Methodology
As part of the ongoing audit contests, the solo auditors community utilizes the widest set of techniques to search for and detect potential vulnerabilities. This diversification, coupled with the unique mindset of each auditor, provides maximum coverage.
However, if we aggregate the most commonly applied auditing techniques, they can be summarized as follows:
General Code Assessment
The code is reviewed for clarity, consistency, style, and whether it follows the best practices applicable to the particular programming language used, covering issues such as indentation, naming conventions, commented code blocks, code duplication, confusing names, irrelevant or missing comments, etc. This part is aimed at understanding the overall code structure and protocol architecture. It also seeks to establish the overall system architecture and business logic and how different parts of the code relate to each other.
Code Logic Analysis
The code logic of particular functions is analyzed for correctness and efficiency. The code is checked to confirm that it does what it is intended to do, that the algorithms are optimal and valid, and that the correct data types are used. The external libraries are checked for relevance and for whether they correspond to the tasks they solve in the code. This part is needed to understand the data structures used and the purposes for which they are used. At this stage, various public checklists are applied in order to ensure that logical flaws are detected.
Entities and Dependencies Usage Analysis
The usages of various entities defined in the code are analyzed. This includes both internal usage from other parts of the code as well as possible dependencies and integration usage. This part aims to understand and spot overall system architecture flaws and bugs in integrations with other protocols.
Access Control Analysis
Access control measures are analyzed for those entities that can be accessed from outside. This part focuses on understanding user roles and permissions, as well as which assets should be protected and how.