Přeskočit na hlavní obsah

Smart contract security checklist

smart contractssecuritysolidity
Intermediate
Trailofbits
Building secure contracts(opens in a new tab)
7. září 2020
2 minute read minute read

Smart contract development checklist

Here's a high-level process we recommend following while you write your smart contracts.

Check for known security issues:

  • Review your contracts with Slither(opens in a new tab). It has more than 40 built-in detectors for common vulnerabilities. Run it on every check-in with new code and ensure it gets a clean report (or use triage mode to silence certain issues).
  • Review your contracts with Crytic(opens in a new tab). It checks for 50 issues that Slither does not. Crytic can help your team stay on top of each other too, by easily surfacing security issues in Pull Requests on GitHub.

Consider special features of your contract:

Visually inspect critical security features of your code:

Document critical security properties and use automated test generators to evaluate them:

  • Learn to document security properties for your code. It's tough as first, but it's the single most important activity for achieving a good outcome. It's also a prerequisite for using any of the advanced techniques in this tutorial.
  • Define security properties in Solidity, for use with Echidna(opens in a new tab) and Manticore(opens in a new tab). Focus on your state machine, access controls, arithmetic operations, external interactions, and standards conformance.
  • Define security properties with Slither's Python API. Focus on inheritance, variable dependencies, access controls, and other structural issues.
  • Run your property tests on every commit with Crytic(opens in a new tab). Crytic can consume and evaluate security property tests so everyone on your team can easily see that they pass on GitHub. Failing tests can block commits.

Finally, be mindful of issues that automated tools cannot easily find:

  • Lack of privacy: everyone else can see your transactions while they're queued in the pool
  • Front running transactions
  • Cryptographic operations
  • Risky interactions with external DeFi components

Ask for help

Ethereum office hours(opens in a new tab) run every Tuesday afternoon. These 1-hour, 1-on-1 sessions are an opportunity to ask us any questions you have about security, troubleshoot using our tools, and get feedback from experts about your current approach. We will help you work through this guide.

Join our Slack: Empire Hacking(opens in a new tab). We're always available in the #crytic and #ethereum channels if you have any questions.

Poslední úpravy: , 15. srpna 2023

Byl tento tutoriál užitečný?