your requests, we make an Audit Announcement from our social media handles to mark the completion of the Audit.

Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners).

🚧 The completion of this step totally depends on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.


AMA Sessions

  • Expert Auditors Explaining the Nuances of the Audit Report
  • QnA and Direct Interaction with Your Audience to Build Trust in Your Project

Niche Targeted Marketing/PR Services

  • Articles & Guest Posts in Renowned Publications.
  • Cross-Platform Promotions to Give More Exposure to the Project.

Organizing Product Launches, Community Meetups, etc.

  • QuillAudits team will help you in your product launch in India.
  • Set up community meetups, product workshops and web3 events for you.
  • QuillAudits expert team and partners will take care of everything from content creation to marketing and event location to event coordination.


What Can the Project Team Expect from Us?

  • Delivery of the initial report within the agreed timeline (allowing a margin of ±2 days for unforeseen circumstances).
  • Reviewing the final version of the code before concluding the audit.
  • Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.
  • Publishing Audit Reports and Making Post Audit Announcements based on agreed-upon terms.

What Do We Expect from the Project Team?

  • A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.
  • Structured code following reasonable naming conventions and consistent coding style.
  • Well-documented contracts/functions and updated whitepaper.
  • Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.
  • Reviewing the final report so that QuillAudits can conclude the audit.


Feedback

Your feedback helps us improve and enhance our services, so that we can innovate and serve you better.

Please click here to provide your valuable feedback - Feedback Link


🦋 Survey - Kindly provide your valuable inputs by filling out the survey form to aid us in understanding the current DeFi & NFT market better. It would help us to improve upon our methodology for smart contracts security. Survey Link


Join Our Referral Program: Become a part of our quest for Securing Blockchain and Get Rewarded 🥳

💡 Do you know a friend who might be in need of a Smart Contract Audit? 🙋‍♂️🙋‍♀️

We have something that you might be super interested in!

Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits.

Refer anyone looking for an audit, and get up to 15% on each referral. Click on the link below to get access to exciting offers. 🚀

https://bit.ly/3hqN6ZM


