Sales

Miscellaneous

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.

About us

QuillAudits is a leading web3 cybersecurity firm committed to securing blockchain projects with our cutting-edge web3 security solutions.

We provide smart contracts auditing and DApps pen testing services for web3-based, DeFi, and NFT-based gaming projects.

Polkadot Blockchain

<aside> <img src="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f5756f8c-2192-4af9-b0f7-4c1ca08035fe/images.png" alt="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f5756f8c-2192-4af9-b0f7-4c1ca08035fe/images.png" width="40px" /> Polkadot blockchain protocol is designed to enable interoperability between different blockchain networks. It was created by the Web3 Foundation and is built on Substrate, a blockchain development framework.

Polkadot allows different blockchain networks to communicate with each other through a shared security model, allowing them to exchange information and assets. It also allows developers to create and customize their blockchain networks with specific features and functionalities.

The programming language used to write smart contracts on the Polkadot network supports several languages, including Rust, C++, and Solidity. However, the most widely used language is Rust, which is the primary language used in the development of Substrate and the Polkadot ecosystem. Rust is a safe and efficient systems programming language that enables developers to write secure and performant smart contracts for the Polkadot network.

</aside>

Why Do We Need Polkadot Contract Auditing?

<aside> ⚠️ Polkadot smart contract hacks have an average exploit value of $3 million, emphasizing the need for a Polkadot smart contract audit.

One notable example of a smart contract hack on the Polkadot network was the Apron Network attack, which took place in November 2021. In this attack, a hacker exploited a vulnerability in the smart contract code to steal $50 million worth of cryptocurrencies. The vulnerability was related to how the smart contract handled the distribution of rewards to liquidity providers.

Another example was the recent hack on the Karura network, which is built on the Polkadot ecosystem that allowed a malicious hacker to steal $200 million worth of crypto leveraging the smart contract vulnerabilities lying in the handling of loans and collateral.

These hacks demonstrate the importance of smart contract audits and the need for continuous testing and monitoring of smart contracts to ensure their security and reliability.

</aside>

<aside> 💭 Connecting with you You must have been added to a closed group with the Auditing Team by now. You would be connected with the Project Manager and the Auditors through this dedicated channel during the process for collaboration and instant resolution. At any point, if you face any query or find a need to discuss anything - we are just a message away!

</aside>

Multi-Layer Audit Process

Things We Cover in the Audit Process :

Code Review
Smart Contract Architecture Review
Threat Modeling
Checking for Potential Attack Vectors
Checking Runtime Modules
Business Logic Review
Authorization and Access Control
Cross-Contract Interactions
Upgradability and Governance
Reporting and Documentation

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we thoroughly scrutinise the smart contract to provide you with the Final Audit Report. Let's dive deep into it and explore more.

image (2).png

Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage because the detail is key for a successful smart contract security audit. Here is how you can prepare for it:

Code quality • Remove dead code and comments. • Consistent coding style. • Follow the Rust (Polkadot) style guide.

Use comments to document complex parts of the code and ensure these are consistent with the code.

Test the code • Make sure the contracts can be compiled and thoroughly tested. • Perform high coverage and high-quality unit tests.

This will maximize focus on the difficult parts of the code. Auditing should not discover that some functions are uncallable or do not do what they are expected to do under entirely straightforward inputs. Optimal auditing should focus on unexpected, corner-case, and adversarial behaviour.

Code freeze • Freeze the code and specify the commit hash. Or, deploy the code on testnet and share the link.

After freezing the code, we will gather the specifications from you to know the expected behaviour of the smart contract through the 'Smart Contract Specification' document.

<aside> 🦋 How can you help? Please ask your developers to fill out the specification doc - It would allow us to understand & verify the business logic and facilitate confirming everything thoroughly.

</aside>

Step 2 - Manual Review

Here we would look for undefined, unexpected behaviour and common security vulnerabilities. The goal is to get as many skilled eyes on contract code as possible. Aims of manual review:

Review the smart contract code to ensure it adheres to best coding practices and standards and identify any potential vulnerabilities or bugs in the code.
Conduct a thorough security analysis of the smart contract to identify any potential vulnerabilities or weaknesses that attackers could exploit.
Identifying ways to optimize the smart contract's gas usage to reduce transaction costs and improve efficiency.
Focus on security, attacks, mathematical errors, logical issues, etc.
Check the code for any vulnerabilities that can be exploited.

Step 3 - Functional Testing

Functional testing is essential to the smart contract auditing process, ensuring that the contract functions as intended and meets the specified requirements.

Input Validation: Check whether the contract performs proper input validation to ensure it only accepts valid inputs and rejects invalid or malicious ones.
Contract Behavior: Verify the behaviour of the contract by testing various scenarios and inputs to ensure that it functions as intended and produces the expected outputs.
Function Parameters: Check the function parameters to ensure they match the contract's specifications and requirements and are properly used throughout the code.
State Changes: Verify the state changes within the contract due to various actions or transactions to ensure that they align with the expected outcomes and don't introduce unintended side effects.
Gas Usage: Test the contract's gas usage to ensure it is efficient and optimized to minimize transaction costs and improve performance.

Step 4 - Testing over the Latest Attack Vectors

The substrate is a modular framework for building blockchains, including the Polkadot network. Rust is the primary programming language used to develop Substrate-based blockchains. Substrate-based blockchains are susceptible to security threats and attacks like any other software system.

Reentrancy Attacks
Integer Overflow/Underflow
Access Control Vulnerabilities
Denial of Service (DoS) Attacks
Lack of Input Validation
Malicious Code Injection
Time-Dependent Attacks
Front-running

Step 5 - Testing with Automated Tools

Testing with automated tools is essential to catch those bugs that humans miss. Some of the tools we would use are (based on the requirement/auditor preference, we use specific tools) :

Cargo-audit
RustSec
Rust-Analyzer

Step 6 - Initial Audit Report

In the end, we will provide you with a comprehensive report, which we call the Initial Audit Report (IAR):

<aside> 🦋 How can you help? You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this would allow us to identify the changes and test them rigorously.

</aside>