
<aside> 💡 StarkNet is a layer-2 scaling solution for Ethereum that aims to improve the scalability, privacy, and usability of Ethereum-based decentralised applications (dApps). It is being developed by StarkWare, a blockchain technology company that specialises in zero-knowledge proof (ZKP) systems.

StarkNet uses a technology known as Validium, which enables dApps to run off-chain while maintaining the security of the Ethereum mainnet. This means that dApps can benefit from the scalability and transaction throughput of off-chain computation while inheriting the Ethereum network's security and trustworthiness. Furthermore, StarkNet supports privacy-preserving computations through ZKPs, allowing dApps to protect sensitive user data while still providing a transparent and auditable system.

StarkNet provides Cairo, a low-level programming language for writing StarkNet-specific code, as its development kit. Cairo is optimised for zero-knowledge proofs (ZKPs) and is intended to provide a high level of flexibility and efficiency for building complex StarkNet applications.

</aside>

Why Do Cairo Smart Contracts Need a Security Audit?

<aside> 💡 Smart contracts, like any other software application, are vulnerable to a variety of security issues that can jeopardise their security, reliability, and performance.

Conducting a thorough security audit is one of the most important steps in developing secure and reliable smart contracts. Security audits are critical for identifying and mitigating potential vulnerabilities and ensuring that smart contracts written in Cairo for StarkNet function as intended.

</aside>

Some of the most common vulnerabilities that can affect Cairo smart contracts:

<aside> ⚠️ Cairo Smart Contract Vulnerabilities:

  1. Reentrancy attacks: an attacker repeatedly invokes a function in the contract before the previous invocation has completed, exploiting state that has not yet been updated and causing unexpected behaviour or the loss of funds.
  2. Front-running attacks: an attacker exploits the delay between a transaction being submitted and being executed by submitting a similar transaction with a higher fee, resulting in a loss of profits or funds for the victim.
  3. Time manipulation: an attacker manipulates the timestamp a smart contract relies on so that a function executes at an unintended time, leading to a loss of funds or other unintended consequences.
  4. Malicious libraries: the smart contract uses external libraries that are vulnerable or malicious, potentially leading to a loss of control over the contract or its funds.
  5. Logic errors: bugs in the code that allow attackers to exploit unexpected smart contract behaviour. For example, an error in a conditional statement could allow an attacker to circumvent certain checks and balances.
  6. Integer overflows and underflows: an arithmetic operation produces a value outside the range the integer type can represent. Attackers can use these flaws to manipulate the state of the smart contract.
  7. Input validation issues: the smart contract fails to validate user input properly. Attackers can use these flaws to supply malicious input, jeopardising the smart contract's security.
  8. Insufficient access controls: the smart contract fails to properly restrict access to specific functions or data. Attackers can use these flaws to gain unauthorised access to the smart contract.

To mitigate these vulnerabilities, performing a thorough security audit on Cairo-written smart contracts before deploying them to production is critical.

</aside>
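The reentrancy, integer overflow, input-validation and access-control items above, shown together in one hypothetical Starknet vault contract. This is an added example, not QuillAudits' code or code from any audited project. It assumes Cairo 2.7 or later (the `starknet::storage::Map` API with explicit access traits); the `Vault` contract, its storage layout and the minimal `IERC20` interface are all constructed for illustration. The point the example makes about arithmetic is Cairo-specific: `u256` (and the other sized integer types) panic on overflow, whereas `felt252` arithmetic silently wraps modulo the field prime, so balances and amounts belong in sized integer types.

```cairo
use starknet::ContractAddress;

// Public interface of the hypothetical vault (added example, not a real project).
#[starknet::interface]
pub trait IVault<TContractState> {
    fn deposit(ref self: TContractState, amount: u256);
    fn withdraw(ref self: TContractState);
    fn set_fee_bps(ref self: TContractState, new_fee_bps: u256);
    fn balance_of(self: @TContractState, account: ContractAddress) -> u256;
}

// Minimal stand-in for the token the vault holds (assumption: a standard ERC20 ABI).
#[starknet::interface]
pub trait IERC20<TContractState> {
    fn transfer(ref self: TContractState, recipient: ContractAddress, amount: u256) -> bool;
    fn transfer_from(
        ref self: TContractState, sender: ContractAddress, recipient: ContractAddress, amount: u256,
    ) -> bool;
}

#[starknet::contract]
mod Vault {
    use starknet::{ContractAddress, get_caller_address, get_contract_address};
    use starknet::storage::{
        Map, StorageMapReadAccess, StorageMapWriteAccess, StoragePointerReadAccess,
        StoragePointerWriteAccess,
    };
    use super::{IERC20Dispatcher, IERC20DispatcherTrait};

    #[storage]
    struct Storage {
        owner: ContractAddress,
        token: ContractAddress,
        fee_bps: u256,
        // u256 rather than felt252: arithmetic on u256 panics instead of wrapping.
        balances: Map<ContractAddress, u256>,
        // Reentrancy lock; defaults to false.
        locked: bool,
    }

    #[constructor]
    fn constructor(ref self: ContractState, owner: ContractAddress, token: ContractAddress) {
        self.owner.write(owner);
        self.token.write(token);
    }

    #[abi(embed_v0)]
    impl VaultImpl of super::IVault<ContractState> {
        fn deposit(ref self: ContractState, amount: u256) {
            // Input validation: reject a zero deposit up front.
            assert(amount > 0, 'amount must be positive');
            let caller = get_caller_address();
            let token = IERC20Dispatcher { contract_address: self.token.read() };
            let ok = token.transfer_from(caller, get_contract_address(), amount);
            assert(ok, 'transfer_from failed');
            // u256 addition panics on overflow, so a balance can never wrap to a small value.
            self.balances.write(caller, self.balances.read(caller) + amount);
        }

        fn withdraw(ref self: ContractState) {
            // Reentrancy guard: a nested call into withdraw() aborts the whole transaction.
            assert(!self.locked.read(), 'reentrant call');
            self.locked.write(true);

            let caller = get_caller_address();
            let amount = self.balances.read(caller);
            assert(amount > 0, 'nothing to withdraw');

            // Checks-effects-interactions: zero the balance BEFORE the external call,
            // so even a callee that re-enters sees nothing left to withdraw.
            self.balances.write(caller, 0);

            let token = IERC20Dispatcher { contract_address: self.token.read() };
            let ok = token.transfer(caller, amount);
            assert(ok, 'transfer failed');

            self.locked.write(false);
        }

        fn set_fee_bps(ref self: ContractState, new_fee_bps: u256) {
            // Access control: only the owner may change a privileged parameter.
            assert(get_caller_address() == self.owner.read(), 'caller is not owner');
            // Input validation: bound the parameter to a meaningful range (100% = 10000 bps).
            assert(new_fee_bps <= 10000, 'fee exceeds 100%');
            self.fee_bps.write(new_fee_bps);
        }

        fn balance_of(self: @ContractState, account: ContractAddress) -> u256 {
            self.balances.read(account)
        }
    }
}
```

Two design notes. The lock cannot get stuck: if `transfer` panics, the whole transaction reverts, including the `locked = true` write, so there is no need for a separate unlock path. The effects-before-interaction ordering is the primary defence and the lock is belt and braces; in production code the hand-rolled lock would normally be replaced by a reviewed component such as OpenZeppelin's `ReentrancyGuardComponent` for Cairo.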

Cairo Smart Contract Audit Process

Things We Cover in the Audit Process:

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before we generate the Initial Audit Report. Once your team updates the code, we scrutinise the smart contract again to provide you with the Final Audit Report. Let's dive deep into it and explore more.


Step 1 - Specification Gathering / Prepare For a Security Audit

<aside> ✅ The first step is to gather all the necessary information and prepare for a security audit. This stage is crucial for the success of the audit, and here is how you can prepare for it:

</aside>

Step 2 - Manual Review

<aside> 💻 Manual review is a critical step that involves looking for undefined or unexpected behaviour and a wide variety of security vulnerabilities. The following aims are considered during the manual review:

</aside>

Step 3 - Testing over the Latest Attack Vectors

<aside> ⚙ QuillAudits researches newly discovered attacks and tries to replicate them to ensure the project is safe from those attacks. Attack vectors could include:

</aside>

Step 4 - Functional Testing

<aside> 🛠 In this step, the smart contract is manually deployed in a sandbox environment, and its functions are tested with multiple parameters and under multiple conditions.

This phase is intended to verify the intended behaviour of the smart contract and to ensure that its functions do not consume unnecessary gas. Gas limits of functions are verified in this stage.

</aside>

Step 5 - Automated Tool Testing

<aside> ⚒️ Tools We Use

</aside>

Step 6 - Initial Audit Report

<aside> 📖 QuillAudits provides the project team with a comprehensive report called the Initial Audit Report (IAR). The report contains details of the audit and recommendations for any vulnerabilities found in the smart contract.

The development team is expected to resolve the identified bugs and make suitable changes to the code. If necessary, QuillAudits will work with development partners to fix the issues.

</aside>

<aside> 🦋 How can you help? After receiving the IAR, prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you have made; this helps us identify the changes and test them rigorously.

</aside>

Step 7 - Final Audit Report

<aside> 🔥 After the initial audit fixes, the process is repeated and the Final Audit Report is delivered. It records whether any issues remain unresolved after your fixes and whether those changes have introduced any new issues.

</aside>

Step 8 - Quill Vigilant Squad

Following the completion of the second audit review, the fixed codebase, along with the comprehensive audit report, is formally delivered to our dedicated Vigilant Squad. This team is made up of experienced security researchers with expertise in identifying and analysing vulnerabilities within complex systems. The Vigilant Squad undertakes a meticulous, in-depth review of both the codebase and the accompanying report, dedicating their full time and resources to proactively searching for any remaining security issue, however subtle. If the Vigilant Squad discovers a vulnerability, security flaw, or other issue, we are notified immediately so that swift action can be taken to mitigate the risk.

Step 9 - Delivery

<aside> ✅ After getting a green light from the previous step, we send the report to our designers, who produce a PDF version of the Audit Report that presents the findings clearly.

</aside>

Step 10 - Post-Audit

After the Final Audit Report, we take your project in front of the masses through:

Social Media Announcements

LinkedIn, X (Twitter), Telegram, Reddit, Medium