This repository provides a comprehensive checklist and a set of tools to help you audit the security of Solidity smart contracts. It aims to assist developers, auditors, and security researchers in identifying common vulnerabilities and best practices when reviewing smart contract code.
The checklist covers various aspects of smart contract security, including:
- Reentrancy vulnerabilities
- Integer overflow/underflow
- Unchecked external calls
- Access control issues
- Input validation and sanitization
- Randomness and timestamp dependence
- Gas optimization
In addition to the checklist, the repository includes:
- Code snippets demonstrating vulnerabilities and their fixes
- Recommendations for automated security analysis tools
- Step-by-step usage instructions
- Real-world case studies and lessons learned
- Community engagement and discussion platform
- Additional resources for smart contract security
Whether you're a developer looking to ensure the security of your smart contracts or an auditor conducting a thorough security review, this repository provides a structured and comprehensive approach to identifying and mitigating potential vulnerabilities.
Join our community, contribute your own findings and experiences, and together, let's enhance the security of the Solidity smart contract ecosystem!
- Security Audit Checklist
- Vulnerability Code Snippets
- Automated Security Analysis Tools
- Usage Instructions
- Case Studies
- Community Engagement
- Security Practices Beyond Solidity
- Additional Resources
- Contributing
This section provides a comprehensive checklist categorized by vulnerability types, explaining the importance of each check and the associated risks.
- Reentrancy Vulnerabilities
- Integer Overflow/Underflow
- Unchecked External Calls
- Access Control
- Input Validation and Sanitization
- Randomness
- Timestamp Dependence
- Gas Optimization
Reentrancy vulnerabilities occur when external contracts are allowed to make recursive calls back into the vulnerable contract before the original transaction is completed. This can lead to unexpected behavior and the draining of funds.
- Check for untrusted external contract calls
- Ensure state updates happen before external calls
- Use reentrancy guards or checks-effects-interactions pattern
Integer overflow and underflow vulnerabilities happen when arithmetic operations result in a value that is outside the range of the integer type. This can lead to incorrect calculations and unexpected behavior.
- Use SafeMath or similar libraries for arithmetic operations
- Validate input values to prevent unexpected overflows/underflows
Unchecked external calls can lead to failures if the external contract reverts or runs out of gas. It's important to handle these situations gracefully.
- Check the return value of external calls
- Handle failures gracefully and avoid assumptions about external contract behavior
Access control vulnerabilities arise when unauthorized users can access sensitive functions or modify critical state variables.
- Implement proper access control mechanisms for sensitive functions
- Use modifiers to restrict access based on roles or permissions
- Avoid using
tx.origin
for authorization
Lack of proper input validation and sanitization can allow attackers to manipulate contract behavior or exploit vulnerabilities.
- Validate and sanitize all user inputs
- Enforce proper constraints on input values
- Use safe string manipulation techniques
Generating true randomness is challenging in blockchain environments due to the deterministic nature of smart contracts. Improper use of randomness can lead to predictable outcomes and vulnerabilities.
- Do not rely on block hash, timestamp, or other blockchain data for randomness
- Use secure and audited random number generation techniques, such as commit-reveal schemes or oracles
Relying on block timestamps for critical logic can be problematic due to the potential manipulation of timestamps by miners.
- Avoid using block timestamps for critical logic
- If timestamps are used, be aware of the limitations and potential vulnerabilities
Inefficient gas usage can lead to high transaction costs and potential out-of-gas exceptions.
- Optimize gas usage to prevent out-of-gas exceptions
- Minimize storage reads and writes
- Use efficient data structures and algorithms
This section provides well-commented code snippets demonstrating vulnerabilities and their fixes. Each code snippet includes a description of the vulnerability, its potential impact, and the recommended mitigation technique.
// Vulnerable contract
contract VulnerableContract {
mapping(address => uint) public balances;
function withdraw() public {
uint amount = balances[msg.sender];
(bool success, ) = msg.sender.call.value(amount)("");
require(success, "Transfer failed.");
balances[msg.sender] = 0;
}
}
// Fixed contract
contract FixedContract {
mapping(address => uint) public balances;
function withdraw() public {
uint amount = balances[msg.sender];
balances[msg.sender] = 0;
(bool success, ) = msg.sender.call.value(amount)("");
require(success, "Transfer failed.");
}
}
In the vulnerable contract, the external call is made before updating the balance, allowing for reentrancy. The fixed contract updates the balance before making the external call, preventing reentrancy.
// Vulnerable contract
contract VulnerableContract {
uint public balance;
function deposit(uint amount) public {
balance += amount;
}
}
// Fixed contract
contract FixedContract {
using SafeMath for uint;
uint public balance;
function deposit(uint amount) public {
balance = balance.add(amount);
}
}
The vulnerable contract is susceptible to integer overflow, while the fixed contract uses the SafeMath library to prevent overflow.
This section lists and describes various automated tools that can aid in security analysis, including their setup instructions, expected output, and result interpretation guidelines.
- Slither: Slither is a Solidity static analysis framework that detects vulnerabilities, suggests optimizations, and provides a suite of tools for smart contract analysis.
- Mythril: Mythril is a security analysis tool that uses symbolic execution to detect vulnerabilities in smart contracts.
- Securify: Securify is a security scanner for Ethereum smart contracts that analyzes contracts for vulnerabilities and provides security insights.
- Solhint: Solhint is a linter for Solidity that provides security, style, and best practice rules for smart contract development.
- Ethlint: Ethlint is a linter for Solidity that identifies security vulnerabilities, coding style issues, and best practice violations.
- Echidna: Echidna is a smart contract fuzzer that generates random transactions to test smart contracts for vulnerabilities and property violations.
- Harvey: Harvey is a fuzzer for Solidity smart contracts that uses coverage-guided techniques to identify vulnerabilities.
- Manticore: Manticore is a symbolic execution tool for analyzing smart contracts and identifying vulnerabilities.
- Mythril (also listed in Static Analysis Tools): Mythril combines symbolic execution with taint analysis and control flow checking to detect a wide range of vulnerabilities.
- For a quick and comprehensive static analysis, use Slither or Securify.
- For in-depth analysis and detecting complex vulnerabilities, use Mythril or Manticore.
- For linting and style checking, use Solhint or Ethlint.
- For testing edge cases and finding property violations, use Echidna or Harvey.
It's recommended to use a combination of tools for a thorough security audit.
This section provides a step-by-step guide on how to effectively use the provided resources, from setting up the environment to reporting findings.
- Install Node.js and npm
- Clone this repository:
git clone https://github.com/iAnonymous3000/solidity-security-audit-checklist.git
- Install the required dependencies:
npm install
- Familiarize yourself with the Security Audit Checklist
- Use the checklist as a reference during your manual code review process
- Check off the items in the Progress Tracker as you complete each section
- Choose the appropriate automated tools based on your needs and the Tool Comparison guidance
- Follow the setup instructions provided for each tool
- Run the tools against your smart contract code
- Analyze the tool output and interpret the results
- Review the code line by line, keeping the checklist items in mind
- Refer to the Vulnerability Code Snippets for examples of vulnerabilities and their fixes
- Document any identified vulnerabilities or potential issues
- Compile a comprehensive report detailing your findings
- Include the identified vulnerabilities, their potential impact, and recommended remediation steps
- Provide the report to the relevant stakeholders for review and action
This section includes real-world examples and case studies from past audits to provide practical insights into smart contract vulnerabilities and their consequences.
The DAO hack was a famous exploit that resulted in the theft of approximately $50 million worth of Ether. The attacker exploited a reentrancy vulnerability in The DAO's smart contract, allowing them to repeatedly withdraw funds before the contract could update its balance.
Lessons learned:
- Reentrancy vulnerabilities can have severe consequences
- Proper access control and state updates are crucial
- Thorough testing and auditing are essential before deploying contracts
The Parity Multisig Wallet hack resulted in the freezing of over $30 million worth of Ether. The attacker exploited a vulnerability in the wallet's initialization function, allowing them to take control of the contract and prevent further access to the funds.
Lessons learned:
- Proper initialization and access control are critical
- Simplicity and modularity can reduce the attack surface
- Regular audits and updates are necessary to address potential vulnerabilities
This section encourages users to share their audit experiences, discuss challenges they encountered, and how they resolved them. It provides a forum or discussion platform where users can interact and learn from each other. Users are encouraged to contribute their own case studies and lessons learned.
- Participate in discussions on our GitHub Discussions page
- Contribute your own case studies and lessons learned by submitting a pull request
This section provides a holistic view of smart contract security by including resources and best practices for operational security, multi-sig wallets, and smart contract upgradeability patterns.
- Operational Security Best Practices
- Gnosis Safe: A Secure Multi-Sig Wallet
- OpenZeppelin Upgrades: Secure Smart Contract Upgradeability
This section provides links to external resources, articles, and guides for further learning about smart contract security.
- Ethereum Smart Contract Security Best Practices
- Solidity Documentation: Security Considerations
- Smart Contract Weakness Classification (SWC) Registry
- Ethereum Foundation Blog: Smart Contract Security
We welcome contributions from the community to help improve and expand this repository. If you have suggestions for additional checklist items, code snippets, or tools, please follow the contribution guidelines below.
- Fork the repository and create a new branch for your contributions
- Ensure your code adheres to the existing style and formatting conventions
- Include clear and concise documentation for any new additions
- Submit a pull request with a detailed description of your changes
- Fork the repository and create a new branch:
git checkout -b my-feature-branch
- Make your changes and commit them:
git commit -m 'Add new feature'
- Push your changes to your forked repository:
git push origin my-feature-branch
- Open a pull request against the main repository
This repository is regularly updated to keep up with the latest security best practices and emerging vulnerabilities. Users are encouraged to watch the repository for updates and check back for the latest versions.
We hope this repository serves as a comprehensive guide and toolset for auditing the security of your Solidity smart contracts. Remember to stay vigilant, keep your knowledge up-to-date, and always prioritize security in your smart contract development process. Happy auditing!