A Detailed Introduction to Fairyproof’s Audit Procedure

When it comes to smart contract audits, the audit procedure is always something you need to know. In today’s article, we’d like to give you…

When it comes to smart contract audits, the audit procedure is always something you need to know. In today’s article, we’d like to give you a clearer picture of the audit procedure of Fairyproof.

Generally, in a Fairyproof’s audit report for a project, how the project is audited is illustrated in detail. A Fairyproof’s standard audit procedure contains two sub-procedures: a routine audit conducted by Fairyproof’s automatic audit systems, and a manual audit conducted by Fairyproof’s engineers.

In the previous articles, we emphasized that smart contracts are quite different from industrialized products that are manufactured on modern assembly lines. Smart contracts are manually written by human beings. If a project is assigned to two engineers to implement, they each would very likely implement it in his/how own way. The qualities of the two implementations may be dramatically different. And these differences in qualities may come with potential risks or issues.

In the early days, most of these risks or issues had to rely on audit engineers’ manual work to find out. Although the find-out work for every audit had to be done manually by human beings there were some commonalities among this work and these commonalities could be taken out, standardized, and trained to be done by automatic systems. This leads to the development of automatic systems or tools that can be used to do audits.

From our point of view, applying various automatic systems or tools in an audit can greatly improve an audit’s efficiency and mitigate risks or issues that may be missed or overlooked by human beings. However, using automatic systems or tools can merely find standard risks or issues but barely work for particular or specific risks or issues. These particular or specific risks or issues often cause much larger losses or damage to both a project and its users. Thus, engaging engineers in manually auditing a project after using tools to audit it is a must-have procedure. It not only serves as a procedure to fathom particular or specific risks or issues but also serves as a final check to ensure risks or issues that automatic systems or tools miss could be discovered.

Today we rely on both automatic systems and manual work to perform an audit, and this is how Fairyproof came up with the aforementioned procedure to perform an audit. Fairyproof considers both as equally important

With regard to the development of automatic systems or tools, Fairyproof has been working hard and striving to apply cutting-edge technologies in developing systems and tools to help improve automatic audit’s efficiency and accuracy.

Although there are quite a few open-source tools and utilities in existence, most of them are still immature, ineffective, and inefficient to be used out of the box. We researched popular tools and utilities such as Security, Mythril, Oyente, ECF, Maian, Lem, etc, and found that there was still much room to improve their usability and user experience. As a result, we developed our own tools and utilities based on them and keep working to refine them with continuous iterations.

To make audit work standardized and automatic is not only a trend in the blockchain security industry but also a bottleneck that every security company is striving to fix. Fairyproof will keep putting endless efforts in the area and establish a more solid framework and infrastructure for automatic audit.

Besides using automatic systems and tools to do audits, Fairyproof also keeps enrolling and training engineers to build its capability in manual audit and aims to grow and build a strong technical team of security experts and professionals.

Doing a manual audit is not only a step to discover risks or issues that may be missed by automatic audit but also helps accrue experience and findings that can hardly be learned by automatic systems and tools but greatly help discover particular risks of issues. These accrued experience and findings can be organized and input into Fairyproof’s systems and tools and can be used to train them to be more intelligent, efficient, and effective. Therefore, a manual audit is not only a key step in an audit but also a key component in Fairyproof’s overall audit system.

A manual audit is performed by engineers and is hard to standardize since every engineer has his/her own logic and thinking and does an audit in his own way. Hence, it happens quite often that when two engineers audit the same project, one may discover particular or specific risks or issues the other may not. Then how to fully engage an engineer’s creative thinking in auditing a project and avoid risks or issues being missed due to his/her biased thinking is a big challenge that a manual audit has to deal with.

Fairyproof tackles this challenge by applying both a uniform audit benchmark to guide engineers to discover risks or issues as many as possible and a peer audit that needs to be conducted by at least two engineers for a project.

A uniform audit guideline is made to guide engineers to audit a project such that no severe risks or issues would be missed and as many risks or issues could be discovered efficiently and effectively. This ensures engineers who audit a project are on the same page and will work towards the same goal and in the correct direction.

Even under a uniform audit guideline, different engineers may still make mistakes and cannot cover every corner that may hide risks or issues. Then a peer audit comes into play

A peer audit is a process that is applied to a project but needs to be carried out by at least two engineers, i.e., these engineers will be assigned to audit the same project individually and each will need to summarize his/her own findings. Eventually, the findings collected from all these engineers form a final audit report.

By doing a peer audit, collective intelligence is played out such that risks, or issues could be discovered as many as possible.

This whole procedure is how Fairyproof utilizes all available resources to conduct a complete audit for a project.

About the author:

Yuefei TAN, CEO of Fairyproof

About Fairyproof:

Fairyproof Tech is a blockchain security company, established in Jan 2021.

It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.

The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.

Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.