The first time you open a smart contract security audit on the CertiK Security Leaderboard, the report can look daunting and confusing, more like hieroglyphics than an essential tool for doing your own research (DYOR).
Whether it’s the audit report for your favorite ERC20 token, an intricate DeFi protocol audit, or the audit of your go-to NFT platform, this guide walks you through reading any CertiK audit like a champ.
A security audit is an independent review of a codebase, typically a set of smart contracts. The goal is to identify security vulnerabilities, along with potential improvements in gas consumption and coding style. Ultimately, audits serve to reduce smart contract risk; they cannot eliminate it.
It’s important to note that there is no pass or fail in an audit. It’s best viewed as an unbiased assessment of the security and coding style of a smart contract as it existed at a specific commit, at a specific point in time.
To access a security audit, head to the Security Leaderboard, find the project whose audit you’d like to review, and open its page. Then select the audit under ‘Audit History’ and hit ‘View PDF’.
After scrolling past the title page you’ll see the ‘Table of Contents’, which gives a top-level overview of what to expect in the report.
The summary section comes next. Here you’ll find the ‘Project Summary’, ‘Audit Summary’, and ‘Vulnerability Summary’. Let’s take a look at each in a little more detail:
Project Name: The name of the project being audited
Description: A description of the smart contracts undergoing the audit
Platform: The network the contracts are deployed on, or target
Language: The programming language the contracts are written in
Codebase: A link to the public repository of the smart contract(s) being audited
Commits: The Git commit hash(es) identifying exactly which revision of the code was audited. This matters: changes pushed after the audited commit, or a deployment that does not correspond to it, are not covered by the report
Delivery Date: The date the report was delivered
Audit Methodology: How the audit was performed and which techniques were used
Key Components: The core components of the audited system
This section is one of the most important when assessing the result of an audit.
Here, all vulnerabilities identified during the audit are listed. In more recent reports, a table accompanies the breakdown, showing the number of findings at each severity level and the status of each (whether the team has addressed it).
Vulnerabilities are categorised into five severity levels, from most to least severe:
Critical: the most urgent type. Critical vulnerabilities pose an immediate and easily exploitable threat to the security of the protocol.
The second tier represents a significant threat to the security of the audited codebase and should be resolved with urgency.
The third tier may not pose a significant risk to the wider security of the protocol, but a potential attack vector remains.
The fourth tier often does not pose a major risk to the protocol or to those who interact with it, but it should still be highlighted.
The lowest tier relates to coding style or minor gas optimizations. These ‘vulnerabilities’ do not pose a threat to the security of the protocol.
Next comes the audit scope: details of exactly which files were covered by the audit. This is particularly important. Always check that the contract you are researching is actually in scope, and that the code deployed on-chain corresponds to the audited commit. An audit of one contract says nothing about other contracts in the same project.
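The scope and commit checks above are only meaningful if the bytecode live on-chain is the bytecode built from the audited commit. The following is an added worked example, not CertiK’s code and not taken from any report: it strips the CBOR metadata trailer that the Solidity compiler appends to runtime bytecode (the last two bytes give the trailer’s length) and compares what remains, so that a rebuild whose only difference is the metadata hash still matches. The sample bytecodes are constructed for this example and do not belong to any real contract; the function names are this example’s own.

```python
"""Compare deployed runtime bytecode against the build from the audited commit.

Added example, not CertiK's code. The sample bytecodes below are constructed,
not taken from any real contract. Assumption: both inputs are Solidity
runtime bytecode whose trailer is the compiler's CBOR metadata block.
"""
from __future__ import annotations

from dataclasses import dataclass


def _hex_to_bytes(s: str) -> bytes:
    s = s.strip()
    if s.startswith(("0x", "0X")):
        s = s[2:]
    return bytes.fromhex(s)


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Return (body, cbor_metadata); metadata is b'' if no valid trailer exists.

    solc appends CBOR-encoded metadata to runtime bytecode; the final two bytes
    are the big-endian length of that CBOR block, excluding the two length bytes.
    """
    if len(code) < 2:
        return code, b""
    meta_len = int.from_bytes(code[-2:], "big")
    total = meta_len + 2
    if meta_len == 0 or total > len(code):
        return code, b""
    cbor = code[-total:-2]
    # Sanity checks: the block must start with a CBOR map (major type 5) of
    # 1..4 keys and carry at least one of the keys solc actually emits.
    if (cbor[0] & 0xE0) != 0xA0 or (cbor[0] & 0x1F) > 4:
        return code, b""
    if not any(k in cbor for k in (b"ipfs", b"bzzr0", b"bzzr1", b"solc")):
        return code, b""
    return code[:-total], cbor


@dataclass
class Verdict:
    matches: bool
    reason: str


def compare_bytecode(deployed_hex: str, audited_build_hex: str) -> Verdict:
    """Decide whether deployed code equals the audited build, ignoring metadata."""
    deployed, dmeta = split_metadata(_hex_to_bytes(deployed_hex))
    audited, ameta = split_metadata(_hex_to_bytes(audited_build_hex))
    if deployed == audited and dmeta == ameta:
        return Verdict(True, "exact match including metadata")
    if deployed == audited:
        return Verdict(True, "code matches; only compiler metadata differs")
    if len(deployed) != len(audited):
        return Verdict(False, f"code length differs ({len(deployed)} vs {len(audited)} bytes)")
    first = next(i for i, (a, b) in enumerate(zip(deployed, audited)) if a != b)
    return Verdict(False, f"code differs at byte offset {first}")


# Constructed sample: a 32-byte runtime body followed by a solc-style trailer
# (CBOR map with an 'ipfs' hash and a 'solc' version, then the 2-byte length 0x0033).
_BODY = "6080604052348015600f57600080fd5b506004361060285760003560e01c8063"
_META_A = "a2" "64" "69706673" "5822" "1220" + "11" * 32 + "64" "736f6c63" "43" "000811" "0033"
_META_B = "a2" "64" "69706673" "5822" "1220" + "22" * 32 + "64" "736f6c63" "43" "000811" "0033"

DEPLOYED = "0x" + _BODY + _META_A          # what eth_getCode would return (constructed)
AUDITED_BUILD = "0x" + _BODY + _META_B     # same code, different metadata hash
TAMPERED = "0x" + _BODY[:-2] + "ff" + _META_A  # one byte of logic changed

if __name__ == "__main__":
    for label, candidate in (("audited build", AUDITED_BUILD), ("tampered", TAMPERED)):
        v = compare_bytecode(DEPLOYED, candidate)
        print(f"{label}: matches={v.matches} ({v.reason})")
```

In practice, fetch the deployed code with the node’s eth_getCode method and produce the audited build by compiling the repository at the commit listed in the report with the same compiler version and settings. Immutable variables are written into the runtime code at deployment and will legitimately differ from the compiled artifact, so a mismatch confined to those slots is not proof of tampering; a mismatch anywhere else means you are not looking at the audited code.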
Here is where each vulnerability is broken down at a more technical level. For every finding you’ll see:
Description: An overview of the vulnerability and its impact
Recommendation: Advice from the CertiK team on how to resolve it
Alleviation: How the auditee has resolved it, if at all. Pay attention here: a finding that has not been alleviated was still present in the code at the time of the report.
There’s a lot to unpack when it comes to security audits, and rightly so. With the rapid growth of crypto, security in DeFi (and beyond) is essential.
On that note, we’d love to leave you with some of our top tips for navigating a CertiK Audit:
Consult with one of our experts.