|
1 | | -# Security Review Preparation Checklist |
| 1 | +# How to prepare for a security review |
2 | 2 |
|
3 | 3 | Get ready for your security review! Ensuring a few key elements are in place before the review starts can make the process significantly smoother for both sides. |
4 | 4 |
|
5 | | -💡 **ProTip 1:** Predefine areas of focus and provide the review team early access to your codebase. |
| 5 | +## Set a goal for the review |
6 | 6 |
|
7 | | -- Provide a detailed list of files for review. |
8 | | -- Freeze a stable commit hash, branch, or release prior to review. |
9 | | -- Pinpoint areas in the codebase that previously had issues, inspire less confidence, or are of particular concern. |
10 | | -- If your codebase is a fork of an existing protocol, delinate the differences and modifications you made compared to the original codebase. |
| 7 | +This is the most important step of a security review, and paradoxically the one most often overlooked. You should have an idea of what kind of questions you want answered, such as: |
11 | 8 |
|
12 | | -💡 **ProTip 2:** Lay the groundwork for your review by ensuring your project is build-ready. This allows us to focus on giving you actionable recommendations instead of trying to build your code! |
| 9 | +- What’s the overall level of security for this product? |
| 10 | +- What are the areas that you are the most concerns about? |
| 11 | + - Take into considerations previous audits and issues, complex parts, and fragile components. |
| 12 | +- What is the worst case scenario for your project? |
13 | 13 |
|
14 | | -- Create a clear set of build instructions. |
15 | | -- Confirm your setup process by cloning and testing your repository on a fresh environment. |
| 14 | +Knowing your biggest area of concern will help the assessment team tailor their approach to meet your needs. |
16 | 15 |
|
17 | | -💡 **ProTip 3:** Streamline our process of building a mental model of your codebase by providing comprehensive documentation. |
| 16 | +## Resolve the easy issues |
18 | 17 |
|
19 | | -- Create flowcharts and sequence diagrams to depict primary workflows. |
20 | | -- List actors and with their respective roles and privileges. |
21 | | -- Incorporate external developer documentation that links directly to your code. |
22 | | -- Add inline comments for complex areas of your system. |
23 | | -- Maintain comprehensive NatSpec descriptions for all functions. |
24 | | -- Create short video walkthroughs for complex workflows or areas of concern. |
| 18 | +Handing the code off to the assessment team is a lot like releasing the product: the cleaner the code, the better everything will go. To that end: |
25 | 19 |
|
26 | | -💡 **ProTip 4:** Share your test suite and coverage report with us to better understand the system. |
| 20 | +- **Triage all results from static analysis tools**. Go after the low-hanging fruits and use: |
| 21 | + - [Slither](https://github.com/crytic/slither) for Solidity codebases |
| 22 | + - [dylint](https://github.com/trailofbits/dylint) for Rust codebases |
| 23 | + - [golangci](https://golangci-lint.run/) for Go codebases |
| 24 | + - [CodeQL and Semgrep](https://appsec.guide/) for Go/Rust/C++/... codebases |
| 25 | +- **Increase unit and feature test coverage**. Ideally this has been part of the development process, but everyone slips up, tests don’t get updated, or new features don’t quite match the old integrations tests. Now is the time to update the tests and run them all. |
| 26 | +- **Remove dead code, unused libraries, and other extraneous weight.** You may know which is unused but the consultants won’t and will waste time investigating it for potential issues. The same goes for that new feature that hasn’t seen progress in months, or that third-party library that doesn’t get used anymore. |
27 | 27 |
|
28 | | -- Provide your test coverage report. |
29 | | -- Share unit and stateful fuzz tests. |
30 | | -- Share fuzz and differential tests. |
| 28 | +## Ensure the code is accessible |
31 | 29 |
|
32 | | -💡 **ProTip 5:** For arithmetic-heavy codebases, meticulously document and map all of your formulas. |
| 30 | +Making the code accessible and clearly identified will avoid wasting ressources from the security engineers. |
33 | 31 |
|
34 | | -- Document every formula implemented in your codebase. |
35 | | -- Map each formula to in-code implementation and if there are deviations between these two, include derivations. |
36 | | -- Share all rounding direction analysis. |
37 | | -- Share results from any economic analysis conducted on your codebase. |
| 32 | +- **Provide a detailed list of files for review.**. This will avoid confusion if your codebase is large and some elements are not meant to be in scope. |
| 33 | +- **Create a clear set of build instructions, and confirm the setup by cloning and testing your repository on a fresh environment.** A code that cannot be built is a code more difficult to review. |
| 34 | +- **Freeze a stable commit hash, branch, or release prior to review.** Working on a moving target makes the review more difficult |
| 35 | +- **Identify boilerplates, dependencies and difference from forked code**. By highliting what code you wrote, you will help keeping the review focused |
38 | 36 |
|
39 | | -💡 **ProTip 6:** Expedite familiarisation of your codebase by detailing all assumptions. |
| 37 | +## Document, Document, Document |
40 | 38 |
|
41 | | -- List system invariants. |
42 | | -- Identify the parameter ranges (minimum and maximum values) used in your system. |
43 | | -- Highlight unreachable or logically excluded system states. |
44 | | -- Compile a glossary for consistent terminology use. |
45 | | -- List external dependencies used and their purpose. |
| 39 | +Streamline the revuew process of building a mental model of your codebase by providing comprehensive documentation. |
46 | 40 |
|
47 | | -💡 **ProTip 7:** Clarify all interactions within the system. Highlight how contracts work together on-chain and how your contract interfaces with off-chain components. |
48 | | - |
49 | | -- Create an architecture diagram of on-chain contract interactions. |
50 | | -- Document all design decisions, including engineering trade-offs, and discarded alternatives. |
51 | | -- If your system uses off-chain components, outline data validation procedures off-chain and the input bounds for on-chain functions. |
52 | | -- If your system has bridge-like functionality, document values passing between source and destination chains. |
| 41 | +- **Create flowcharts and sequence diagrams to depict primary workflows**. They will help identify the components and their relationships |
| 42 | +- **Write users stories**. Having users stories is a powerful tool to explain a project |
| 43 | +- **Outline the on-chain / off-chain assumptions**. This includes: |
| 44 | + - Data validation procedure |
| 45 | + - Oracles information |
| 46 | + - Bridges assumptions |
| 47 | +- **List actors and with their respective roles and privileges**. The complexity of a system grows with its number of actors. |
| 48 | +- **Incorporate external developer documentation that links directly to your code**. This will help to ensure the documentation is up to date with the code |
| 49 | +- **Add function documentation and inline comments for complex areas of your system**. Code documentation should include: |
| 50 | + - System and function level invariants |
| 51 | + - Parameter ranges (minimum and maximum values) used in your system. |
| 52 | + - Arithmetic formula: how they map to their specification, and their precision loss exceptations |
| 53 | +- **Compile a glossary for consistent terminology use.** You use your codebase every day and you are familar with the terminology - a new person looking at your code is not |
| 54 | +- **Consider creating short video walkthroughs for complex workflows or areas of concern**. Video walkthroughs is a great format to share your knowledge |
0 commit comments