Introducing Smart Contract Security Testing Guide

Smart Contract Security Testing Guide

Since the inception of smart contracts, exploits and attacks have always been prevalent in this world of decentralized applications, as can be seen from various sources such as:

Unlike traditional software that can be easily patched, most smart contracts cannot be modified after they are deployed, and allowing the logic of a smart contract to be modified after deployment may open up room for attacks from both external and internal actors. Therefore, security should be one of the highest, if not the top, priorities in the development of smart contracts.

For smart contract developers, it is important to know how to implement their smart contracts securely and how to test for the common pitfalls and risks. For security professionals, having a clear checklist to follow can help standardize the testing methodology, preventing common risks from being overlooked. For these reasons, the Smart Contract Security Testing Guide (SCSTG) was created.

SCSTG is a risk-based guide for smart contract security professionals and developers to use as a reference in the security testing of smart contracts. It describes the characteristics of, and the processes for verifying, smart contract security issues in different categories, together with examples of vulnerable contracts or functions, and solutions for resolving the risks at their root causes or mitigating them.

The risks are grouped into 9 categories as follows:

1. Architecture and Design

Implementing smart contracts to be secure requires proper architecture and design. This testing category involves the use of compilers, the design of the smart contract calling architecture, and the design of roles and permissions.

2. Access Control

Access control is the enforcement of policy by preventing users from acting beyond the scope of their authorized permissions. Improper access control can lead to unauthorized information disclosure, data manipulation or loss, or the performing of business functions outside the user’s capability.

3. Error Handling and Logging

Error handling and logging are key to making errors in smart contracts traceable, directing the execution flow to the proper path depending on the execution result, allowing users to know where and how the contract fails, and making it possible to trace the past actions done on the smart contract.

4. Business Logic

Business logic flow in general should be sequential and processed in order, and it should not be possible to bypass it. Business logic vulnerabilities can happen when the smart contract’s legitimate processing flow can be used in a way that has an adverse effect on the users or the smart contract’s owner.

5. Blockchain Data

The usage of data on the blockchain, including storage, retrieval, and modification, should be done properly to keep the integrity, and sometimes the confidentiality, of the data. This includes the risks of on-chain data manipulation such as price manipulation using flash loans.

6. External Components

Smart contracts can be interconnected through the inheritance of previously developed smart contracts or the calling of functions from other contracts. Usage of insecure external components, or usage that is not done properly, can cause undesirable or harmful effects, such as a reentrancy attack.

7. Arithmetic

Mathematical operations in different programming languages and on different platforms may work differently. The arithmetic operations done in the smart contract should be able to safely handle the whole range of possible values.

8. Denial of Services

Improper contract logic can affect the availability of the contract. It should be ensured that the smart contract can function properly as designed without disruption from internal or external factors.

9. Best Practices

Smart contracts can be implemented in various ways, depending on each developer’s style. However, complying with the best practices can improve the code quality of the smart contract, making it cleaner, more readable, or more efficient.

The complete Smart Contract Security Testing Guide (SCSTG) can be viewed here: https://inspex.gitbook.io/testing-guide

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services of the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co
