How to Understand Audited Files’ Provenance in a Fairyproof’s Audit Report?

Often times when you are reading an audit report, you will certainly find a provenance section. Provenance is one of the key components in…

Often times when you are reading an audit report, you will certainly find a provenance section. Provenance is one of the key components in one audit report. In today’s article, we are going to fathom the meaning behind it.

An audit report is a certificate for the quality of a set of smart contract files after the files are audited.

However, smart contract files are not like common physical products. As intangible as they can be, hence they possess no appearances, shapes or colors, etc. Then when a user reads an audit report for a set of smart contract files how does the user know where these files come from and where they exist？

Most well-known blockchain-based cryptocurrencies such as Bitcoin, Ethereum, etc share a common feature: their source code is open source. Being open-source means their source code is publicly viewable and verifiable.

Most of the projects Fairyproof audited were open-source as well. Quite often the projects’ source files were saved in professional public repositories such as Github, which are publicly readable. The address of such a GitHub repository proves a project’s provenance. If a project’s provenance is listed in its audit report it will help build readers’ confidence in both this project and the report.

A Github repository is not the only way to prove a file’s provenance. In general, there are three kinds of provenance Fairyproof uses for audited project files: files’ GitHub repositories, files’ SHA-256 values, and files’ blockchain addresses. With regard to the provenance in a Fairyproof’s audit report, one, two, or all of the three are widely used.

Github is a well-known public code repository. When a file is saved in Github, each time when it is saved it will be given a globally unique but different version number which is called a commit number. When a file has been changed and saved multiple times multiple commit numbers will be given to these change actions. Therefore, users can trace a file’s change history by tracking its all commit numbers.

When a project team submits its project files together with the files’ Github repository address and a commit number for an audit, the Github repository address and the commit number together establish this project’s tamper-proof provenance which records a specific status at that moment. When the team makes changes to the files thereafter, different commit numbers will be generated and given to these files.

Applying the SHA-256 algorithm to a file to generate an SHA-256 value for the file is another way to record the file’s provenance.

The SHA-256 algorithm takes an input of arbitrary length and outputs a fixed-length result. This fixed-length result will be varied when the input is changed. No two different inputs can generate the same results. When a file is fed as an input to the SHA-256 function, a unique value will be generated for this file. If any changes are applied to the file and the changed file is fed to the SHA-256 function, a different value will be generated. Therefore, an SHA-256 value generated for a file can prove the file’s provenance when the file is submitted for an audit.

The third provenance Fairyproof usually uses in an audit report is a file’s on-chain address. This usually applies to smart contract files that are deployed on a permissionless blockchain.

With regard to a DApp, its smart contract files are deployed on a permissionless blockchain. After they are deployed on a permissionless blockchain they will be tamper-proof. In addition, if they are open-source they will be publicly viewable on that blockchain. In this case, anyone can visit the addresses on the blockchain, where the files are deployed, and check the files which can no longer be modified on-chain. These addresses serve as perfect provenances for these files.

About the author:

Yuefei TAN, CEO of Fairyproof

About Fairyproof:

Fairyproof Tech is a blockchain security company, established in Jan 2021.

It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.

The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, decentralized exchanges, and conducted security audits of multiple projects which have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.

Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.