https://github.com/cybersecurityup/smart-contracts-audit-checklist

https://github.com/cybersecurityup/smart-contracts-audit-checklist

Last synced: 5 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/cybersecurityup/smart-contracts-audit-checklist
• Owner: CyberSecurityUP
• Created: 2024-09-08T16:12:56.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2024-09-09T03:07:16.000Z (almost 2 years ago)
• Last Synced: 2025-06-02T08:18:39.608Z (about 1 year ago)
• Size: 11.7 KB
• Stars: 27
• Watchers: 1
• Forks: 4
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# smart-contracts-audit-checklist

### **General Security**

- [ ] **Audit**: Has the contract been reviewed by a third-party security audit?

- [ ] **Review external contracts**: Does the contract interact securely with other external contracts?

- [ ] **Check admin permissions**: Are administrative functions restricted to authorized users only?

- [ ] **Secure contract upgrade process**: Is there a secure method for upgrading or migrating the contract?

### **Input Validation**

- [ ] **Validate user inputs**: Are all inputs from users properly validated to prevent issues like **injection** or **overflows**?

- [ ] **Reentrancy**: Is the contract vulnerable to **reentrancy attacks**? Ensure functions update their internal state before making external calls.

- [ ] **Test for Reentrancy**: Use automated tools like Slither to test for reentrancy vulnerabilities. Ensure functions update internal state before making external calls.

- [ ] **Validate All Inputs**: Ensure all user inputs, including transaction amounts, addresses, and IDs, are validated to avoid common issues like overflow, underflow, or invalid entries.

- [ ] **Test Invalid or Out-of-Order Transactions**: Test the contract’s ability to handle invalid transaction sequences, especially grouped transactions.

### **Access Control**

- [ ] **Check access restrictions**: Are only authorized users able to access critical functions or sensitive data?

- [ ] **Correct function visibility**: Are functions marked with the correct visibility (`private`, `internal`, `public`)?

- [ ] **Admin function protection**: Are critical administrative functions like `mint`, `burn`, and `pause` properly secured?

- [ ] **Check Ownership and Admin Privileges**: Ensure that only authorized addresses can perform critical operations like minting, burning, staking, and withdrawal.

- [ ] **Multisig Program**: Implement multisig mechanisms for key administrative operations to prevent malicious actions by a single admin.

- [ ] **Role-based Function Access**: Test if the contract properly limits access to certain functions based on roles, like signatory and validator.

### **Integer Overflows/Underflows**

- [ ] **Validate arithmetic calculations**: Are all arithmetic operations protected from **overflows** and **underflows**? Is `SafeMath` or equivalent being used?

### **Timestamp Dependency**

- [ ] **Check usage of `block.timestamp`**: Does the contract rely on `block.timestamp` in a way that could be manipulated by miners?

### **Time-Based Attacks**

- [ ] **Timestamp Dependence**: Check for reliance on `block.timestamp` and ensure it cannot be manipulated by miners to gain unfair advantages.

- [ ] **Pool Start and End Date Validation**: Confirm that pool start dates are properly validated to prevent issues where a pool starts in the past.

### **Arithmetic Safety**

- [ ] **Integer Overflow and Underflow**: Verify that arithmetic operations in the contract are protected using libraries like `SafeMath` or similar mechanisms. Check for missing underflow protection as identified in Yieldly audits.

### **Governance**

- [ ] **DAO and Governance Attacks**: Test for possible governance manipulation where attackers could execute critical actions like upgrading contracts, minting new tokens, or changing protocol rules.

- [ ] **Threshold Validation for Voting**: Verify that threshold limits are properly defined and applied in voting mechanisms for signatory and validator roles.

### **External Call Failures**

- [ ] **Validate external calls**: Does the contract properly check the return values of external calls to ensure execution halts on failure?

- [ ] **Call and Delegatecall**: Are functions using `call()` or `delegatecall()` implemented securely to avoid malicious code execution?

- [ ] **Unchecked External Calls**: Ensure that external calls are properly validated and that the contract does not proceed after failed external calls.

- [ ] **Proxy Contract Validation**: Verify that the contract utilizes proxy contracts securely. Ensure that transactions routed through the proxy cannot be bypassed.

### **Gas Manipulation**

- [ ] **Gas limits**: Are contract functions designed to stay within gas limits? Are long-running loops avoided to prevent gas exhaustion?

- [ ] **Efficient gas usage**: Ensure that gas is not wasted unnecessarily, particularly in critical functions.

### **Token Management**

- [ ] **ERC20/721 compliance**: Are the token contracts (ERC20, ERC721) following the proper standards?

- [ ] **Transfer permissions**: Can transfer functions be manipulated? Does the contract handle permissions and limits correctly?

### **Insecure Randomness**

- [ ] **Randomness generation**: If the contract generates random numbers, are they generated securely to avoid manipulation?

### **Denial of Service (DoS)**

- [ ] **Test DoS resistance**: Can the contract be locked or rendered unusable by malicious transactions that consume excessive gas or halt critical functions?

- [ ] **Loops in functions**: Ensure that functions looping over arrays or lists do not allow attackers to exhaust gas limits.

### **State Management**

- [ ] **Storage and data access**: Ensure the contract is storing and accessing data efficiently.

- [ ] **State updates**: Does the contract correctly update its state after each transaction?

### **Front-running Attacks**

- [ ] **Prevent front-running**: Can important transactions be manipulated or reordered by front-running attacks?

### **Phishing Attacks**

- [ ] **Protect against phishing**: Test how the contract handles interactions with user interfaces that may deceive users.

### **Randomness Vulnerabilities**

- [ ] **Test randomness sources**: Are random numbers generated using secure and unpredictable sources to prevent manipulation?

### **Emergency Functions**

- [ ] **Implement Emergency Withdraw**: Confirm that users have access to emergency withdrawal functions to recover funds if a contract enters an unexpected state. Ensure admin privileges on emergency actions are not overly restrictive.

### **Staking, Pools, and Rewards**

- [ ] **Reward Calculation Verification**: Test if staking rewards and pool ratios are calculated correctly after staking and withdrawing actions. Ensure that updates to rewards are triggered as expected.

- [ ] **Dynamic Testing for Pool Operations**: Perform dynamic tests to ensure that pool ratios and user claimable amounts are updated correctly.

### **Oracle Manipulation**

- [ ] **Secure oracle usage**: If the contract relies on external oracles, are they protected against manipulation?

- [ ] **Secure Randomness**: Ensure that random number generation is not predictable or manipulable, especially in lottery or staking functionalities.

- [ ] **Oracle Manipulation**: Test contracts for potential oracle manipulation that could lead to pricing or staking rewards being incorrectly calculated.

### **OWASP-related Vulnerabilities for Smart Contracts**

- [ ] **Proper data validation**: Are inputs and outputs validated properly to prevent data integrity issues?

- [ ] **Correct cryptography implementation**: Are cryptographic methods and hashing applied according to best practices?

- [ ] **Access control and authentication**: Are there any vulnerabilities allowing unauthorized users to access restricted functions?

- [ ] **Injection mitigation**: Ensure the contract is not vulnerable to data or command injection.

### **Manual Testing Considerations**

- [ ] **Admin Bypass Testing**: Attempt to bypass admin privileges or role restrictions by manipulating function parameters or transaction sequences.

- [ ] **Test Role-based Enhancements**: Verify that role-based enhancements are structured properly, ensuring that only authorized users can perform specific actions.

### **Tools to Automate Smart Contract Testing**

- [ ] **MythX**: Automatically analyze contracts for common vulnerabilities.

- [ ] **Slither**: Detect logic vulnerabilities, reentrancy issues, and gas optimizations.

- [ ] **Manticore**: Symbolic execution and fuzzing tool for smart contracts.

- [ ] **Oyente**: Static analyzer to find issues like reentrancy, uncontrolled loops, and others.

### **Smart Contract Best Practices**

- [ ] **Adhere to Versioning**: Ensure the contract explicitly defines the Solidity or Algorand version (`pragma version`) being used to avoid unintended behavior during compilatio.

- [ ] **Boundaries for Function Parameters**: Check that input values for functions have well-defined boundaries, such as ensuring array sizes or transaction amounts are reasonable.