Navigating a CertiK Security Audit

CertiK | Aug 18, 2021

The first time you open a crypto security audit on the CertiK Security Leaderboard, the report can look daunting and confusing, more like hieroglyphics than the essential DYOR asset it is.

Whether it’s a security audit report of your favorite ERC20 token, an intricate DeFi audit, or a look into the security of your go-to NFT platform, we’re here to help you navigate any CertiK audit like a champ.

What is a CertiK Audit?

A security audit is an objective review of a particular codebase, most often a set of smart contracts. Its goal is to identify security vulnerabilities, alongside potential gas optimizations and coding-style improvements. Ultimately, audits serve to mitigate smart contract risk.

It’s important to note that an audit has no pass or fail grade. It’s best viewed as an unbiased assessment of the security and coding style of a smart contract at a specific point in time: the audited commit.

Diving In

To access a security audit, head to the Security Leaderboard, find the project whose audit you’d like to review, and open its page. Then select the audit under ‘Audit History’ and hit ‘View PDF’.

You’re in

After scrolling past the title page you’ll see the ‘Table of Contents’, which gives a top-level overview of what to expect in the audit report.

Summary

The summary section defines the following:

  • What is being audited
  • The auditing process
  • The goals of the security audit

Overview

Here, you’ll find the ‘Project Summary’, ‘Audit Summary’, and ‘Vulnerability Summary’. Let’s take a look at each of these in a little more detail:

Project Summary

Project Name: Self explanatory, it’s the name of the project being audited

Description: This is a description of the smart contracts which are undergoing the audit

Platform: Which network the contract is on

Language: The programming language the contract is written in

Codebase: A link to the public repository of the smart contract(s) being audited

Commits: The commit hash(es) identifying the exact version of the code on GitHub that was audited. Anything merged after that commit was not reviewed, so check that the contract you interact with was built from it.

Audit Summary

Delivery Date: The date the audit was published

Audit Methodology: How the audit was performed and which techniques were used

Key Components: The core components of the audit

Vulnerability Summary

This section is pretty important when it comes to assessing the result of an audit.

Here, all vulnerabilities which have been identified in the audit report are displayed. In more recent reports, a table will accompany the breakdown with the number of vulnerabilities and the status of each type.

Types of vulnerabilities

Vulnerabilities are categorized into five severity levels, described below:

Critical

The most urgent type of vulnerability. Critical vulnerabilities pose an immediate and easily exploitable threat to the security of the protocol.

Major

These represent a significant threat to the security of the audited codebase and should be resolved with urgency.

Medium

These may not pose a significant risk to the wider security of the protocol, but a potential attack vector remains.

Minor

Often these do not pose a major risk to the protocol or those who interact with it, but they should be highlighted nonetheless.

Informational

These types of ‘vulnerabilities’ typically relate to coding style or minor gas optimizations and do not, by themselves, pose a threat to the security of the protocol.

Files in scope

Details of which files were covered by the audit. This is particularly important: the findings say nothing about files outside this list, so always ensure the code you’re doing your research on is actually in scope.
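The Commits entry and the Files in scope list together make one concrete check possible: does the code you are about to trust match what was audited? The script below is an added example, not CertiK tooling and not part of the original post. It assumes you have already fetched the in-scope files at the audited commit (from the linked Codebase) and the source the block explorer verified for the deployed contract; the commit hash, file names and Solidity snippets are constructed sample input. It classifies each deployed file as audited unchanged, modified since the audit, or never in scope, and flags in-scope files that are missing from the deployment.

```python
"""Reconcile an audit report's 'Files in scope' list against deployed source.

Added example. Inputs are constructed: a hypothetical audited commit, two
in-scope files, and a deployed set in which one in-scope file gained code after
the audit and one file was never audited at all.
"""
import hashlib
import re
from dataclasses import dataclass

# A full git commit hash is 40 hex characters. A branch or tag name is not an
# acceptable substitute: it can move after the audit, a commit hash cannot.
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def _normalize(src: str) -> bytes:
    """Strip line-ending and trailing-whitespace noise so only real code changes count."""
    lines = src.replace("\r\n", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines).strip().encode()


def source_hash(src: str) -> str:
    return hashlib.sha256(_normalize(src)).hexdigest()


@dataclass
class AuditScope:
    commit: str
    file_hashes: dict  # in-scope path -> hash of that file's content at `commit`


def build_scope(commit: str, audited_files: dict) -> AuditScope:
    commit = commit.strip().lower()
    if not COMMIT_RE.match(commit):
        raise ValueError("report must pin a full 40-hex commit hash, not a branch or tag")
    return AuditScope(commit, {p: source_hash(s) for p, s in audited_files.items()})


def reconcile(scope: AuditScope, deployed_files: dict) -> dict:
    """Classify each deployed file against the audited scope."""
    out = {"audited": [], "modified": [], "unaudited": [], "missing": []}
    for path, src in sorted(deployed_files.items()):
        if path not in scope.file_hashes:
            out["unaudited"].append(path)          # never reviewed
        elif scope.file_hashes[path] == source_hash(src):
            out["audited"].append(path)            # identical to audited commit
        else:
            out["modified"].append(path)           # in scope, but changed since
    out["missing"] = sorted(p for p in scope.file_hashes if p not in deployed_files)
    return out


def is_covered(report: dict) -> bool:
    """True only if every deployed file was audited unchanged and nothing in scope is absent."""
    return not (report["modified"] or report["unaudited"] or report["missing"])


# ---- constructed sample input (hypothetical commit hash and contracts) ----
AUDITED_COMMIT = "0123456789abcdef0123456789abcdef01234567"

TOKEN_AUDITED = """\
pragma solidity ^0.8.0;
contract Token {
    mapping(address => uint256) public balanceOf;
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
"""
# Deployed Token.sol: the audited contract plus a function added after the audit commit.
TOKEN_DEPLOYED = TOKEN_AUDITED.replace(
    "}\n}\n",
    "}\n    function burn(uint256 amount) external { balanceOf[msg.sender] -= amount; }\n}\n",
)
LIB = "pragma solidity ^0.8.0;\nlibrary Math {\n    function min(uint a, uint b) internal pure returns (uint) { return a < b ? a : b; }\n}\n"
VESTING = "pragma solidity ^0.8.0;\ncontract Vesting {\n    uint256 public cliff;\n}\n"

AUDITED_FILES = {"contracts/Token.sol": TOKEN_AUDITED, "contracts/Lib.sol": LIB}
DEPLOYED_FILES = {
    "contracts/Token.sol": TOKEN_DEPLOYED,
    "contracts/Lib.sol": LIB.replace("\n", "\r\n"),  # CRLF only; must still count as audited
    "contracts/Vesting.sol": VESTING,                # not in the report's scope
}


def demo() -> dict:
    return reconcile(build_scope(AUDITED_COMMIT, AUDITED_FILES), DEPLOYED_FILES)


if __name__ == "__main__":
    report = demo()
    for status, paths in report.items():
        print(f"{status:>10}: {paths}")
    print("fully covered:", is_covered(report))
```

On the sample input, Lib.sol is reported as audited despite its CRLF line endings, Token.sol as modified, Vesting.sol as unaudited, and the deployment is not fully covered. A modified or unaudited file is exactly the case the tips at the end of this post warn about: the report may be genuine, but it does not speak for that code.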

Findings

Here is where the vulnerabilities are broken down on a more technical level.

Description: An overview of the vulnerability

Recommendation: Advice from the CertiK team on how to resolve it

Alleviation: How the auditee has resolved it, if at all

Final Comments

There’s a lot to unpack when it comes to security audits, and rightly so. With the rapid growth of crypto, DeFi security (and beyond) is essential.

On that note, we’d love to leave you with some of our top tips for navigating a CertiK Audit:

  • Always read the audit report - in full!
  • Make sure the audit matches the contracts you’re looking into (same commit, same files in scope)
  • Audits are only one part of the DYOR process
  • Don’t forget - audits aren’t a silver bullet when it comes to rug-pulls!
  • Consult our crypto security leaderboard at certik.org when you DYOR

Consult with one of our experts at bd@certik.io
