Art Of Auditing
  • 👋Preface
  • 🧙Sages
    • @lonelysloth_sec
    • @bobface16
    • @zigtur
    • @J4X_Security
    • @0xEV_om
    • @cergyk
    • @akshaysrivastv
    • @kankodu
    • @gjaldon
    • @riproprip
    • @pkqs90
    • @DadeKuma
    • @EgisSec
    • @BowTiedDravee
    • @Draiakoo
    • @windhustler
    • @santipu_
    • @winnie
    • @Guhu95
    • @_blockian
    • @neumoXX
    • @Alex the Entreprenerd
    • @bahurum
    • @__nnez
    • @0xadrii
    • @deliriusz_eth
    • @el_hajin
    • @rootedrescue
    • @merkle_bonsai
    • @n4nika_
    • @Trungore
    • @m4rio_eth
    • @iamdirky
    • @Czar102
    • @csanuragjain
    • @0xFrankCastle
    • @Al_Qa_qa
    • @Haxatron1
    • @0xMinhT
    • @0xT1MOH
    • @Said
    • @0xSorryNotSorry
    • @NonseOdion
    • @0xArzzz
    • @abarbatei
    • @tpiliposian
    • @0xjuaan
    • @MrPotatoMagic
    • @krikoeth
    • @zzykxx
    • @bauchibred
    • @00xSEV
    • @0xCiphky
    • @peak_bolt
    • @pks_
    • @Stalin_eth
    • @0xb0g0
  • 🧱THE WALL
    • 📖WALL OF WISDOM
Powered by GitBook
  1. Sages

@Czar102

Previous@iamdirkyNext@csanuragjain

Last updated 4 months ago

| Security Researcher | prev. Head of Judging at Sherlock

Words of Wisdom

🧙
@_Czar102
"Blueprints" founder
Page cover image
Cover

"Think in properties"

Whenever you see any behavior in code, try to think what properties it is trying to enforce and what properties you'd imagine the code should have that it would break. For example, think in invariants: what should always be true about the contract?

Cover

"Ask yourself what's missing"

Checking that some code does what it should is usually relatively easy. It's easy to notice what's wrong, but it's difficult to notice what's missing. Always consider whether any other action should be executed or a check done.

Cover

"Audit restrictions"

In some reviews you'll do, you will find a lot of bugs and your client's fixes will be so huge, that it will require you to do a multiple of the work of the audit. Make sure you set the timeline for receiving fixes and that there is an upper limitation on how large the fix diff is. If any requirement is not fulfilled, the review requires a renegotiation. But don't be too strict about it.

Cover

"A-, Arch-, Architecture!"

Architecture is the most important thing about the codebase. If the developers thought about it enough, the codebase would be minimal. There will be few places to introduce bugs. If the contracts are large, it usually means that the architecture wasn't well done and it can pay off to look from the higher level: what is wrong with the current design?