How Does Fairyproof Describe a Listed Issue or Risk?
If an auditor discovers issues or risks while reviewing a project, he/she will list them in the audit report for that project. By listing them, the auditor wants, on one hand, the auditee to be aware of them and fix them, and on the other hand wants readers (generally third parties) to go through them and assess the project’s overall security and quality.
Therefore, it is of great importance to describe an issue or risk precisely, so that the auditee can accurately grasp the auditor’s point and find a solution promptly, and readers can easily understand it and form an objective view.
In a Fairyproof audit report, the descriptions of discovered issues or risks are collected in a section titled “Issue descriptions”.
To some extent, for both the auditee and serious readers, this section is the most important section in a whole audit report.
In this section, for each issue or risk, Fairyproof gives it a title, marks its risk severity, names the risk category it belongs to, gives its location in the source code, provides a detailed description of it, presents a recommended solution, and records the status of the issue.
Whenever an issue or risk is discovered, Fairyproof gives it a title. The title is a brief description of the issue or risk, usually just a few words or a simple sentence. Readers can quickly grasp the key point of the issue or risk after reading the title.
Following the title is the risk severity assigned to the issue or risk. The severity can be critical, high, medium, low, or neutral, based on the potential negative impact the issue or risk would have on the project.
After that, Fairyproof assigns a risk category to the issue or risk. Based on Fairyproof’s extensive experience, we have compiled a list of risk categories together with typical solutions for each. By assigning a risk category to an issue or risk, we can quickly present a solution from our technical database and help the auditee fix it as soon as possible.
Then Fairyproof gives a detailed description of the issue or risk: its location, which code section causes it, how it could be triggered, why it might be triggered, and what impact it would have on the project if it were left unfixed.
The detailed description of an issue or risk is the most technical part of a Fairyproof audit report. In general, this part is intended for the auditee’s technical team to read and review, so it is written in technical detail such that the auditee can promptly recognize the issue and find a solution to it.
Besides listing an issue or risk, Fairyproof also gives a recommendation for it. In general, this recommendation is Fairyproof’s technical advice or suggested solution, and it will have been tested and verified by Fairyproof’s engineers. Therefore, if the auditee doesn’t have a better solution, this advice or suggested solution should be adopted.
At this point, an initial draft of the audit report is done, but neither the audit nor the audit report is finished.
The draft is presented to the auditee, and Fairyproof expects the auditee to provide feedback on each listed issue or risk, especially on how the auditee will handle it.
For each listed issue or risk the auditee must give feedback and inform Fairyproof of its status. Whether it is fixed or left unfixed, its status is added as “Status” in the detailed description of each issue or risk.
It may take a relatively long time, or even multiple rounds of communication between Fairyproof and the auditee, to pin down a “Status”. This is how Fairyproof works closely with the auditee to fix the issues or risks and eventually arrives at a final audit report.
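To make the layout of an issue entry and the draft-to-final step concrete, here is an added example in Python. It is not Fairyproof’s own tooling and does not come from the original post. It models one entry with the fields listed above, orders entries by severity, and refuses to finalise a report while any issue still lacks a status from the auditee. The Vault.sol findings, line numbers and category names are constructed placeholders for a hypothetical contract, not real audit results.

```python
"""Model of an 'Issue descriptions' entry and the draft -> final report step.
Added example; not Fairyproof's tooling. Every finding below is a constructed
placeholder for a hypothetical Vault.sol, not a real audit result."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    """Risk severities named in the post, ordered by negative impact."""
    CRITICAL = 5
    HIGH = 4
    MEDIUM = 3
    LOW = 2
    NEUTRAL = 1


@dataclass
class Issue:
    """One entry of the 'Issue descriptions' section."""
    title: str             # a few words or one sentence
    severity: Severity
    category: str          # risk category from the auditor's catalogue
    location: str          # file and line range in the source code
    description: str       # which code, how/why it triggers, impact if unfixed
    recommendation: str    # auditor's tested advice or suggested solution
    status: Optional[str] = None  # set only after auditee feedback


def render_issue(index: int, issue: Issue) -> str:
    """Render one issue in the title / severity / category / location /
    description / recommendation / status layout."""
    status = issue.status if issue.status else "Pending auditee feedback"
    lines = [
        f"[{index}] {issue.title}",
        f"Severity: {issue.severity.name.capitalize()}",
        f"Category: {issue.category}",
        f"Location: {issue.location}",
        f"Description: {issue.description}",
        f"Recommendation: {issue.recommendation}",
        f"Status: {status}",
    ]
    return "\n".join(lines)


def issues_without_status(issues: List[Issue]) -> List[str]:
    """Titles of issues for which the auditee has not yet reported a status."""
    return [i.title for i in issues if not i.status]


def render_report(issues: List[Issue], final: bool) -> str:
    """Render the section. A draft may carry unresolved statuses; a final
    report may not, so finalising fails until every issue has feedback."""
    if final:
        missing = issues_without_status(issues)
        if missing:
            raise ValueError(f"cannot finalise, status missing for: {missing}")
    # Most severe first, so readers meet the worst findings at the top.
    ordered = sorted(issues, key=lambda i: i.severity.value, reverse=True)
    header = "Issue descriptions (final)" if final else "Issue descriptions (draft)"
    body = "\n\n".join(render_issue(n, i) for n, i in enumerate(ordered, start=1))
    return header + "\n\n" + body


def sample_draft() -> List[Issue]:
    """Constructed placeholder findings for a hypothetical Vault.sol."""
    return [
        Issue("Unbounded loop over depositor list", Severity.MEDIUM,
              "Gas / denial of service", "Vault.sol, lines 40-52",
              "distribute() iterates over every depositor; once the list is "
              "long enough the call exceeds the block gas limit and payouts stop.",
              "Switch to a pull-based claim pattern or cap the batch size."),
        Issue("Pause function has no access check", Severity.CRITICAL,
              "Access control", "Vault.sol, line 88",
              "pause() can be called by any account, so anyone can halt "
              "deposits and withdrawals for all users.",
              "Restrict pause() with an onlyOwner modifier and add a test."),
    ]


if __name__ == "__main__":
    draft = sample_draft()
    print(render_report(draft, final=False))
    for issue in draft:            # simulate the auditee's feedback round
        issue.status = "Fixed"
    print(render_report(draft, final=True))
```

Running the script prints the draft first, with every status shown as pending, and then the final version once each issue has been given a status; calling `render_report(..., final=True)` before that raises, which mirrors the rule that the report is not done until the auditee has responded to every listed issue.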
About the author:
Yuefei TAN, CEO of Fairyproof
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with extensive experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.