How to audit a Smart Contract for Weakness and Vulnerabilities

The following is the list of 37 known smart contract weaknesses, each of which is registered under Smart Contract Weakness Classification (or SWC) with a specific code. Blockchain cybersecurity specialists will use them for auditing a blockchain smart contract before it goes to the production.  The application and priority of the following list varies from one platform to another. For instance, Ethereum or a public blockchain application is more vulnerable than a private platform like Hyperledger.

• ID => Title

1. SWC-136 => Unencrypted Private Data On-Chain
2. SWC-135 => Code With No Effects
3. SWC-134 => Message call with hardcoded gas amount
4. SWC-133=> Hash Collisions With Multiple Variable Length Arguments
5. SWC-132=> Unexpected Ether balance
6. SWC-131=> Presence of unused variables
7. SWC-130=> Right-To-Left-Override control character (U+202E)
8. SWC-129=> Typographical Error
9. SWC-128=> DoS With Block Gas Limit
10. SWC-127=> Arbitrary Jump with Function Type Variable
11. SWC-126=> Insufficient Gas Griefing
12. SWC-125=> Incorrect Inheritance Order
13. SWC-124=> Write to Arbitrary Storage Location
14. SWC-123=> Requirement Violation
15. SWC-122=> Lack of Proper Signature Verification
16. SWC-121=> Missing Protection against Signature Replay Attacks
17. SWC-120=> Weak Sources of Randomness from Chain Attributes
18. SWC-119=> Shadowing State Variables
19. SWC-118=> Incorrect Constructor Name
20. SWC-117=> Signature Malleability
21. SWC-116=> Block values as a proxy for time
22. SWC-115=> Authorization through tx.origin
23. SWC-114=> Transaction Order Dependence
24. SWC-113=> DoS with Failed Call
25. SWC-112=> Delegatecall to Untrusted Callee
26. SWC-111=> Use of Deprecated Solidity Functions
27. SWC-110=> Assert Violation
28. SWC-109=> Uninitialized Storage Pointer
29. SWC-108=> State Variable Default Visibility
30. SWC-107=> Reentrancy
31. SWC-106=> Unprotected SELFDESTRUCT Instruction
32. SWC-105=> Unprotected Ether Withdrawal
33. SWC-104=> Unchecked Call Return Value
34. SWC-103=> Floating Pragma
35. SWC-102=> Outdated Compiler Version
36. SWC-101=> Integer Overflow and Underflow
37. SWC-100=> Function Default Visibility

Once a smart contract passes the above 37 list, it must go through Known Vulnerability Analysis test where a line by line code analysis is performed against a checklist of known vulnerabilities, including but not limited to:

•  Reentrancy
•  Variable Shadowing
• Storage Pointer Exploits
• Over- and Underflows
• Potential Denial of Service Attacks
• Block Gas Limit Issues
• Timestamp Dependencies
• Insecure Random Number Generation
• Incorrect Cryptographic Signature Validation
• Transaction Ordering Assumptions

Need help in implementing above check-list effectively, contact us and we will be in touch with you shortly.

How we can help

We are a team of specialized blockchain architects and developers with several iterations of blockchain implementation projects with government and large companies. Along with our experience, our team members have authored and published numerous books on blockchain as well as books on several of the more widely-adopted blockchain platforms.

At DC Web Makers, we have rigorously audited and refined several critical smart contracts for productions at an enterprise level.  From Security Token to supply chain smart contracts, we have helped small to large businesses to deploy reliable, scalable and secure blockchain applications.