What Constitutes an Audit Report?
Amateur readers may be a tad perplexed and directionless when they start reading an audit report. In today’s article, we will elaborate on the key elements that make up an audit report to facilitate your understanding.
Like common products, a crypto asset or a DApp has its customers, so its users are entitled to basic expectations about its quality. In general, a physical product carries a government- or third-party-issued certificate to show customers that its quality has passed a recognized inspection. Likewise, a crypto asset or a DApp needs such a certificate.
Even with such a quality inspection process, common products still cannot avoid defects or issues and are often recalled when defects are discovered. A crypto asset or DApp, however, cannot be recalled once it is deployed on-chain and defects or issues are discovered. This means that a quality certificate issued for a crypto asset or DApp is the only evidence that the crypto asset or DApp has received some kind of quality assurance. Such a certificate for a crypto asset or DApp is what we commonly call an audit report.
A crypto asset or DApp is implemented with smart contracts. An audit report for a crypto asset or DApp is a summary of findings written by auditors (usually experienced smart contract professionals from third-party teams) after they conduct an extensive review and thorough analysis of the crypto asset or DApp’s smart contracts.
A smart contract audit report is like a bridge that connects a crypto asset or DApp to its customers. A professional audit report not only helps a crypto asset or DApp’s customers build trust and confidence in its quality but also helps it attract more customers and gain more market share.
A professional audit report should describe, in detail, all the vulnerabilities that may cause potential issues or risks. It is the auditors’ responsibility to discover as many of these vulnerabilities as possible.
Besides discovering the vulnerabilities in smart contracts, the auditors should also consider how to make an audit report readable and understandable, especially for non-professional readers. Furthermore, it is better still if the auditors can make an audit report engaging, so that non-professional readers can catch the report’s key points and form an objective opinion on the project’s quality after they read it.
Based on this understanding, Fairyproof lays out the contents of a smart contract audit report in the following way:
It may contain up to twelve sections:
In the first section, we present detailed information about the audited project, such as a list of its contract files, the provenance of the contract files, a disclaimer, the methodology used by the auditors, and, most importantly, a final comment from the auditee.
Non-professional readers who want to quickly catch the key points of an audit report without digging into too many technical details can read this section alone, without proceeding to the remaining sections.
If readers want to know more about an audited project, they may need to read the following sections.
In the second section, we present a brief summary of Fairyproof such as its home site, background, business cases, products, services, etc.
In the third section, we present an introduction to the audited project’s functions, services, features, business model, tokenomics, etc.
In the fourth section, we present the audited contract files’ functions, services, features, business model, tokenomics, etc.
A key difference between the fourth section and the third section is that the audited contract files (presented in the fourth section) may just be a subset of the whole project (presented in the third section).
In the fifth section, we present what Fairyproof does in the whole audit process, such as what issues are discovered, what suggestions Fairyproof raises, how the project team fixes the issues, etc.
In the sixth section, we present what kinds of issues or risks Fairyproof usually checks during an audit.
In the seventh section, we present the different severity levels Fairyproof uses to categorize the risks or issues that are finally listed in the report. In general, there are four severities: critical, high, medium and low.
In the eighth section, we present what specific vulnerabilities Fairyproof checks and examines based on the features and functions of an audited project. Since every project has its specific features and functions, every project may introduce specific vulnerabilities besides general ones. Therefore, we add this section in an audit report to address a project’s special vulnerabilities.
In the ninth section, we list all the discovered and unfixed issues or risks categorized by their risk severities.
In the tenth section, we list all the discovered and unfixed issues or risks categorized by the contract files to which they belong. This section is optional.
In the eleventh section, we list all the discovered and unfixed issues or risks, and for each of them present the description, our recommendation, and the update/response from the team.
This is the most technical part of the whole audit report.
In the twelfth section, we list additional recommendations, if applicable, for the project team to enhance the project’s overall security, robustness, and maintainability. The recommendations presented in this section don’t address risks or issues but address the project’s overall quality. This section is optional.
This is the whole layout of a smart contract audit report composed by Fairyproof.
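To show how the ninth, tenth and eleventh sections described above derive from one set of findings, here is a small added example (not Fairyproof’s own tooling). It models a finding with the four severity levels from the seventh section and produces the three views: unfixed issues grouped by severity, grouped by contract file, and the per-issue detail entries. The finding identifiers, file names and texts are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    # Numeric order lets us sort so that the most severe issues come first.
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Finding:
    fid: str            # identifier used in the report (constructed here)
    title: str
    severity: Severity
    contract_file: str  # the audited contract file the issue belongs to
    fixed: bool         # True if the team fixed it before the final report
    description: str
    recommendation: str
    team_response: str


# Constructed sample findings; file names and ids are hypothetical.
SAMPLE_FINDINGS = [
    Finding("F-01", "Missing access control on mint", Severity.CRITICAL, "Token.sol",
            True, "Anyone could call mint.", "Restrict mint to an authorized role.", "Fixed"),
    Finding("F-02", "Unchecked transfer return value", Severity.MEDIUM, "Vault.sol",
            False, "Return value of transfer is ignored.", "Use a checked transfer.", "Acknowledged"),
    Finding("F-03", "Floating pragma", Severity.LOW, "Token.sol",
            False, "Compiler version is not pinned.", "Pin the pragma.", "Acknowledged"),
]


def unfixed(findings):
    """Sections 9 to 11 list only issues still unfixed at report time."""
    return sorted((f for f in findings if not f.fixed), key=lambda f: f.severity, reverse=True)


def by_severity(findings):
    """Section 9: unfixed issue ids grouped by severity, most severe group first."""
    groups = defaultdict(list)
    for f in unfixed(findings):
        groups[f.severity.name].append(f.fid)
    return dict(groups)


def by_file(findings):
    """Section 10 (optional): unfixed issue ids grouped by contract file."""
    groups = defaultdict(list)
    for f in unfixed(findings):
        groups[f.contract_file].append(f.fid)
    return dict(groups)


def detail_entries(findings):
    """Section 11: description, recommendation and team response per unfixed issue."""
    return [{"id": f.fid, "severity": f.severity.name, "description": f.description,
             "recommendation": f.recommendation, "response": f.team_response}
            for f in unfixed(findings)]
```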
About the author:
Yuefei TAN, CEO of Fairyproof
About Fairyproof:
Fairyproof Tech is a blockchain security company, established in Jan 2021.
It was founded by a team with rich experience in smart contract programming and network security. The team members participated in initiating a number of draft standards in the Ethereum field, including ERC-1646, ERC-2569, ERC-2794, and EIP-3712, of which ERC-2569 was officially accepted by the Ethereum team.
The team participated in the launch and development of various Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage, and decentralized exchanges, and conducted security audits of multiple projects that have been deployed on Ethereum. Based on its strong R&D capability and deep understanding of smart contract security, Fairyproof has developed comprehensive vulnerability tracking and security systems and tools.
Fairyproof Tech serves and works closely with customers by providing systematic solutions covering both “code vulnerabilities” and “logic vulnerabilities” and aims to provide customers with the best and most professional services.