Specification describes in detail what (and sometimes why) the project and its various components are supposed to do functionally as part of their design and architecture.
- From a security perspective, it specifies what the assets are, where they are held, who are the actors, privileges of actors, who is allowed to access what and when, trust relationships, threat model, potential attack vectors, scenarios and mitigations.
- Analysing the specification of a project provides auditors with the above details and lets them evaluate the assumptions made and indicate any shortcomings
- Very few smart contract projects have detailed specifications at their first audit stage. At best, they have some documentation about what is implemented. Auditors spend a lot of time inferring specification from documentation/implementation which leaves them with less time for vulnerability assessment.
- What/Why/Requirements/Design
- Assets/Actors/Trust/Threat
- Assumptions/Shortcomings
- Infer: Lost Time