glowglow

QuillAudits Docs

Walk-through: A Journey With Us to Secure Your Smart Contracts

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.


About us

QuillAudits is a leading name in Web3 security, offering top-notch solutions to safeguard projects across DeFi, GameFi, NFT gaming, and all blockchain layers. With six years of expertise, we've secured over 1000 projects globally, averting over $30 billion in losses. Our specialists rigorously audit smart contracts and ensure DApp safety on major platforms like Ethereum, BSC, Arbitrum, Algorand, Tron, Polygon, Polkadot, Fantom, NEAR, Solana, and others, guaranteeing your project's security with cutting-edge practices.


Banner.png

Why Do We Need Auditing?

In the last ten years, more than 790 attacks on various blockchain-based companies have resulted in a cumulative loss of more than $ 27 billion. Also more worrying is that these numbers have been exploding greatly in the last couple of years. We have experienced more than 430 attacks in the previous two years, and more than $12 billion was lost.

If we talk about the current year only, there have been more than 200 attacks on various projects working on blockchain-based solutions, and these attacks have resulted in the loss of more than $2.5 billion. Not only that, but the most significant attack ever in terms of monetary value in the blockchain space also happened in the first half of this year, only when Axie Infinity’s Ronin Network Suffered $625M worth of exploitation.

One of the critical reasons for most of such hacks was security loopholes. Various research data found that most hacks happen due to vulnerabilities in smart contracts (44%), almost half of the attacks. So, it becomes very important that various senior security auditors thoroughly review the smart contracts of the projects, and the issues found are corrected immediately based on their recommendations. 

 

trends

pie chart

vulnerabilities

 

Connecting with you - By this time, you must have been added to a closed group with the Auditing Team. You would be connected with the Project Manager and the Auditors through this dedicated channel during the process for collaboration and instant resolution. At any point, if you face any query or find a need to discuss anything - we are just a message away!


Audit Process

Things We Cover in Audit Process :

  • Business Logics Review
  • Functionality Checks
  • Access Control & Authorization
  • Escrow manipulation
  • Freezing of a contract
  • Token Supply manipulation
  • User Balances manipulation
  • Data Consistency manipulation
  • Kill-Switch Mechanism
  • Operation Trails & Event Generation

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we do a thorough scrutiny of the smart contract to provide you with the Final Audit Report. Lets's dive deep into it and explore more


auditprocess

Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage because the detail is key for a successful smart contract Security audit. Here is how you can prepare for it:


Code quality

• Remove dead code and comments

• Consistent coding style.

• Follow the Rust (Solana) style guide.

Use comments to document complex parts of the code but also make sure these are. consistent with the code


Test the code

• Make sure the contracts can be compiled and fully tested.

• Perform high coverage and high-quality unit tests.

This will maximize focus on the difficult parts of the code. Auditing should not be discovered that some functions are uncallable, or do not do what they are expected to do under entirely straightforward inputs. Optimal auditing should focus on unexpected, corner-case, possibly adversarial behavior.


Code freeze

• Freeze the code and specify the commit hash. Or, deploy the code on testnet and share the link.

After freezing the code, we will gather the specifications from you to know the intended behavior of the smart contract through the 'Smart Contract Specification' document.


🦋How you can help - Please ask your developers to fill the specification doc - It would help us to understand & verify the business logic, and facilitate confirming everything thoroughly.



Step 2 - Manual Code Review

Here we would look for undefined, unexpected behavior and common security vulnerabilities. The goal is to get to as many skilled eyes on contract code as possible.

Aims of manual review:

  • Focus on security, attacks, mathematical errors, logical issues, etc.
  • Check the code for any vulnerabilities that can be exploited.
  • Verify that every detail in the specification is implemented in the smart contract.
  • Verify that the contract does not have any behaviour that is not stated in the specifications.
  • Verify that the contract does not violate the originally intended behaviour of specifications.

Step 3 - Functionality Testing

  • The smart contract will be manually deployed in a sandbox environment like testnet/mainnet forks, hardhat, ganache, etc.
  • Smart contract functions will be tested on multiple parameters and under various conditions to ensure that all paths of functions are operating as intended.
  • In this phase, the expected behaviour of the smart contract is verified.
  • In this phase, we also ensure that smart contract functions are not consuming unnecessary gas.
  • Gas limits of functions will be verified in this stage.


Step 4 - Testing over Latest Attack Vectors


  • The team researches newly discovered attacks (like market manipulation, LP pricing, front-running vectors, and more) and tries to replicate them to ensure the project is safe from those attacks.
  • Solidity attack vectors:
  • NFT attack vectors:
  • DeFi attack vectors:
  • DAO attack vectors:
  • Blockchain attack vectors:
  • Web2 attack vectors:
  • If the current implementation is vulnerable to those newly discovered attacks, we recommend the project team switch to a safer implementation.

Step 5 - Testing with Automated Tools

Testing with automated tools is essential to catch those bugs that humans miss. Some of the tools we would use are (based on the requirement/auditor preference, we use specific tools) :

  • Mythril / Mythx

  • Solgraph

  • Solidity Coverage

  • Slither

  • Solidity Visual Developer

 

Step 6 - Initial Audit Report

In the end, we would provide you with a comprehensive report, which we call the Initial Audit Report (IAR):


🦋How you can help - You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this would help us identify the changes and test them rigorously.


  • A Comprehensive Audit report.
  • Encapsulates details of the Audit & solutions to the vulnerabilities (if we found any) in your contracts.
  • We expect you to resolve the identified bugs & make suitable changes to the code.

Note - Please acknowledge that once the Audit Scope is frozen ( commit hash or explorer link ), we start the Audit Process. In case, you make any changes to the code in-between the process, we will be able to check the updated code only after delivering the Initial Audit Report. We cannot abort the process in between and start working on the updated code.


Step 7 - Final Audit Report

After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.

So, after receiving the Final Audit report, you have to take a call (based on the severity table containing the unresolved issues) whether to alter the code again or to move forward as it is.


🦋How you can help - After getting the Final Audit Report, please notify us whether we can proceed to prepare the final designed draft or you are going to fix the code again.


Step 8 - Delivery

After getting a green light from the previous step, we send the report to our designers. With their skills, they make a PDF Version of the Audit Report and beautifully showcase everything in it.


Post-Audit-Announcements

As per your requests, we make an Audit Announcement from our social media handles to mark the completion of the Audit.

Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners).


🚧The completion of this step totally depends on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.


AMA Sessions

  • Expert Auditors Explaining the Nuances of the Audit Report
  • QnA and Direct Interaction with Your Audience to Build Trust in Your Project

Niche Targeted Marketing/PR Services

  • Articles & Guest Posts in Renowned Publications.
  • Cross-Platform Promotions to Give More Exposure to the Project.

Organize Product launches, Community Meetups etc.

  • QuillAudits team will help you in your product launch in India.
  • Set up community meetups, product workshops and web3 events for you.
  • QuillAudits expert team and partners will take care of everything from content creation to marketing and event location to event coordination.


What can the Project Team Expects from Us?

  • Delivery of initial report within the agreed timeline (considering a margin of +- 2 days due to unforeseen circumstances).
  • Reviewing the final version of the code before concluding the audit.
  • Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.
  • Publishing Audit Reports and Making Post Audit Announcements based on agreed-upon terms.

What do We expect from Project Team?

  • A working test suite(all tests written are executable) covering at least 90% of the project code and edge-case scenarios.
  • Structured code following reasonable naming conventions and consistent coding style.
  • Well-documented contracts/functions and updated whitepaper.
  • Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.
  • Reviewing the final report so that QuillAudits can conclude the audit.


Feedbacks

Your feedback helps us to improve and enhance. It helps us inculcate innovations in our services to improve and serve you better.

Please click here to provide your valuable feedback - Feedback Link


🦋Survey - Kindly provide your valuable inputs by filling out the survey form to aid us in understanding the current DeFi & NFT market better. It would help us to improve upon our methodology for 𝘀𝗺𝗮𝗿𝘁 𝗰𝗼𝗻𝘁𝗿𝗮𝗰𝘁𝘀 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆. Survey Link


Join Our Referral Program: Become a part of our quest for Securing Blockchain and Get Rewarded 🥳

💡Do you know a friend who might be in need of a Smart Contract Audit? 🙋‍♂️🙋‍♀️

We have something that you might be super interested in!

Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits.

Refer anyone looking for an audit, and get up to 15% on each referral. Click on the link below to get access to exciting offers. 🚀

https://bit.ly/3hqN6ZM



Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!

Telegram