Introducing Smart Contract Security Testing Guide
Since the inept of smart contracts, exploits and attacks have always been prevalent in this world of decentralized applications, as can be seen from various sources such as:
Unlike traditional software that can be easily patched, most smart contracts cannot be modified after they are deployed, and allowing the logic of the smart contract to be modified after the deployment may open up rooms for attacks from both external and internal actors. Therefore, security should be one of the highest, if not the top, priorities in the development of smart contracts.
For smart contract developers, it is important to know how to securely implement their smart contracts, and test for the common pitfalls and risks. As for security professionals, having a clear checklist to follow can help standardize the testing methodology, preventing common risks from being overlooked. With these reasons, the Smart Contract Security Testing Guide (SCSTG) is created.
SCSTG is a risk-based guide for smart contract security professionals and developers to use as a reference in the security testing of smart contracts. It describes the characteristics and processes for verifying smart contract security issues in different categories, together with examples of vulnerable contracts or functions, and solutions to resolving the risks from their root causes or mitigating their risks.
The risks are categorized in 9 categories as follows:
1. Architecture and Design
Implementing smart contracts to be secure requires proper architecture and design. This testing category involves the use of compilers, the design of the smart contract calling architecture, and the design of roles and permissions.
2. Access Control
Access control is the imposing of policy by preventing users from acting beyond the scope of their authorized permissions. Improper access control can lead to unauthorized information disclosure, data manipulation or loss, or performing of business functions outside the user’s capability.
3. Error Handling and Logging
Error handling and logging are the keys in making errors in smart contracts traceable, directing the execution flow to the proper path depending on the execution result, allowing the users to know where and how the contract fails, and making it possible to trance the past actions done on the smart contract.
4. Business Logic
Business logic flow in general should be sequential, processed in order, and cannot be bypassed. Business logic vulnerabilities can happen when the smart contract’s legitimate processing flow can be used in a way that has an adverse effect on the users or the smart contract’s owner.
5. Blockchain Data
The usage of data on the blockchain, including the storage, retrieval, and modification, should be done properly to keep the integrity, and sometimes confidentiality, of the data. This includes the risks of on-chain data manipulation such as price manipulation using flash loans.
6. External Components
Smart contracts can be interconnected through the inheritance of the previously developed smart contracts or the calling of functions from other contracts. Usage of insecure external components can cause undesirable or harmful effects if not done properly, such as reentrancy attack.
Mathematical operations on different programming languages and platforms may work differently. The arithmetic operations done in the smart contract should be able to safely handle the whole range of possible values.
8. Denial of Services
Improper contract logic can affect the availability of the contract. It should be made sure that the smart contract can function properly as designed without disruption from internal or external factors.
9. Best Practices
Smart contract can be implemented in various ways, depending on each developer’s style. However, complying with the best practices can improve the code quality of the smart contract, making it cleaner, more readable, or more efficient.
The complete Smart Contract Security Testing Guide (SCSTG) can be viewed here: https://inspex.gitbook.io/testing-guide
Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.