80 - Audit Process
The audit process can be thought of as the following ten steps:
- Read specification/documentation of the project to understand the requirements, design and architecture
- Run fast automated tools such as linters or static analyzers to investigate common Solidity pitfalls or missing smart contract best-practices
- Manual code analysis to understand business logic and detect vulnerabilities in it
- Run slower but deeper automated tools such as symbolic checkers, fuzzers or formal verification analyzers, which typically require formulation of properties/constraints beforehand, hand-holding during the analyses and some post-run evaluation of their results
- Discuss (with other auditors) the findings from above to identify any false positives or missing analyses
- Convey status to the project team and clarify open questions on business logic or the threat model
- Iterate the above for the duration of the audit, leaving some time for report writing
- Write report summarizing the above with details on findings and recommendations
- Deliver the report to the project team and discuss findings, severity and potential fixes
- Evaluate fixes from the project team and verify that they indeed remove the vulnerabilities identified in findings.
- Read Spec/Docs
- Fast Tools
- Manual Analysis
- Slow/Deep Tools
- Discuss Findings
- Convey Status
- Iterate
- Write Report
- Deliver Report
- Evaluate Fixes