
QuillAudits Docs

Walk-through: A Journey With Us to Secure Your Sui Smart Contract

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.


About us

QuillAudits is a leading web3 cybersecurity firm committed to securing Blockchain projects with our cutting-edge Web3 security solutions.



SUI Blockchain - Move Smart Contracts

Sui is a permissionless, proof-of-stake layer 1 blockchain with smart contract capabilities, designed to let creators and developers build experiences for the next billion users in web3. It aims to deliver Ethereum-style capabilities with a design and tooling built for scaling: it is engineered for fast settlement and high throughput, which makes it suitable for on-chain use cases such as DeFi and GameFi.

Sui uses Sui Move, a dialect of the Move language with an object-centric data model, as its native language for writing smart contracts.


Why Do Sui Move Smart Contracts Need Audits?

  1. Security: Smart contract audits help ensure the system's security by identifying and mitigating potential vulnerabilities and risks. In a decentralized system like the Sui blockchain, where there is no central authority to regulate transactions, security is paramount to prevent malicious actors from exploiting loopholes or introducing malicious code.

  2. Accuracy: Smart contract audits ensure that the code executes as intended and achieves its intended results. Accuracy is critical in ensuring the contract operates smoothly and fairly for all parties involved.

  3. Efficiency: Smart contract audits help to optimize the performance of the code, reducing the risk of delays, congestion, or other issues that can negatively impact the system's usability.

  4. Reliability: Smart contract audits increase the reliability of the code by identifying potential points of failure or other issues that can lead to system downtime or other types of disruptions.

  5. Transparency: Smart contract audits increase the system's transparency by providing insights into the inner workings of the contract. This can increase trust and confidence in the system.

  6. Compatibility: Smart contracts may need to interact with other components of the blockchain ecosystem, such as other smart contracts. Auditing the code can ensure that the contract is compatible with these other components and can prevent issues that may arise from incompatibility.

 

💭Connecting with you
You will have been added to a closed group with the Auditing Team by this time. You will be connected with the Project Manager and the Auditors through this dedicated channel during the process, for collaboration and instant resolution. At any point, if you have a query or need to discuss anything, we are just a message away!


Audit Process

Things we cover in the Move contract audit process (not limited to):

  • Reentrancy

  • Integer Overflow/Underflow

  • Rounding Errors

  • Denial of Service/Logical Oversights

  • Time Manipulation

  • Lack of Input Validation

  • Interoperability with Other Smart Contracts

  • Governance and Upgradeability

  • Gas Limitations

  • Access Control

  • Unchecked Return Values

  • Business Logic Contradiction

  • Transaction-ordering Dependence

  • Arbitrary Token Minting

  • Witness Type (including one-time witness misuse)

  • The Flow of Capability (who can hold, transfer or wrap capability objects)
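The last three items are the Sui-specific ones, and the module below shows what an auditor is looking for under each of them. It is an added example written for this page, not code from QuillAudits or from any audited project. It assumes legacy (pre-2024 edition) Sui Move syntax, a package address named `example`, and a made-up coin called `VLT`; the function and struct names are illustrative.

```move
// Added example (not QuillAudits' or any project's code). Legacy Sui Move
// syntax; the package address `example` is assumed.
module example::vault {
    use std::option;
    use sui::coin::{Self, Coin, TreasuryCap};
    use sui::object::{Self, UID};
    use sui::transfer;
    use sui::tx_context::{Self, TxContext};

    /// One-time witness: its name must be the module name in upper case and
    /// it may only have `drop`. The runtime guarantees a single instance is
    /// ever created, so the coin type derived from it cannot be created twice.
    struct VAULT has drop {}

    /// Capability that authorises minting. It has `store`, so any holder can
    /// hand it on via `transfer::public_transfer`; the audit therefore has to
    /// trace every path on which it can change hands. Dropping `store` would
    /// confine transfers to functions defined in this module.
    struct AdminCap has key, store { id: UID }

    /// Shared object wrapping the treasury so that mint functions can be
    /// called without the caller owning the TreasuryCap itself.
    struct MintPool has key { id: UID, treasury: TreasuryCap<VAULT> }

    /// Runs once at publish time; `witness` is the one-time witness.
    fun init(witness: VAULT, ctx: &mut TxContext) {
        let (treasury, metadata) = coin::create_currency(
            witness, 6, b"VLT", b"Vault Token", b"example coin", option::none(), ctx
        );
        transfer::public_freeze_object(metadata);
        transfer::share_object(MintPool { id: object::new(ctx), treasury });
        transfer::transfer(AdminCap { id: object::new(ctx) }, tx_context::sender(ctx));
    }

    /// VULNERABLE (arbitrary token minting): the pool is a shared object, so
    /// any address can call this and mint an unbounded amount to itself.
    public entry fun mint_unchecked(pool: &mut MintPool, amount: u64, ctx: &mut TxContext) {
        let c: Coin<VAULT> = coin::mint(&mut pool.treasury, amount, ctx);
        transfer::public_transfer(c, tx_context::sender(ctx));
    }

    /// HARDENED: the caller must pass an `AdminCap` it owns. Sui checks
    /// ownership of every owned input object before the body executes, so
    /// the parameter is a proof of possession; it is taken by reference and
    /// never consumed or moved.
    public entry fun mint(
        _admin: &AdminCap,
        pool: &mut MintPool,
        amount: u64,
        recipient: address,
        ctx: &mut TxContext
    ) {
        let c = coin::mint(&mut pool.treasury, amount, ctx);
        transfer::public_transfer(c, recipient);
    }
}
```

The check an auditor applies to `mint_unchecked` is simply: which inputs to this entry function does the transaction sender have to own? Here none, because a shared object can be passed by anyone. For `mint`, the same question is answered by `AdminCap`, and the follow-up question is where that capability can travel (`store`, wrapping in another object, or an unintended `public_transfer` elsewhere in the package).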

 

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let's dive deep into it and explore more.

 

Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage, because detail is key to a successful smart contract security audit. Here is how you can prepare for it:

Code quality

• Remove dead code and comments. 

• Consistent coding style. 

• Follow the Move style guide.

Use comments to document complex parts of the code and ensure these are consistent with the code.

 

Test the code 

• Make sure the contracts compile and are fully tested.

• Write high-coverage, high-quality unit tests, including edge cases.

This lets the audit focus on the difficult parts of the code. An audit should not be the stage that discovers that some functions are uncallable or do not do what they are expected to do on entirely straightforward inputs. Auditing time is best spent on unexpected, corner-case and adversarial behaviour.
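As an illustration of the edge-case tests we expect to find in the suite, the module below is an added example written for this page, not code from QuillAudits or from any audited project. It assumes legacy (pre-2024 edition) Sui Move syntax and a package address named `example`. It targets two items from the checklist above, integer overflow and rounding: Move does not wrap on overflow, it aborts, so a naive fee computation becomes a denial of service for large but legitimate amounts.

```move
// Added example (not QuillAudits' or any project's code). Legacy Sui Move
// syntax; the package address `example` is assumed.
module example::fee {
    const BPS_DENOMINATOR: u64 = 10_000;
    const EFeeTooHigh: u64 = 0;

    /// Naive fee: `amount * fee_bps` is computed in u64 and aborts with an
    /// arithmetic error once the product exceeds u64::MAX. Move never wraps,
    /// so the overflow shows up as an abort, i.e. a denial of service.
    public fun fee_naive(amount: u64, fee_bps: u64): u64 {
        assert!(fee_bps <= BPS_DENOMINATOR, EFeeTooHigh);
        amount * fee_bps / BPS_DENOMINATOR
    }

    /// Widen the intermediate product to u128. The quotient fits u64 because
    /// fee_bps <= BPS_DENOMINATOR, so the narrowing cast cannot abort either.
    public fun fee_safe(amount: u64, fee_bps: u64): u64 {
        assert!(fee_bps <= BPS_DENOMINATOR, EFeeTooHigh);
        let q = ((amount as u128) * (fee_bps as u128)) / (BPS_DENOMINATOR as u128);
        (q as u64)
    }

    /// Integer division rounds the fee down, in the payer's favour. A protocol
    /// that wants the fee rounded in its own favour must round up explicitly.
    public fun fee_round_up(amount: u64, fee_bps: u64): u64 {
        assert!(fee_bps <= BPS_DENOMINATOR, EFeeTooHigh);
        let num = (amount as u128) * (fee_bps as u128);
        let den = (BPS_DENOMINATOR as u128);
        let q = (num + den - 1) / den;
        (q as u64)
    }

    // --- unit tests: the edge cases the audit expects to see covered ---

    #[test]
    #[expected_failure(arithmetic_error, location = Self)]
    fun naive_aborts_on_max_amount() {
        let max: u64 = 18446744073709551615; // u64::MAX
        fee_naive(max, 30);
    }

    #[test]
    fun safe_handles_max_amount() {
        let max: u64 = 18446744073709551615; // u64::MAX
        // floor(u64::MAX * 30 / 10_000)
        assert!(fee_safe(max, 30) == 55340232221128654, 1);
    }

    #[test]
    fun rounding_direction_is_explicit() {
        // 999 * 30 / 10_000 = 2.997: floor gives 2, round-up gives 3
        assert!(fee_safe(999, 30) == 2, 2);
        assert!(fee_round_up(999, 30) == 3, 3);
    }

    #[test]
    #[expected_failure(abort_code = EFeeTooHigh)]
    fun rejects_fee_above_100_percent() {
        fee_safe(1, BPS_DENOMINATOR + 1);
    }
}
```

Run the suite with `sui move test` from the package directory. A test that pins the rounding direction (the third one) is what lets an auditor tell a deliberate design choice from an oversight.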

 

Code freeze

• Freeze the code and specify the commit hash, or deploy the code on testnet and share the link.

After freezing the code, we will gather the specifications from you to know the intended behaviour of the smart contract through the 'Smart Contract Specification' document.

 

🦋 How can you help?
Please ask your developers to fill out the specification doc. It helps us understand and verify the business logic and confirm everything thoroughly.


Step 2 - Manual Review

Here we look for undefined or unexpected behaviour and for common security vulnerabilities. The goal is to get as many skilled eyes on the contract code as possible. Aims of the manual review:

  • Focus on issues regarding security, attacks, mathematical errors, logical issues, etc.

  • Check the code for any vulnerabilities that can be exploited.

  • Verify that every detail in the specification is implemented in the smart contract.

  • Verify that the contract does not have any behaviour that is not stated in the specifications.

  • Verify that the contract does not violate the intended behaviour of specifications.

 

Step 3 - Functional Testing

  • The smart contract is manually deployed in a sandbox environment such as a local Sui network, Sui devnet/testnet, or the Move VM.

  • Smart contract functions will be tested on multiple parameters and under multiple conditions to ensure that all paths of functions are operating as intended.

  • In this phase, the expected behaviour of the smart contract is verified.

  • In this phase, we would also ensure that smart contract functions are not consuming unnecessary gas.

  • Gas limits of functions will be verified in this stage.

 

Step 4 - Testing over the Latest Attack Vectors

  • The team researches newly discovered attacks (like market manipulation, LP pricing, front-running vectors, and more) and tries to replicate them to ensure the project is safe from those attacks.

  • Attack-vector checklists covered: Move, NFT, DeFi, DAO, Sui and Web2.

  • If the current implementation is vulnerable to those newly discovered attacks, we recommend the project team switch to a safer implementation.

 

Step 5 - Testing with Automated Tools

Testing with automated tools is essential to catch the bugs that humans miss. Depending on the requirements and the auditor's preference, the tools we use include:

  • Move Prover

  • Move IR Visualizer

 

Step 6 - Initial Audit Report

In the end, we provide you with a comprehensive report, which we call the Initial Audit Report (IAR):

  • A comprehensive Audit Report.

  • It encapsulates the details of the audit and the recommended fixes for any vulnerabilities found in your contracts.

  • We expect you to resolve the identified bugs and make suitable changes to the code; alternatively, we can connect you with development partners to implement the fixes.

 

🦋 How can you help?
Please prepare an 'Updation Summary' or 'Comment Report' listing the changes you have made after receiving the IAR; this helps us identify the changes and test them rigorously.

Note - Please acknowledge that we start the Audit Process once the Audit Scope is frozen (commit hash or explorer link). If you change the code during the process, we can review the updated code only after delivering the Initial Audit Report. We cannot abort the process midway and start working on the updated code.

 

Step 7 - Final Audit Report

After the initial audit fixes, the process is repeated and the Final Audit Report is delivered. It is possible that, even after your fixes, some issues remain unresolved and/or the changes have introduced a few new ones.

So, after receiving the Final Audit Report, you have to decide (based on the severity table listing the unresolved issues) whether to alter the code again or to move forward as it is.

 

🦋 How can you help?
After receiving the Final Audit Report, please notify us whether we can proceed to prepare the final designed draft or whether you are going to fix the code again.


Step 8 - Delivery

After getting the green light from the previous step, we send the report to our designers to generate a PDF version of the Audit Report, displaying all the necessary details of the auditing process.

Sample Audit Report

Then, the report is uploaded to our official GitHub Repository, after which we share the link to the Audit Report and Certificate of Compliance from QuillAudits.

 

Step 9: Post-Audit

After the Final Audit Report, we take your project in front of the masses through:

Social Media Announcements

As per your requests, we will make an audit announcement from our social media handles to mark the completion of the audit.


🚧The completion of this step depends on the calendar availability of our Marketing Team. Therefore, this step might take some time to complete.

  • Access to QuillAudits Ecosystem (Exchanges, IDO, KYC, Incubators, VC Partners)

AMA Sessions

  • Expert auditors will explain the nuances of the Audit Report.

  • Q&A and direct interaction with your audience to build trust in your project.

Niche Targeted PR Services

  • Articles & guest posts in renowned publications.

  • Cross-platform promotions to give more exposure to the project.

Organize Product Launches, Community Meetups, etc.

  • QuillAudits team will help you in your product launch in India.

  • Set up community meetups, product workshops and web3 events for you.

  • QuillAudits expert team and partners will handle everything from content creation to marketing, event location, and event coordination.

 

What Can the Project Team Expect From Us?

  • Delivery of initial report within the agreed timeline (considering a margin of ±2 days due to unforeseen circumstances).

  • Reviewing the final version of the code before concluding the audit.

  • Following the complete audit process, i.e., Manual Review, Functional Testing, Automated Testing, and Reporting bug findings.

  • Publishing audit reports and making post-audit announcements based on agreed-upon terms.

     

What Do We Expect from the Project Team?

  • A working test suite (all tests written are executable) covering at least 90% of the project code and edge-case scenarios.

  • Structured code following reasonable naming conventions and consistent coding style.

  • Well-documented contracts/functions and updated whitepaper.

  • Fixing issues from the initial bug-finding report and providing detailed comments, stating what fixes have been implemented to the concerned issues.

  • Reviewing the final report so that QuillAudits can conclude the audit.

 

Feedback

Your feedback helps us improve and enhance our services so that we can serve you better.

 

Join Our Referral Program: Become a Part of Our Quest for Securing Blockchain and Get Rewarded 🥳

Do you know a friend who might need a Smart Contract Audit? 🙋‍♂️🙋‍♀️ We have something that you might be super interested in! Together, we can benefit many DeFi, NFT, and DAO projects by securing them with QuillAudits. Refer anyone looking for an audit, and get up to 15% on each referral. 

🚀Click on the link below to get access to exciting offers.

https://bit.ly/3hqN6ZM


Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!

Telegram