Banshie is an independent Danish cyber security company specialized in helping companies protect themselves by testing and breaking their security, detecting breaches, and responding to incidents. Banshie's experienced staff has been working in cyber security for more than ten years. Professional smart-contract auditing for Ethereum and Solana has been part of Banshie's services since the beginning of 2021 saving clients from losses worth hundreds of millions of USD.
Smart contract audit process
The first step is to give us access to the version of the code to be audited.
For all software programs it is important that the developers can describe exactly what they have implemented, how, and why. If the purpose of the code is not defined, it is impossible to judge whether the program's behavior is intended or unintended. As most developers find writing of documentation rather boring, we know that many projects lack high quality documentation. To get around this, a presentation is sufficient and will allow the developers to show their code and explain its purpose. This initial step will save the auditor a lot of time trying to figure out the purpose of the code by himself.
As an initial step of the audit basic automated tools for static and dynamic analyses are used to identify any common defects in the code. This also includes execution of provided tests and their coverage. This step is purely to make sure that the code is mature enough for auditing. If needed feedback will include recommendations for automating analyses as part of the continuous integration pipeline.
The functionality of the smart-contract is searched manually for known vulnerabilities. This includes simple cases such as missing authorization checks and re-entrancy, design flaws such as introducing of race conditions, and more advanced attack chains.
The auditor's insight in the code may lead to further investigation of the smart-contract's real-time behaviour. Dynamic analysis tools and manual exploits can be used to demonstrate a vulnerability where in doubt. Exploits are always implemented and executed locally to avoid breaking a production system or exposing vulnerabilities in the open for malicious hackers to abuse.
At the end of the audit a report containing details on all findings and recommendations is delivered.
When the report has been delivered and the findings have been fixed by the developers, we offer to verify that the implemented fixes are sufficient.
During the audit progress, feedback, and questions are communicated directly to the developers. This will allow the developers to fix high and critical vulnerabilities as soon as they are discovered instead of waiting for the final report to appear.