How to audit a Smart Contract for Weakness and Vulnerabilities

The following is the list of 37 known smart contract weaknesses, each of which is registered under the Smart Contract Weakness Classification (SWC) with a specific code. Blockchain cybersecurity specialists use them to audit a smart contract before it goes to production. The applicability and priority of the items in this list vary from one platform to another. For instance, Ethereum or another public blockchain application is more exposed than a private platform like Hyperledger.

  ID => Title
  1. SWC-136 => Unencrypted Private Data On-Chain
  2. SWC-135 => Code With No Effects
  3. SWC-134 => Message call with hardcoded gas amount
  4. SWC-133 => Hash Collisions With Multiple Variable Length Arguments
  5. SWC-132 => Unexpected Ether balance
  6. SWC-131 => Presence of unused variables
  7. SWC-130 => Right-To-Left-Override control character (U+202E)
  8. SWC-129 => Typographical Error
  9. SWC-128 => DoS With Block Gas Limit
  10. SWC-127 => Arbitrary Jump with Function Type Variable
  11. SWC-126 => Insufficient Gas Griefing
  12. SWC-125 => Incorrect Inheritance Order
  13. SWC-124 => Write to Arbitrary Storage Location
  14. SWC-123 => Requirement Violation
  15. SWC-122 => Lack of Proper Signature Verification
  16. SWC-121 => Missing Protection against Signature Replay Attacks
  17. SWC-120 => Weak Sources of Randomness from Chain Attributes
  18. SWC-119 => Shadowing State Variables
  19. SWC-118 => Incorrect Constructor Name
  20. SWC-117 => Signature Malleability
  21. SWC-116 => Block values as a proxy for time
  22. SWC-115 => Authorization through tx.origin
  23. SWC-114 => Transaction Order Dependence
  24. SWC-113 => DoS with Failed Call
  25. SWC-112 => Delegatecall to Untrusted Callee
  26. SWC-111 => Use of Deprecated Solidity Functions
  27. SWC-110 => Assert Violation
  28. SWC-109 => Uninitialized Storage Pointer
  29. SWC-108 => State Variable Default Visibility
  30. SWC-107 => Reentrancy
  31. SWC-106 => Unprotected SELFDESTRUCT Instruction
  32. SWC-105 => Unprotected Ether Withdrawal
  33. SWC-104 => Unchecked Call Return Value
  34. SWC-103 => Floating Pragma
  35. SWC-102 => Outdated Compiler Version
  36. SWC-101 => Integer Overflow and Underflow
  37. SWC-100 => Function Default Visibility


Once a smart contract has been checked against the 37 items above, it must go through a Known Vulnerability Analysis test, in which a line-by-line code review is performed against a checklist of known vulnerabilities, including but not limited to:

  • Reentrancy
  • Variable Shadowing
  • Storage Pointer Exploits
  • Over- and Underflows
  • Potential Denial of Service Attacks
  • Block Gas Limit Issues
  • Timestamp Dependencies
  • Insecure Random Number Generation
  • Incorrect Cryptographic Signature Validation
  • Transaction Ordering Assumptions

If you need help implementing the above checklist effectively, contact us and we will be in touch with you shortly.


How we can help

We are a team of specialized blockchain architects and developers with several blockchain implementation projects for government and large companies behind us. Along with that experience, our team members have authored and published numerous books on blockchain as well as books on several of the more widely adopted blockchain platforms.

At Hash Flow, we have rigorously audited and refined several critical smart contracts for production at enterprise level. From security tokens to supply chain smart contracts, we have helped businesses of all sizes deploy reliable, scalable and secure blockchain applications.