# Lesson 2 Recap
Congratulations! You've come so far already. Let's do a quick recap of what's been covered in this section.
A smart contract audit is a time-boxed security review, looking for security vulnerabilities. The goal here is to inform the protocol on how to be as secure as possible.
There's no silver bullet when it comes to how to perform a security review. Generally, a security review is divided into three stages:
- Initial review
  - Scoping
  - Reconnaissance
  - Vulnerability Identification
  - Reporting
- Protocol Fixes
  - Protocol fixes issues
  - Retests and adds tests for changes
- Mitigation Review
  - Reconnaissance
  - Vulnerability Identification
  - Reporting
Keep in mind that security isn't just one crucial point in the smart contract development lifecycle; it's a continuous, never-ending process:
- Plan & Design
- Develop & Test
- Smart Contract Audit & Post Deploy Planning
- Deploy
- Monitor & Maintain
"Security shouldn't just be an afterthought or some box you check. You need to have a security mindset from day one".
Thinking about post-deployment planning, monitoring and maintaining is just as important as the development itself.
In future posts, we'll be delving into the various tools used in conducting security reviews. Trust me, you'll need to get your hands dirty with tools like:
- Static Analysis
- Fuzzing/Invariant Tests
- Formal Verification
- AI
Before a protocol is even ready for an audit, it should consider where it stands on the Rekt Test or other checklists like nascentxyz's simple-security-toolkit.
We need to always be improving as security researchers and adopt an attacker vs defender mindset. It's only by staying informed and constantly improving that we can stay ahead of the problem.
We touched on top attack vectors that are hitting Web3 to this day (including re-entrancy which has been around since 2016!).
Hopefully, with you taking this course, we can learn from the mistakes of the past and finally rein in the exploitation in Web3.