Sales

Miscellaneous

Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.

About us

QuillAudits is a leading name in Web3 security, offering top-notch solutions to safeguard projects across DeFi, GameFi, NFT gaming, and all blockchain layers. With Seven years of expertise, we've secured over 1400+ projects globally, averting over $30 billion in losses. Our specialists rigorously audit smart contracts and ensure DApp safety on major platforms like Ethereum, BSC, Arbitrum, Algorand, Tron, Polygon, Polkadot, Fantom, NEAR, Solana, and others, guaranteeing your project's security with cutting-edge practices.

<aside> 💭 Connecting with you - By this time, you must have been added to a closed group with the Auditing Team. You would be connected with the Project Manager and the Auditors through this dedicated channel during the process for collaboration and instant resolution. At any point, if you face any query or find a need to discuss anything - we are just a message away!

</aside>

Multi-Layer Audit Process

Things We Cover in Audit Process :

Business Logics Review
Functionality Checks
Access Control & Authorization
Signer authorization
Account data matching
Sysvar address checking
Owner checks
Type cosplay
Initialization
Arbitrary cpi
Duplicate mutable accounts
Bump seed canonicalization
PDA Sharing
Incorrect closing accounts
Missing rent exemption checks
Arithmetic overflows/underflows
Numerical precision errors
Solana account confusions
Casting truncation
Insufficient SPL token account verification
Signed invocation of unverified programs

We ensure your smart contract goes through all the stages, from manual code review to automated testing, before generating the Initial Audit Report. Once your team updates the code, we do a thorough scrutiny of the smart contract to provide you with the Final Audit Report. Lets's dive deep into it and explore more.

image (2).png

Step 1 - Specification Gathering / Prepare For a Security Audit

This is the most crucial stage because the detail is key for a successful smart contract Security audit. Here is how you can prepare for it:

Code quality • Remove dead code and comments • Consistent coding style. • Follow the Rust (Solana) style guide.

Use comments to document complex parts of the code but also make sure these are. consistent with the code

Test the code • Make sure the contracts can be compiled and fully tested. • Perform high coverage and high-quality unit tests.

This will maximize focus on the difficult parts of the code. Auditing should not be discovered that some functions are uncallable, or do not do what they are expected to do under entirely straightforward inputs. Optimal auditing should focus on unexpected, corner-case, possibly adversarial behavior.

Code freeze • Freeze the code and specify the commit hash. Or, deploy the code on testnet and share the link.

After freezing the code, we will gather the specifications from you to know the intended behavior of the smart contract through the 'Smart Contract Specification' document.

<aside> 🦋 How you can help - Please ask your developers to fill the specification doc - It would help us to understand & verify the business logic, and facilitate confirming everything thoroughly.

</aside>

Step 2 - Manual Code Review

Here we would look for undefined, unexpected behavior and common security vulnerabilities. The goal is to get to as many skilled eyes on contract code as possible. Aims of manual review:

Focus on issues regarding security, attacks, mathematical errors, logical issues, etc.
Check the code for any vulnerabilities that can be exploited.
Verify that every detail in the specification is implemented in the smart contract.
Verify that the contract does not have any behavior that is not specified in specifications.
Verify that the contract does not violate the original intended behavior of specifications.
The smart contract will be manually deployed locally in a local cluster.
All the transaction hashes will be recorded.
Accessibility of the accounts’ data in a secure manner by the programs.
Determining the user-controlled parameters where arbitrary data could be passed.

Step 3 - Functionality Testing

Smart contract functions will be unit tested on multiple parameters and under multiple conditions to ensure that all paths of functions are functioning as intended.
In this phase, the intended behavior of the smart contract is verified.
In this phase, the total accounts(data) needed for a program are verified and tested.
We also verify the data in accounts that will be fetched by the Solana programs.
Tests are conducted in either Typescript or JavaScript to make sure that bugs related to syntax misunderstandings are coverable with tests and not just replicated in tests.

Step 4 - Testing over Latest Attack Vectors

Team researches over newly discovered attacks(like market manipulation, LP pricing, front running vectors, and more), and try to replicate them on the project in order to make sure, the project is safe from those attacks
In case, if the current implementation is found to be vulnerable to some of the newly discovered attacks, we provide a recommendation to the developer team so that they can patch the vulnerability in an efficient manner without any (or with some) changes in the code’s logic.
We provide testing on the following attack vectors as well:

Replay Vulnerability
Re-entrancy
Integer Overflow and Underflow Vulnerability
Arithmetic Accuracy Deviation Audit
Arbitrary signed program invocation