Good question, actually. Since blockchain and Smart Contracts are still quite new concepts, there is no widely recognized standard for testing Smart Contracts (comparable to what the OWASP Testing Guide is for web applications). Therefore, auditors and penetration testers usually rely on a combination of a handful of online resources, write-ups of previous hacks and, mostly, their own experience. This article will provide an insight into the approach we use here at Citadelo when auditing Smart Contracts.
Ideally, we start with a clear assignment, a well-defined scope and some supporting documentation. However, a short information gathering session with the technical lead of the project always proves helpful. Usually, Smart Contracts are only a small building block of a much larger system. During information gathering, we always try to list and understand all of the components and the way they interact, even those that might be out of scope for the given test.
During information gathering there are usually no special tools required. However, there is a useful tool called Solgraph, which often helps us visualize the interactions between the various components of Smart Contracts.
As mentioned at the beginning, there is no complete auditing guide for Smart Contracts yet. However, there are a number of resources which can be useful during an audit.
DASP Top 10 - similar to the OWASP Top 10, DASP lists ten of the most critical Smart Contract vulnerabilities along with illustrative examples and additional references.
Ethereum Smart Contract Best Practices by ConsenSys - besides examples of the most critical known attacks, it contains useful recommendations for Solidity developers as well as additional resources, tools etc.
Smart Contract Security Alliance Best Practices - contains guidelines for companies preparing for a Smart Contract audit, which can be useful for auditors as well.
We have to remember that all data on the blockchain is public (although not always easy to read): the compiled code of Smart Contracts, the contents of all variables and all transactions, successful and unsuccessful. This can be a privacy issue, depending on the data in question. Besides that, there is a whole range of other blockchain peculiarities that need attention during the audit, from key management to kill switch scenarios and controlled fund transfers.
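To make the point about variable contents concrete, here is an added Python example (not Citadelo's code) that models how Solidity packs value-type state variables into 32-byte storage slots and decodes a constructed storage dump of the kind any node returns for any contract; the contract layout, the dump values and the variable names are assumptions made for illustration.

```python
# Added example, not from the original article. Solidity stores state
# variables in 32-byte slots in declaration order, packing small values
# together, and every slot is readable by anyone through a node RPC
# (e.g. web3.py: w3.eth.get_storage_at(contract_address, slot)).
# `private` only limits access from other contracts, not from RPC clients.
# Simplified model: value types only (no mappings, dynamic arrays or structs).

SLOT_BYTES = 32

def storage_layout(variables):
    """variables: list of (name, size_in_bytes) in declaration order.
    Returns {name: (slot, byte_offset_from_right, size)}: a variable is
    packed into the current slot if it fits, otherwise it starts a new one."""
    layout = {}
    slot, used = 0, 0
    for name, size in variables:
        if used + size > SLOT_BYTES:
            slot, used = slot + 1, 0
        layout[name] = (slot, used, size)
        used += size
    return layout

def decode_field(slot_value_hex, offset, size):
    """Extract `size` bytes starting `offset` bytes from the least
    significant end of a 32-byte slot word (as returned by getStorageAt)."""
    word = int(slot_value_hex, 16)
    mask = (1 << (8 * size)) - 1
    return (word >> (8 * offset)) & mask

# Constructed contract declaration order (hypothetical names):
CONTRACT_VARS = [
    ("owner", 20),    # address          -> slot 0, offset 0
    ("paused", 1),    # bool             -> slot 0, offset 20 (packed)
    ("fee", 8),       # uint64           -> slot 0, offset 21 (packed, 29 bytes used)
    ("secret", 32),   # bytes32 private  -> does not fit, gets its own slot 1
    ("balance", 32),  # uint256          -> slot 2
]

# Constructed storage dump keyed by slot; hex words exactly as an RPC returns them.
STORAGE_DUMP = {
    0: "0x" + "00" * 3 + "0000000000000064" + "01" + "ab" * 20,  # fee=100, paused, owner
    1: "0x" + "deadbeef".ljust(64, "0"),                        # the "private" secret
    2: "0x" + "%064x" % 10**18,
}

def read_variable(name):
    """Locate a variable by name and decode it from the dump."""
    slot, offset, size = storage_layout(CONTRACT_VARS)[name]
    return decode_field(STORAGE_DUMP[slot], offset, size)
```

The same `storage_layout` lookup tells an auditor which slot to request from a live node when checking whether a contract keeps anything sensitive in state.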
At Citadelo, we are huge fans of blockchain and Smart Contracts. New applications making use of this amazing technology are coming to life almost every day. However, many companies have been burnt by the dangers that always creep behind any new digital paradigm. Our goal at Citadelo is to help innovative companies minimize the chance of being hacked by conducting in-depth security audits of their applications.