AuditOne Blog
Auditing A Solidity Contract: Episode 7 - Documentation and Reporting

Smart contracts can be complex, but clear documentation provides transparency. Keeping detailed records can simplify the auditing processes, eliminating guesswork in determining function and functionality. Today, we’ll focus on documentation and reporting for smart contracts. This is a great place to start if you want to learn about Solidity and how to audit smart contracts. This is one article in a series on auditing Solidity smart contracts. The series will cover vulnerabilities and resources that smart contract auditors use.

Documentation And Comments

Documentation and comments focus on increasing the auditors' understanding of the codebase. Clear explanations of functionality form the foundation of effective documentation. Prior to the audit, it's important to provide thorough descriptions of the purpose and behavior of each significant component within the contract.  

In cases where the logic or algorithms implemented in the contract are complex, detailed comments are required. These comments should break down the logic step by step, making it easier for auditors to follow the code's execution flow. Additionally, they can highlight any potential edge cases or considerations that influenced the design choices.

Consistency in documentation style is key to readability and comprehension. Adopting a standardized format for comments, such as using NatSpec or other markup languages, enhances consistency and facilitates automated documentation generation and static analysis. 

Updating documentation alongside code changes ensures its relevance and accuracy. Reviewing and revising the corresponding documentation and comments is essential as the contract evolves through updates or bug fixes. This practice ensures that the documentation accurately reflects the current state of the contract, preventing confusion.

What Is An Audit Report?

Upon completion of a smart contract audit, the auditors generate a report that outlines the audit scope and findings. The report also includes assessing the severity levels and specific recommendations for improvement. The result is a comprehensive report that contains actionable information.

Audit Reports

There are two audit reports involved in smart contract audits:

  • Initial Audit Report: Upon finalizing the audit, auditors create an initial report. This report provides a brief overview of identified code vulnerabilities and additional concerns and recommendations on how the project's development team can rectify them. It serves as a guide for rectifying the identified issues and ensuring the smart contract is thoroughly prepared for deployment.
  • Publication Of Final Audit Report: This involves releasing a comprehensive final audit report. This report offers in-depth insights into all discoveries, classifying each problem as addressed or unresolved. It's generally shared with the project's development team and made accessible to the public. This promotes transparency and enables users and stakeholders to make well-informed decisions regarding the protocol's security and dependability.

How To Write A Good Audit Report

Introduction: This section sets the stage for the audit report. Introduce the auditing team, including their credentials and expertise. Emphasize the importance of the audit process and its role in enhancing the security of smart contracts. Clearly state the purpose of the audit and the methodologies employed in the analysis.

Project Description: Provide a comprehensive overview of the project being audited. Detail the audit methodology, outlining the techniques and tools used during the evaluation. Specify the type of smart contracts that were audited, the programming language they are written in, and their ecosystem. Include information such as the project repository link, GitHub commit hash, documentation sources, unit testing details, project website, and audit submission and completion dates. 

Contracts In Scope: Define the scope of the audit by listing the smart contracts that were audited. 

Executive Summary: Write a concise summary of the audit process, including details about the evaluation criteria, audit dates, and the auditors involved. Provides an overview of the vulnerabilities discovered, categorizing them based on severity levels. Highlight the number of issues found, resolved, and acknowledged during the audit.

Severity Definitions: Define the severity levels used in the report and explain clearly what each level signifies, making it easier for readers to comprehend the implications of identified vulnerabilities.

Audit Overview: This section should include a security score that captures the overall security posture of the smart contracts. Evaluate the code and documentation quality, summarizing the strengths and weaknesses observed during the analysis. It should also provide a high-level view of the security status, serving as a quick reference point for the readers.

Audit Findings: Dive deep into the vulnerabilities and issues identified during the audit. Provide a detailed account of each vulnerability, explaining its nature, potential impact, and the steps required to reproduce it. Categorize the vulnerabilities based on severity levels, emphasizing critical issues requiring immediate attention. Use code snippets and examples to illustrate the vulnerabilities, enhancing the clarity of your explanations.

Recommendations: For each identified vulnerability, offer clear and actionable recommendations for resolution or mitigation. Detail the steps that developers should take to address the issues effectively. Provide code snippets, if applicable, and best practices that can be employed to improve the security of the smart contracts. Ensure the recommendations are practical, feasible, and tailored to the project's context.

Disclaimer: In this section, include a disclaimer outlining the limitations of the audit and the scope of the auditing team's responsibilities. While the audit aims to enhance security, it cannot guarantee absolute immunity from all potential threats. Highlight the collaborative nature of security, emphasizing the importance of continuous vigilance and proactive measures from the development team.

In Conclusion 

Effective documentation, comments, and reporting are essential for smart contracts. They help developers understand and verify contract functions, facilitate auditing and debugging, and allow stakeholders to monitor performance, fostering trust and accountability in the blockchain ecosystem. This is why smart contract audits, bug bounties, and reviews are crucial in every stage of development. They increase the number of eyes scouting for vulnerabilities and decrease the chance of critical vulnerabilities slipping through.

Stay safe. 

Join AuditOne as an Auditor: https://www.auditone.io/auditors

Book A Smart Contract Audit: https://calendar.app.google/cgZHGcPmpFP1mPZ18

Related Articles:

Auditing A Solidity Contract: Episode 1 - Re-entrancy Attack

Auditing A Solidity Contract: Episode 2 - Delegatecall

Auditing A Solidity Contract: Episode 3 - Security Analysis

Auditing A Solidity Contract: Episode 4 - Testing

Auditing A Solidity Contract: Episode 5 - Automated Testing Tools

Auditing A Solidity Contract: Episode 6 - Frontrunning

Auditing A Solidity Contract: Episode 8 - Benefits of Auditing

In this article
Author
Gracious Igwe
Smart Contract Triager
Share this with your community!
xtelegramlinkedin
Recent Blogs

Looking for more of engaging content?

Explore our community