Walk-through: A Journey With Us to Secure Your dApp
Hi there! Welcome onboard with QuillAudits. We are glad you chose us; let's buckle up and begin.
QuillAudits provides pen-testing services to enhance the security of your blockchain project. We also offer advanced smart contract audits for Ethereum, BSC, Tron, Matic (Polygon), Polkadot and Solana, Blockchain Protocol Security, dApp audits, and formal verification to ensure your platform's integrity.
Connecting with you - By this time, you should have been added to a closed group with the Pentesting Team. Through this dedicated channel you will be connected with the Project Manager and the Pentesters for the duration of the process, for collaboration and instant resolution. At any point, if you have a query or need to discuss anything - we are just a message away!
It's great to know that you are concerned about the security of your platform and want to ensure the utmost security of your users' funds and data. As the pie chart below shows, the majority of hacks happen due to vulnerabilities in the platform (23.66%) or in smart contracts (44.20%). So, before a platform reaches the full-fledged production stage, it should have undergone a security audit and dApp pen testing, and be safe enough for users to keep their money on it.
Types of Vulnerabilities covered during the Vulnerability Assessment & Pentesting Process:
We ensure your pentest goes through all the stages, from manual code review to automated testing, before we generate the Initial Audit Report. Once your team updates the in-scope domain & repository, we scrutinize the changes thoroughly and provide you with the Final Audit Report. Let's dive deep into it and explore more.
a) External testing (Black Box)
External penetration tests target the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access to and extract valuable data.
b) Internal testing (Grey Box)
In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn’t necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.
In this step, we first gather documentation from your team, such as the whitepaper, logic flow diagram, and audit scope. We also gather information on the target using a variety of techniques; the most common methods are Reconnaissance, Enumeration, and OSINT. The information gathered can be used for many purposes, such as building an attack tree or digging deeper for additional information.
Aims of this step:
The next step is to understand how the target application will respond to various intrusion attempts. This is typically done using:
• Static analysis – Inspecting an application's code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
• Dynamic analysis – Inspecting an application's code in a running state. This is a more practical way of scanning, as it provides a real-time view of an application's performance.
Aims of this step:
In this step, the pentester should understand the overall business logic. Typically, a pentester should understand the various other components and how each code snippet functions within the business, and then map the logic, business, and data flow of the application. After that, the pentester tests for broken or non-existent validation of user-supplied data, which might allow users to make arbitrary changes to application-critical values or submit nonsensical input. By passing unexpected values into server-side logic, a pentester can potentially induce the application to do something it isn't supposed to.
In this step, the objective is to use any weaknesses or security loopholes found in the Discovery stage. This is frequently done manually to get rid of false positives. The exploitation phase also involves the exfiltration of data from the target and looking at persistence.
This step includes:
In the end, we would provide you with a comprehensive report, which we call the Initial Audit Report (IAR):
<aside> 🦋 How you can help - You have to prepare an 'Updation Summary' or 'Comment Report' carrying details of the changes you've made after getting the IAR; this would help us identify the changes and test them rigorously.
</aside>
Note - Please acknowledge that once the In-Scope details are fixed, we start the Pentest Process. If you make any changes to the code in between, we will be able to check the updated code only after delivering the Initial Audit Report. We cannot abort the process midway and start working on the updated code.
After initial audit fixes, the process is repeated, and the Final Audit Report is delivered. There is a possibility that even after the fixes you've made, some issues are still not resolved, and/or those changes have led to a few more issues.
So, after receiving the Final Audit Report, you have to take a call (based on the severity table listing the unresolved issues) on whether to alter the code again or to move forward as it is. The report details each issue and includes analysis mapping out the steps to mitigate the vulnerability.
This phase includes: