How Fairyproof Categorizes Risks or Issues in an Audit Report?
In general, when an auditor audits a project, he/she assesses and marks the severity of each issue or risk discovered, so that the audited project’s team can take action accordingly to fix these issues or risks, and so that readers of the audit report get a clear view of the overall quality of the project with respect to its security level. This is especially important for a reader who may intend to invest in the project after reading the severities of these discovered issues or risks.
As a security audit company, Fairyproof classifies issues or risks discovered in an audited project into five categories: critical, high, medium, low, and neutral.
An issue categorized as “critical” has the highest priority and should be fixed as soon as possible.
An issue categorized as “high” has the second-highest priority and will probably bring problems and should be fixed.
An issue categorized as “medium” could potentially bring problems and should eventually be fixed.
An issue categorized as “low” is a minor detail or warning that can remain unfixed but would be better fixed at some point in the future.
An issue categorized as “neutral” is not an issue or risk but a suggestion for code improvement.
Whenever an issue or risk is discovered and marked as one of the five categories during an audit, Fairyproof will list it and communicate with the project team. For a risk of critical or high severity, Fairyproof will urge the project team to do a due diligence check and fix it as soon as possible. For a risk of medium or low severity, Fairyproof will work with the project team and propose a plan to fix it in the near term if the team doesn’t have enough resources to fix it right away. For an issue of neutral severity, Fairyproof will work with the project team and build a long-term plan to fix it if the team for some reason is not able to get it done properly.
When Fairyproof audits a project, it will work closely and communicate frequently with the project team. Whenever issues or risks are discovered, they will be presented to the project team, and Fairyproof will then assist the team in fixing them. After they are fixed, another audit will be started. This iteration is repeated until the project team eventually accepts the project’s overall security level, and a final audit report for the audited project is generated after these iterations.
In Fairyproof’s early audit reports, all the issues or risks discovered were listed, including critical or high-severity risks that had already been fixed during the iterations. Therefore, for a project audited in those early days, if its audit report listed critical or high-severity risks, even though they had been fixed and were marked as fixed in the report, some readers might not notice the details and might think the project had huge risks that were never fixed.
That was not true at all.
In order to avoid this misunderstanding, Fairyproof’s technical team thereafter changed the way critical or high-severity issues or risks are listed in an audit report. If a critical or high-severity risk is discovered in the project but not fixed by the project team, it will be listed in the audit report; otherwise it will not.
Hence, in most of the recent audit reports released by Fairyproof, readers will rarely see critical or high-severity risks listed, since even where some were found, most of them have already been fixed.
This change greatly improves an audit report’s readability and helps readers understand the overall security level of a project more easily after they read its audit report.
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.