AuditOne Blog
Auditing A Solidity Contract: Episode 7 - Documentation and Reporting

Smart contracts can be complex, but clear documentation provides transparency. Keeping detailed records simplifies the auditing process by removing guesswork about what each function is meant to do. Today, we'll focus on documentation and reporting for smart contracts. This is a great place to start if you want to learn about Solidity and how to audit smart contracts. This is one article in a series on auditing Solidity smart contracts. The series covers vulnerabilities and the resources that smart contract auditors use.

Documentation And Comments

Documentation and comments exist to increase the auditors' understanding of the codebase. Clear explanations of functionality form the foundation of effective documentation. Prior to the audit, it's important to provide thorough descriptions of the purpose and behavior of each significant component within the contract.

In cases where the logic or algorithms implemented in the contract are complex, detailed comments are required. These comments should break down the logic step by step, making it easier for auditors to follow the code's execution flow. Additionally, they can highlight any potential edge cases or considerations that influenced the design choices.

Consistency in documentation style is key to readability and comprehension. Adopting a standardized format for comments, such as NatSpec or another markup language, enhances consistency and facilitates automated documentation generation and static analysis.
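As an added example (not code from the article), the NatSpec conventions described above applied to a small ether-vesting contract: every public element carries `@notice`/`@dev`/`@param`/`@return` tags, and the non-obvious arithmetic is broken down step by step with the edge cases that shaped it. The contract, its name and its parameters are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title Linear ether vesting (illustrative contract written for this example)
/// @notice Lets a single beneficiary withdraw ether as it vests linearly over `duration`.
/// @dev Pull-payment pattern: only release() moves funds. Relies on >=0.8 checked arithmetic.
contract LinearVesting {
    /// @notice Address entitled to the vested ether.
    address public immutable beneficiary;
    /// @notice Unix timestamp at which vesting starts.
    uint64 public immutable start;
    /// @notice Vesting length in seconds, measured from `start`.
    uint64 public immutable duration;
    /// @notice Wei already released to `beneficiary`.
    uint256 public released;

    /// @param beneficiary_ Recipient of vested funds; must not be the zero address.
    /// @param start_ Vesting start timestamp (may lie in the future).
    /// @param duration_ Vesting length in seconds; must be non-zero.
    constructor(address beneficiary_, uint64 start_, uint64 duration_) payable {
        require(beneficiary_ != address(0) && duration_ > 0, "bad parameters");
        beneficiary = beneficiary_;
        start = start_;
        duration = duration_;
    }

    /// @notice Total wei vested at `timestamp`, including what was already released.
    /// @dev Step 1: before `start` nothing vests (this also rules out the underflow in step 3).
    ///      Step 2: at or after `start + duration` everything vests.
    ///      Step 3: otherwise vest pro rata on (balance + released), so earlier withdrawals
    ///      do not shrink the base and integer-division dust is paid out at the end.
    /// @param timestamp Point in time to evaluate, normally block.timestamp.
    /// @return Vested amount in wei.
    function vestedAmount(uint64 timestamp) public view returns (uint256) {
        uint256 total = address(this).balance + released;
        if (timestamp < start) return 0;
        if (timestamp >= start + duration) return total;
        return (total * (timestamp - start)) / duration;
    }

    /// @notice Sends all currently releasable ether to `beneficiary`.
    /// @dev Checks-effects-interactions: `released` is updated before the external call,
    ///      so a re-entrant call computes releasable == 0 and reverts.
    function release() external {
        uint256 releasable = vestedAmount(uint64(block.timestamp)) - released;
        require(releasable > 0, "nothing to release");
        released += releasable;
        (bool ok, ) = beneficiary.call{value: releasable}("");
        require(ok, "transfer failed");
    }
}
```

Tools such as `solc --devdoc` and `solc --userdoc` generate the developer and user documentation directly from these tags, which is the automated generation the paragraph above refers to.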

Updating documentation alongside code changes ensures its relevance and accuracy. Reviewing and revising the corresponding documentation and comments is essential as the contract evolves through updates or bug fixes. This practice ensures that the documentation accurately reflects the current state of the contract, preventing confusion.

What Is An Audit Report?

Upon completion of a smart contract audit, the auditors generate a report that outlines the audit scope and findings. The report also includes assessing the severity levels and specific recommendations for improvement. The result is a comprehensive report that contains actionable information.

Audit Reports

There are two audit reports involved in smart contract audits:

  • Initial Audit Report: Upon finalizing the audit, auditors create an initial report. This report provides a brief overview of the identified code vulnerabilities and additional concerns, together with recommendations on how the project's development team can rectify them. It serves as a guide for fixing the identified issues and ensuring the smart contract is thoroughly prepared for deployment.
  • Publication Of Final Audit Report: This involves releasing a comprehensive final audit report. This report offers in-depth insights into all discoveries, classifying each problem as addressed or unresolved. It's generally shared with the project's development team and made accessible to the public. This promotes transparency and enables users and stakeholders to make well-informed decisions regarding the protocol's security and dependability.

How To Write A Good Audit Report

Introduction: This section sets the stage for the audit report. Introduce the auditing team, including their credentials and expertise. Emphasize the importance of the audit process and its role in enhancing the security of smart contracts. Clearly state the purpose of the audit and the methodologies employed in the analysis.

Project Description: Provide a comprehensive overview of the project being audited. Detail the audit methodology, outlining the techniques and tools used during the evaluation. Specify the type of smart contracts that were audited, the programming language they are written in, and their ecosystem. Include information such as the project repository link, GitHub commit hash, documentation sources, unit testing details, project website, and audit submission and completion dates.

Contracts In Scope: Define the scope of the audit by listing the smart contracts that were audited.

Executive Summary: Write a concise summary of the audit process, including details about the evaluation criteria, audit dates, and the auditors involved. Provide an overview of the vulnerabilities discovered, categorizing them based on severity levels. Highlight the number of issues found, resolved, and acknowledged during the audit.

Severity Definitions: Define the severity levels used in the report and explain clearly what each level signifies, making it easier for readers to comprehend the implications of identified vulnerabilities.

Audit Overview: This section should include a security score that captures the overall security posture of the smart contracts. Evaluate the code and documentation quality, summarizing the strengths and weaknesses observed during the analysis. It should also provide a high-level view of the security status, serving as a quick reference point for the readers.

Audit Findings: Dive deep into the vulnerabilities and issues identified during the audit. Provide a detailed account of each vulnerability, explaining its nature, potential impact, and the steps required to reproduce it. Categorize the vulnerabilities based on severity levels, emphasizing critical issues requiring immediate attention. Use code snippets and examples to illustrate the vulnerabilities, enhancing the clarity of your explanations.

Recommendations: For each identified vulnerability, offer clear and actionable recommendations for resolution or mitigation. Detail the steps that developers should take to address the issues effectively. Provide code snippets, if applicable, and best practices that can be employed to improve the security of the smart contracts. Ensure the recommendations are practical, feasible, and tailored to the project's context.

Disclaimer: In this section, include a disclaimer outlining the limitations of the audit and the scope of the auditing team's responsibilities. While the audit aims to enhance security, it cannot guarantee absolute immunity from all potential threats. Highlight the collaborative nature of security, emphasizing the importance of continuous vigilance and proactive measures from the development team.

In Conclusion

Effective documentation, comments, and reporting are essential for smart contracts. They help developers understand and verify contract functions, facilitate auditing and debugging, and allow stakeholders to monitor performance, fostering trust and accountability in the blockchain ecosystem. This is why smart contract audits, bug bounties, and reviews are crucial in every stage of development. They increase the number of eyes scouting for vulnerabilities and decrease the chance of critical vulnerabilities slipping through.

Stay safe.

Related Articles:

  1. Auditing A Solidity Contract: Episode 1 - Re-entrancy Attack
  2. Auditing A Solidity Contract: Episode 2 - Delegatecall
  3. Auditing A Solidity Contract: Episode 3 - Security Analysis
  4. Auditing A Solidity Contract: Episode 4 - Testing
  5. Auditing A Solidity Contract: Episode 5 - Automated Tools
  6. Auditing A Solidity Contract: Episode 6 - Frontrunning
Author
Gracious Igwe
Smart Contract Triager