The first time you open a crypto security audit on the CertiK Security Leaderboard, the report can look daunting and confusing, more like hieroglyphics than the essential DYOR (do your own research) asset it is.
Whether it's the security audit report of your favourite ERC20 token, an intricate DeFi protocol audit, or a review of your go-to NFT platform, this guide walks you through a CertiK audit section by section.
What is a CertiK Audit?
A security audit is an objective review of a particular codebase or set of smart contracts. Its goal is to identify security vulnerabilities, along with potential optimizations in gas consumption and coding style. Ultimately, an audit serves to reduce smart contract risk; it cannot eliminate it.
It's important to note that there is no pass or fail in an audit. Treat an audit as an unbiased assessment of a smart contract's security and coding style at a specific point in time, not as a certificate.
Diving In
To access a security audit, go to the Security Leaderboard, find the project you’d like to review, and open its page. Now, select the audit under ‘Audit History’ and hit ‘View PDF.’
You're in
After scrolling past the title page you'll see the 'Table of Contents', which gives a high-level overview of what to expect in the audit report.
Summary
The summary section defines the following:
- What is being audited
- The auditing process
- The goals of the security audit
Overview
Here, you'll find the 'Project Summary', 'Audit Summary', and 'Vulnerability Summary'. Let's take a look at each of these in a little more detail:
Project Summary
Project Name: Self-explanatory; the name of the project being audited
Description: A description of the smart contracts undergoing the audit
Platform: The network (chain) the contracts are deployed on or written for
Language: The programming language the contracts are written in
Codebase: A link to the public repository of the smart contract(s) being audited
Commits: The commit hash(es) that pin the exact revision of the repository that was audited. Code deployed from a different commit, or changed after this commit, is outside the audit, so compare this hash with the code you are actually looking at
Audit Summary
Delivery Date: The date the audit report was delivered
Audit Methodology: How the audit was performed and which techniques were used (for example manual review, static analysis, or formal verification, as stated in the report)
Key Components: The core components that the audit focused on
Vulnerability Summary
This section is the quickest way to gauge the outcome of an audit.
Here, every vulnerability identified during the audit is listed. In more recent reports, a table accompanies the breakdown, giving the number of findings per severity level and the status of each (whether the auditee resolved it or only acknowledged it). Pay as much attention to the status column as to the counts: a high-severity finding that was acknowledged but never fixed is still an open risk.
Types of vulnerabilities
Vulnerabilities are categorised into five severity levels, described below:
Critical
The most urgent type of vulnerability. Critical vulnerabilities pose an immediate, easily exploitable threat to the protocol's security, typically including loss of funds.
Major
These pose a significant threat to the security of the audited codebase and should be resolved urgently.
Medium
These may not pose a significant risk to the broader security of the protocol, but a potential attack vector remains.
Minor
These usually do not pose a significant risk to the protocol or to those who interact with it; however, they are still worth highlighting.
Informational
These 'vulnerabilities' typically relate to coding style or minor gas optimizations and do not pose a threat to the security of the protocol.
Files in scope
The exact list of files that were reviewed. This is particularly important - always check that the contract you're researching is actually in this list. A project's other contracts, or a newer version of a listed contract, were not reviewed, even if the project advertises itself as "audited by CertiK".
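The 'Commits' and 'Files in scope' fields together tell you exactly which revision of which files was audited. The following script, added here as an example and not taken from CertiK or from any audited project, builds a small constructed git repository with an "audited" revision and one later change, then uses `git diff --name-only` to list any in-scope files that differ between the audited commit and the revision you are actually looking at. The repository layout, file names, and the `audited` tag are assumptions for the demo; in practice you would pass the commit hash from the report and the paths from 'Files in scope'. It assumes `git` is installed.

```shell
# scope_drift: report in-scope files that changed after the audited commit.
#   scope_drift <repo-dir> <audited-commit> <current-ref> <in-scope-file>...
# Returns 0 when none of the in-scope files changed, 1 when any did or the
# audited commit cannot be found in the repository at all.
scope_drift() {
  repo=$1
  audited=$2
  current=$3
  shift 3

  # The "Commits" field in the report must resolve to a real commit in the
  # repository linked under "Codebase"; if it does not, the audit is for code
  # you cannot even inspect.
  if ! git -C "$repo" rev-parse --verify --quiet "$audited^{commit}" >/dev/null; then
    printf 'audited commit %s not found in %s\n' "$audited" "$repo" >&2
    return 1
  fi

  # Only the files listed under "Files in scope" are compared; changes to
  # anything else were never covered by the audit in the first place.
  changed=$(git -C "$repo" diff --name-only "$audited" "$current" -- "$@")
  if [ -n "$changed" ]; then
    printf 'in-scope files changed since audited commit %s:\n%s\n' "$audited" "$changed"
    return 1
  fi
  printf 'no in-scope changes between %s and %s\n' "$audited" "$current"
  return 0
}

# make_demo_repo: constructed sample repository for this example only.
# Commit 1 (tagged "audited") stands in for the revision named in the report;
# commit 2 modifies contracts/Token.sol after the audit and leaves
# contracts/Vault.sol untouched. Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  mkdir -p "$dir/contracts"
  printf 'contract Token {}\n' > "$dir/contracts/Token.sol"
  printf 'contract Vault {}\n' > "$dir/contracts/Vault.sol"
  git -C "$dir" add .
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m "audited revision"
  git -C "$dir" tag audited
  # Post-audit change: a new mint() function that no auditor has looked at.
  printf 'contract Token { function mint() public {} }\n' > "$dir/contracts/Token.sol"
  git -C "$dir" add .
  git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
    commit -q -m "post-audit change"
  printf '%s\n' "$dir"
}

# Usage against the constructed repository:
#   repo=$(make_demo_repo)
#   scope_drift "$repo" audited HEAD contracts/Token.sol   # exit 1, Token.sol listed
#   scope_drift "$repo" audited HEAD contracts/Vault.sol   # exit 0
# Against a real project, replace "audited" with the hash from the report's
# "Commits" field and pass the paths from "Files in scope".
```

A non-zero exit from `scope_drift` does not mean the project is unsafe, only that the audit you are reading does not cover the code in front of you; the changed files need either a fresh review or a newer audit report whose 'Commits' field matches.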
Findings
Here each vulnerability is broken down on a more technical level, usually with the affected file and line numbers and a code excerpt. Each finding has three parts:
Description: An overview of the vulnerability, where it occurs, and what an attacker (or a privileged account) could do with it
Recommendation: Advice from the CertiK team on how to resolve it
Alleviation: How the auditee responded to the recommendation, if at all: fixed in a later commit, partially fixed, or merely acknowledged with no code change. An acknowledged finding is still open, so read this part as carefully as the description
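The Vulnerability Summary counts findings per severity, and the Alleviation field in each finding says whether it was actually fixed; together they answer the question a reader most cares about: is anything serious still open? The script below is added here as an example, not code from CertiK or from any audit report. It parses a constructed per-finding table (ID, title, severity, status), rebuilds the severity-by-status summary, and lists findings at or above a chosen severity whose status is anything other than "Resolved". The finding IDs, titles, and the status names ("Resolved", "Partially Resolved", "Acknowledged") are assumptions for the example; real reports may use different status wording, so adjust `RESOLVED_STATUS` to match the report in hand.

```python
"""Summarise audit findings by severity/status and flag unresolved serious ones."""
from collections import Counter

# Severity levels as the report defines them, most severe first.
SEVERITIES = ["Critical", "Major", "Medium", "Minor", "Informational"]

# Status string a report uses for a finding the auditee fixed (assumed wording).
RESOLVED_STATUS = "Resolved"

# Constructed sample rows in the shape ID | Title | Severity | Status.
# IDs, titles and statuses are invented for this example, not from any real report.
SAMPLE_TABLE = """\
CKP-01 | Owner can mint unlimited tokens      | Major         | Acknowledged
CKP-02 | Reentrancy in withdraw()             | Critical      | Resolved
CKP-03 | Missing zero-address check           | Minor         | Resolved
CKP-04 | Unchecked return value of transfer() | Medium        | Partially Resolved
CKP-05 | Floating pragma                      | Informational | Acknowledged
"""


def parse_findings(table):
    """Parse pipe-separated rows into a list of finding dicts, rejecting malformed rows."""
    findings = []
    for line in table.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed row (expected 4 columns): {line!r}")
        fid, title, severity, status = parts
        if severity not in SEVERITIES:
            raise ValueError(f"{fid}: unknown severity {severity!r}")
        findings.append({"id": fid, "title": title, "severity": severity, "status": status})
    return findings


def summarize(findings):
    """Rebuild the Vulnerability Summary table: status counts per severity level."""
    return {
        sev: Counter(f["status"] for f in findings if f["severity"] == sev)
        for sev in SEVERITIES
    }


def unresolved(findings, at_least="Major"):
    """Findings at severity `at_least` or worse whose status is not RESOLVED_STATUS.

    Anything here is an open risk regardless of what the totals look like."""
    cutoff = SEVERITIES.index(at_least)
    return [
        f for f in findings
        if SEVERITIES.index(f["severity"]) <= cutoff and f["status"] != RESOLVED_STATUS
    ]


def render_summary(findings):
    """Human-readable version of summarize(), one line per severity."""
    lines = []
    for sev, statuses in summarize(findings).items():
        total = sum(statuses.values())
        detail = ", ".join(f"{n} {s}" for s, n in sorted(statuses.items())) or "-"
        lines.append(f"{sev:<13} {total:>2}  ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_TABLE)
    print(render_summary(found))
    open_items = unresolved(found, at_least="Medium")
    if open_items:
        print("\nStill open at Medium or above:")
        for f in open_items:
            print(f"  {f['id']}  [{f['severity']}] {f['title']}  ->  {f['status']}")
    else:
        print("\nNo unresolved findings at Medium or above.")
```

Run as-is, the script reports one Critical (resolved), one Major (acknowledged, so still open), and a partially resolved Medium; only the Major and Medium items appear in the open list. The point is that a report with "all Critical issues resolved" can still carry an unfixed Major centralization finding, which is exactly the kind of thing the Alleviation field exists to tell you.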
Final Comments
There's a lot to unpack when it comes to security audits, and rightly so. With the rapid growth of crypto, DeFi security (and beyond) is essential.
On that note, here are our top tips for navigating a CertiK audit:
- Always read the audit report - in full, including each finding's Alleviation section
- Make sure the audit matches the contracts you're looking into: same repository, same commit, and the files you care about listed under 'Files in scope'
- Audits are only one part of the DYOR process
- Don't forget - audits aren't a silver bullet, and a code audit does not protect you from rug-pulls by the project team
- Consult our crypto security leaderboard at certik.com when you DYOR
Consult with one of our experts at [email protected]