
QuillAudits Docs

Walk-through: A Journey With Us to Secure Your Wallet

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.


About us

QuillAudits is a leading web3 cybersecurity firm committed to securing Blockchain projects with our cutting-edge Web3 security solutions.

We provide smart contracts auditing and DApps pen testing services for web3-based, DeFi, and NFT-based gaming projects.



Why Does Wallet Need Audit?

Millions of dollars have been lost in several widely known breaches of cryptocurrency wallets. Two of the most noteworthy are the Mt. Gox hack in 2014, which led to the loss of about 850,000 bitcoins (worth about $450 million at the time), and the DAO hack in 2016, which resulted in the loss of about $60 million worth of ether. More recently, hackers have stolen large amounts of cryptocurrency in some instances, such as the $3.8 billion stolen in 2022.

A crypto wallet product's security is critical to the safety of users' funds. If a wallet product is not properly secured, it can be vulnerable to a range of attacks, including theft of private keys, unauthorized access to the wallet, and tampering with transactions.

A crypto wallet product security audit is essential in ensuring the safety and security of cryptocurrency assets. As the use of cryptocurrencies has become more widespread, the number of wallet products has increased, making it challenging for users to choose a wallet that is both easy to use and secure. This is where a security audit comes in - it can thoroughly assess a wallet product's security posture, identify vulnerabilities, and provide recommendations for remediation.




💭 Connecting with you

You must have been added to a closed group with the Auditing Team by this time. You will be connected with the Project Manager and the Auditors through this dedicated channel during the process for collaboration and instant resolution. At any point, if you have a query or need to discuss anything, we are just a message away!


Audit Process

Things We Cover in the Audit Process

  • Secure Key Management

  • Authentication and Authorization

  • Secure Communication Protocols

  • Third-party Component Security

  • Key Derivation

  • Access Control

  • Secure Storage

  • Mobile Wallet/Extension Mobile Security

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let's dive deep into it and explore more.

 

Step 1 - Specification Gathering / Prepare For a Security Audit

  • Gather information about the wallet product, such as documentation and source code, to understand its architecture and functionality.

  • The scope of the wallet pentest security audit should be clearly defined in advance. This should include the wallet product under test, any associated mobile applications or web interfaces, and any relevant third-party components.

  • This is the most crucial stage, because details are key to a successful smart contract security audit.

    Here is how you can prepare for it:

    Code quality

    • Remove dead code and comments.

    • Use a consistent coding style.

 

Step 2 - Vulnerability Assessment Test

The vulnerability assessment phase involves testing the wallet product for vulnerabilities. This may include:

  • Testing the authentication and authorization mechanisms to identify any weaknesses or vulnerabilities.

  • Testing the input validation mechanisms to identify potential injection attacks, such as SQL injection or cross-site scripting (XSS) attacks.

  • Testing the key management process to identify any weaknesses or vulnerabilities in the key derivation process or backup key management.

  • Testing the cryptography mechanisms to identify any weaknesses or vulnerabilities in the encryption algorithms or key sizes.

  • Testing the network security measures, such as firewalls or intrusion detection systems (IDSs), to identify potential weaknesses or vulnerabilities.

  • Testing the mobile application or web interfaces to identify potential vulnerabilities or weaknesses in the user interface.

Step 3 - Exploitation Phase

The exploitation phase involves attempting to exploit any identified vulnerabilities. This may include:

  • Attempting to bypass authentication or authorization mechanisms.

  • Attempting to inject malicious code or commands into the wallet product.

  • Attempting to steal sensitive data, such as private keys or transaction data.

  • Attempting to launch denial-of-service (DoS) attacks against the wallet product or associated services.

 

Step 4 - Testing Over Various Attacks

  • Improper Platform Usage

  • Insecure Data Storage

  • Insecure Communication

  • Insecure Authentication

  • Insufficient Cryptography

  • Insecure Authorization

  • Client Code Quality

  • Code Tampering

  • Reverse Engineering

  • Extraneous Functionality

  • Indirect Object Reference

  • Functionality Abuse

  • Business Logic

  • Wallet Seed Phrase Protection

  • Previous attack exploits

  • Transfer of tokens from and in the application

  • Rate Limit Issues and Brute-forcing

 

Step 5 - Testing with Automated Tools

  • Burp Suite

  • Frida

  • Nmap

  • Metasploit

  • Horusec

  • Postman

  • Netcat

  • Nessus and many more.

Step 6 - Initial Audit Report

The reporting phase involves documenting the audit results and providing recommendations for improving the security of the wallet product. This may include:

  • Creating a detailed report outlining the audit findings and recommendations for remediation.

  • Prioritizing the vulnerabilities based on severity and potential impact.

  • Providing guidance on how to address each identified vulnerability, including recommendations for software patches or configuration changes.

  • Delivering the report to the Client Team.

 

🦋 How can you help?

Please ask your developers to fill out the specification doc. It helps us understand and verify the business logic and confirm everything thoroughly.


🦋 How can you help?

You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this helps us identify the changes and test them rigorously.

Step 7 - Final Audit Report

After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.

So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) on whether to alter the code again or to move forward as it is.

 

🦋 How can you help?

After getting the Final Audit Report, please notify us whether we can proceed to prepare the final draft or if you are going to fix the code again.


Step 8 - Delivery

After getting the green light from the previous step, we send the report to our designers to generate a PDF version of the Audit Report, displaying all the necessary details of the auditing process.

Sample Audit Report

Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.

 

Step 9 - Post-Audit

After the Final Audit Report, we take your project in front of the masses through:

Social Media Announcements

As per your requests, we will make an audit announcement from our social media handles to mark the completion of the audit.


🚧The completion of this step depends on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.

  • Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners)

AMA Sessions

  • Expert auditors will explain the nuances of the Audit Report.

  • Q&A and direct interaction with your audience to build trust in your project.

Niche Targeted PR Services

  • Articles & guest posts in renowned publications.

  • Cross-platform promotions to give more exposure to the project.

Organize Product Launches, Community Meetups, etc.

  • QuillAudits team will help you in your product launch in India.

  • Set up community meetups, product workshops and web3 events for you.

  • QuillAudits expert team and partners will handle everything from content creation to marketing, event location, and event coordination.

 

What Can the Project Team Expect From Us?

  • Delivery of initial report within the agreed timeline (considering a margin of ±2 days due to unforeseen circumstances).

  • Reviewing the final version of the code before concluding the audit.

  • Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.

  • Publishing audit reports and making post-audit announcements based on agreed-upon terms.

     

What Do We Expect from the Project Team?

  • A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.

  • Structured code following reasonable naming conventions and consistent coding style.

  • Well-documented contracts/functions and updated whitepaper.

  • Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.

  • Reviewing the final report so that QuillAudits can conclude the audit.

 

Feedback

Your feedback helps us improve and innovate in our services so that we can serve you better.

 

Join Our Referral Program: Become a Part of Our Quest for Securing Blockchain and Get Rewarded 🥳

Do you know a friend who might need a Smart Contract Audit? 🙋‍♂️🙋‍♀️ We have something that you might be super interested in! Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits. Refer anyone looking for an audit, and get up to 15% on each referral. 

🚀Click on the link below to get access to exciting offers.

https://bit.ly/3hqN6ZM


Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!
