|
1 | 1 | # Security Review Preparation Checklist |
2 | 2 |
|
3 | | -So, you're getting a security review! |
| 3 | +Get ready for your security review! Ensuring a few key elements are in place before the review starts can make the process significantly smoother for both sides. |
4 | 4 |
|
5 | | -Ensure the security review proceeds smoothly by taking prior action with the following informative items. |
| 5 | +💡 **ProTip 1:** Predefine areas of focus and provide the review team early access to your codebase. |
6 | 6 |
|
7 | | -## Essential Items |
| 7 | +- Provide a detailed list of files for review. |
| 8 | +- Freeze a stable commit hash, branch, or release prior to review. |
| 9 | +- Pinpoint areas in the codebase that previously had issues, inspire less confidence, or are of particular concern. |
| 10 | +- If your codebase is a fork of an existing protocol, delinate the differences and modifications you made compared to the original codebase. |
8 | 11 |
|
9 | | -The items below guide us in focusing effectively on the pertinent parts of your code, maximizing our utilization of time and resources. |
| 12 | +💡 **ProTip 2:** Lay the groundwork for your review by ensuring your project is build-ready. This allows us to focus on giving you actionable recommendations instead of trying to build your code! |
10 | 13 |
|
11 | | -- [ ] **Provide build instructions** – share how to build and test your code using a fresh clone of your repository. It gives us direct insight into your setup. |
12 | | -- [ ] **List exact files in scope for the review** – list out the exact files to be reviewed to focus on key areas of your codebase. |
13 | | -- [ ] **Freeze and share your hash/branch/release before the review starts** – a stable commit allows us to start digging into your codebase and learning how it works. Tell your security review team what commit to review, and try to ensure that this commit is frozen before the review commences. |
14 | | -- [ ] **Add inline comments** – utilise comments on complex areas of the codebase. Document why something was done, its purpose and goal. |
15 | | -- [ ] **Provide Natspec documentation** – ensure all functions have NatSpec descriptions for function's purpose, parameters, and return values. |
16 | | -- [ ] **Provide test coverage report** – provide a report outlining tested and untested code areas. |
17 | | -- [ ] **Share your unit tests** – share your unit tests with us! We may use it to understand the system flow, can provide feedback on its setup, and can use it to test proof of concepts. |
18 | | -- [ ] **List external dependencies you're using and their purpose** – list used libraries and external dependencies along with their purposes. |
19 | | -- [ ] **Create user flow diagrams** – outline the entrypoint functions, subsequent callstacks, and expected system interactions for users. |
20 | | -- [ ] **Design an architecture diagram** – illustrate the interactions among contracts. |
21 | | -- [ ] **Let us know what you're worried about** – reveal parts of the code or exploit paths that cause concern.This helps us target our review and make sure that we prioritize the areas of the codebase you're worried about. |
22 | | -- [ ] **Document the impossible** – know when you are making assumptions on types and their values into the codebase, and document all these instances. |
| 14 | +- Create a clear set of build instructions. |
| 15 | +- Confirm your setup process by cloning and testing your repository on a fresh environment. |
23 | 16 |
|
24 | | -### Defi-Specific Additions |
| 17 | +💡 **ProTip 3:** Streamline our process of building a mental model of your codebase by providing comprehensive documentation. |
25 | 18 |
|
26 | | -- [ ] **Share economic analysis performed on the codebase** – sharing results of economic analysis will help us to understand the boundaries of inputs and ranges of outputs. |
27 | | -- [ ] **List system invariants** – define your assumptions about system operations and function behaviors. |
28 | | -- [ ] **Provide documentation for arithmetic formulas used with code references** – all formulas you implement should be referenced in this document, with a link to the function in your code that implements it. If the representation in your code differs from the formula, provide the derivation that maps the formula used in the code and the formula you intend to implement. |
29 | | -- [ ] **Create a glossary for your system** – consistently used terminology should be documented and made accessible. |
30 | | -- [ ] **Validation of rounding directions** – share all analysis you have done on checking the correct rounding direction for your system. |
| 19 | +- Create flowcharts and sequence diagrams to depict primary workflows. |
| 20 | +- List actors and with their respective roles and privileges. |
| 21 | +- Incorporate external developer documentation that links directly to your code. |
| 22 | +- Add inline comments for complex areas of your system. |
| 23 | +- Maintain comprehensive NatSpec descriptions for all functions. |
| 24 | +- Create short video walkthroughs for complex workflows or areas of concern. |
31 | 25 |
|
32 | | -### Bridge-Specific Additions |
| 26 | +💡 **ProTip 4:** Share your test suite and coverage report with us to better understand the system. |
33 | 27 |
|
34 | | -- [ ] **Document off-chain checks** – provide details about validations performed by off-chain components like relayers or bots. |
35 | | -- [ ] **Checks performed by off-chain components such as relayers or bots** tell us what data validation takes place off-chain so we can better understand what data is sent to smart contracts |
36 | | -- [ ] **Transition of value-passing on source and destination chains** – show us how the chains share data, and what return values/emissions from a source chain maps to a destination chain |
| 28 | +- Provide your test coverage report. |
| 29 | +- Share unit and stateful fuzz tests. |
| 30 | +- Share fuzz and differential tests. |
37 | 31 |
|
38 | | -## Beneficial Additions |
| 32 | +💡 **ProTip 5:** For arithmetic-heavy codebases, meticulously document and map all of your formulas. |
39 | 33 |
|
40 | | -Providing the following items can bolster the efficiency of our review, allowing for a deeper and more thorough examination of your codebase. |
| 34 | +- Document every formula implemented in your codebase. |
| 35 | +- Map each formula to in-code implementation and if there are deviations between these two, include derivations. |
| 36 | +- Share all rounding direction analysis. |
| 37 | +- Share results from any economic analysis conducted on your codebase. |
41 | 38 |
|
42 | | -- [ ] **Ranges of all system parameters used in the system** – explicitly outline the minimum and maximum bound of configuration values in your codebase |
43 | | -- [ ] **Document all design decisions** – decision-making processes engineering tradeoffs, and discarded alternatives related to the system and codebase setup provides valuable context that greatly enhances our review efficiency, affording a more comprehensive and nuanced understanding of the entire system. |
44 | | -- [ ] **Provide results of fuzz and differential testing** – especially vital if your code involves lower-level assembly or math-related libraries. This aids us in employing tooling to spot deviations and edge cases. |
45 | | -- [ ] **Perform and report on stateful invariant testing** – such testing enables us to pinpoint edge cases that might occur during end-to-end operations. |
46 | | -- [ ] **Provide videos of complex workflows** – visual aids can effectively capture complex workflows, improving our grasp of the system's intricacies and bolstering the efficiency of our review. |
47 | | -- [ ] **Provide lists of actors with their expected roles and privileges** – outlining the distinct actors in your system, along with their specific roles and permissions, grants us a clearer understanding of how user interactions are designed and how authority is structured within the system. This, in turn, boosts the efficiency and depth of our review. |
48 | | -- [ ] **Prepare and share an Incident response plan** – a robust incident response plan provides insight into how your system is prepared to handle potential security breaches or unexpected system behavior. By sharing this, we can assess the system's robustness under adverse conditions, as well as provide recommendations for enhancing the resilience of your incident response strategy. |
| 39 | +💡 **ProTip 6:** Expedite familiarisation of your codebase by detailing all assumptions. |
49 | 40 |
|
50 | | -### References |
| 41 | +- List system invariants. |
| 42 | +- Identify the parameter ranges (minimum and maximum values) used in your system. |
| 43 | +- Highlight unreachable or logically excluded system states. |
| 44 | +- Compile a glossary for consistent terminology use. |
| 45 | +- List external dependencies used and their purpose. |
51 | 46 |
|
52 | | -- Our own experience |
53 | | -- [The Pragamatic Programmer](https://pragprog.com/titles/tpp20/the-pragmatic-programmer-20th-anniversary-edition/) |
| 47 | +💡 **ProTip 7:** Clarify all interactions within the system. Highlight how contracts work together on-chain and how your contract interfaces with off-chain components. |
| 48 | + |
| 49 | +- Create an architecture diagram of on-chain contract interactions. |
| 50 | +- Document all design decisions, including engineering trade-offs, and discarded alternatives. |
| 51 | +- If your system uses off-chain components, outline data validation procedures off-chain and the input bounds for on-chain functions. |
| 52 | +- If your system has bridge-like functionality, document values passing between source and destination chains. |
0 commit comments