
Auditing reference

What exactly is a Smart Contract audit?

A Smart Contract audit is the process of carefully investigating a piece of code, in this case a Solidity contract, to find bugs, vulnerabilities and risks before the code is deployed and used on the main Ethereum network, where it won't be modifiable. It's just for discussion purposes.

Be aware of the features of the blockchain and the limits of the EVM

Solidity Code

Write simple, modular code and order the code in each function: conditions, actions, interactions


  • Use the latest pragma version


  • Consider variable size (e.g. uint8, uint16, ..., uint256)
  • Consider that Solidity automatically creates getter functions for state variables
  • Delete unused variables
  • Delete variables that hold the same information
  • If you can infer a variable's value from another variable, delete that variable
  • Do not use unnecessary temp variables
  • Use a constant instead of a magic number
  • A constant of the same name must not have a different value in another contract
  • If an integer value is only used to represent true / false, use bool
  • If the values of several state variables must maintain a relationship, consider implementing a mechanism to assert the integrity of the invariants
  • Consider the difference between string and byte


  • Validate the parameters
  • Merge multiple functions that share the same logic into one function.
  • Delete unused functions
  • If the return value is not used, remove the return parameter.
  • Use view if the function doesn't change state.
  • Use pure if the function doesn't even read state.
  • If you expect that the function will only ever be called externally, use external


  • If the modifier is used only once, it is confusing rather than useful
  • Consider whether logic such as the modifier's logic is in the function
  • Consider using modifiers when using common logic in multiple functions

control statements

  • for loop
    • Consider reviewing all for-loops and ensure that array maximum lengths are checked on iteration.
    • Consider the situation where the loop runs out of gas.
    • Make sure that the increment variable does not overflow.
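
The three for-loop checks above, put together in one contract as an added example (not code from the original page). The contract PayoutList, its function names and the limits 500 and 50 are hypothetical, and Solidity 0.8 or later is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; all names and limits here are hypothetical.
contract PayoutList {
    uint256 public constant MAX_RECIPIENTS = 500; // hard cap on array growth
    uint256 public constant MAX_BATCH = 50;       // max loop iterations per call

    address public immutable owner = msg.sender;
    address[] public recipients;
    mapping(address => uint256) public credit; // bookkeeping only; withdrawal omitted
    uint256 public nextIndex;                  // first recipient not yet credited

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Risky form, kept as a comment for comparison:
    //   for (uint8 i = 0; i < recipients.length; i++) { ... }
    // With more than 255 entries the uint8 counter can never reach the length:
    // before Solidity 0.8 it wraps and the loop runs until gas is exhausted,
    // from 0.8 on the increment reverts. Either way the function stops working.

    function addRecipient(address who) external onlyOwner {
        require(who != address(0), "zero address");
        require(recipients.length < MAX_RECIPIENTS, "list full"); // length checked on growth
        recipients.push(who);
    }

    // Credits `amountEach` wei to at most `count` recipients, resuming where
    // the previous call stopped, so the gas needed per call stays bounded.
    function creditBatch(uint256 count, uint256 amountEach) external onlyOwner {
        require(count > 0 && count <= MAX_BATCH, "bad batch size");
        uint256 end = nextIndex + count;
        if (end > recipients.length) {
            end = recipients.length;
        }
        // uint256 counter: same width as recipients.length, so it cannot overflow first
        for (uint256 i = nextIndex; i < end; i++) {
            credit[recipients[i]] += amountEach;
        }
        nextIndex = end;
    }
}
```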


  • Naming with clear meaning
  • It is recommended that the name of the event and the name of the function be different.


  • Consider using scientific notation to declare numeric constants to avoid typos

for ERC20

for crowdsale

  • Implement a claimTokens function so that ERC20 tokens sent inadvertently can be recovered.

Attack scenario


Events | Date | Loss
Roulette randomness private seed | August 11, 2015 | No loss
King of the Ether unchecked return value | February 6, 2016 off-chain February 26, 2016 | 120 ETH
FirePonzi mixup underscore variables | April 11, 2016 | 0.1 ETH
Rubixi mixup constructor | April 11, 2016 |
TheRun randomness timestamp | April 12, 2016 |
Rock paper scissors private randomness | April 21, 2016 |
Governmental dos self-dos | April 26, 2016 April 26, 2016 |
Geth off-chain | May 16, 2016 | 7,218 ETH
Maker DAO reentrancy | June 17, 2016 | No loss
DAO reentrancy | June 17, 2016 | 615,391 ETH
HackerGold mixup | January 4, 2017 | No loss
Poloniex - Short Addresses off-chain short address | April 6, 2017 | No loss
Bithumb off-chain | June 29, 2017 |
Classic Ether Wallet off-chain | June 29, 2017 |
Augur Rep Token serpent | July 13, 2017 | No loss
CoinDash off-chain | July 17, 2017 |
Parity multi-sig bug 1 re-init delegatecall bad library | July 19, 2017 | 150,000 ETH
SmartBillions randomness blockhash | October 5, 2017 | 400 ETH
Bancor front-running | October 10, 2017 | No loss
Parity multi-sig bug 2 delegatecall | November 6, 2017 | 513,774 ETH and tokens stuck
Batch and proxy Overflow integer overflow | April 22, 2018 | Large loss in tokens
MyEtherWallet Domain-Hijacking off-chain bgp | April 24, 2018 | 525 ETH

Write tests

