LogoLogo
  • WELCOME TO ALEPH ZERO
  • EXPLORE
    • About Aleph Zero
    • AlephBFT Consensus
    • The Economy of Aleph Zero
    • Where to Buy AZERO
    • Decentralized Governance on Aleph Zero
    • Ecosystem
    • Aleph Zero Foundation Treasury Management
    • Community
    • Glossary
    • Audit & Research Papers
  • USE
    • Wallets
    • Explorer
    • Ledger
    • Telegram Notifications
    • Aleph Zero Signer
      • General introduction
      • What does Signer do?
      • What are Sub-accounts and Sub-account paths?
      • Why is it critical to store your Secret Phrase in a safe place?
      • How to forget and restore accounts?
      • What are Networks?
      • What are Trusted apps?
    • Dashboard
      • Dashboard basics
      • Overview
    • Stake
      • Staking Basics
      • Staking Menu Overview
      • How to Start Staking with the Aleph Zero Dashboard
      • How to Start Staking With the Developer Wallet
      • How to start staking using Ledger hardware wallet
      • How to Change Nominations
      • How to Stop Staking
      • Staking Rewards
      • Validators
      • Commission and Foundation Nodes
      • Proxy Accounts
    • Validate
      • Validating Overview
      • Hardware requirements
      • Running an Aleph Node on Testnet
        • Downloading and running the node
        • Verifying your setup
        • Customizing your setup
        • Building and running from source [advanced]
          • Building from source
          • Set environment variables
          • Download DB snapshot
          • Running the binary
        • Appendix: Ports, addresses, validators, and archivists
      • Running an Aleph Node on Mainnet
        • Running the node
        • Building and running from source [advanced]
      • Setting your identity
      • Making the node validate
      • Securing your validator
      • Troubleshooting
      • Elections and Rewards Math
      • Testnet Validator Airdrop
      • Foundation Nomination Program
    • Using the EVM-layer
    • Governance
      • Token
      • Multisig Accounts
  • BUILD
    • Aleph Zero smart contracts basics
      • Setting up a Testnet account
      • Installing required tools
      • Creating your first contract
      • Deploying your contract to Aleph Zero Testnet
      • Extending your contract
    • Cross contract calls
      • Using references
      • Using dynamic calls
    • Migrating from Solidity
    • Writing e2e tests with ink-wrapper
    • Aleph Zero Signer integration
    • Front-end app: smart contract interaction
    • Security Course by Kudelski Security
      • ink! Developers Security Guideline
      • Lesson 1 - Getting started with ink!
      • Lesson 2 - Threat Assessment
      • Lesson 3 - Integer Overflow
      • Lesson 4 - Signed-integer
      • Lesson 5 - Role-Based Access Control
      • Lesson 6 - Address Validation
      • Lesson 7 - Smart Contract Control
    • Development on EVM-layer
  • PROTOCOL DETAILS
    • Shielder
      • Overview
      • Design against Bad Actors
      • Preliminaries - ZK-relations
      • Notes and Accounts
      • ZK-ID and Registrars
      • Anonymity Revokers
      • PoW Anonymity Revoking
      • Relayers
      • Deterministic Secret Management
      • SNARK-friendly Symmetric Encryption
      • SNARK-friendly Asymmetric Encryption
      • Cryptography
      • Token shortlist
      • User Wallet
      • Versioning
      • PoC
      • Version 0.1.0
      • Version 0.2.0
    • Common DEX
      • Common Whitepaper - Differences
      • Dutch Auctions
  • FAQ
  • Tutorials
    • Withdrawing coins from exchanges
      • How to withdraw your AZERO coins from KuCoin
      • How to withdraw your AZERO coins from MEXC Global
      • How to withdraw your AZERO coins from HTX
  • Setting up or restoring a wallet
    • How to set up or recover your AZERO account using Aleph Zero Signer
    • How to set up or recover your AZERO account using the official mainnet web wallet
    • How to set up or recover your AZERO account using Nova Wallet
    • How to set up or recover your AZERO account using SubWallet
    • How to set up or recover your AZERO account using Talisman
  • Staking
    • How to stake via a direct nomination using the Aleph Zero Dashboard
    • How to stake via a nomination pool using the Aleph Zero Dashboard
    • How to destroy a nomination pool via the Aleph Zero Dashboard
Powered by GitBook
On this page
  • Pre-Audit
  • Documentation
  • Collaborative environment
  • Audit
  • Maintenance

Was this helpful?

  1. BUILD
  2. Security Course by Kudelski Security

Lesson 7 - Smart Contract Control

This lesson targets to improve the security culture within the Aleph Zero community, as a common error may occur in the community.

This part aims to help preparing for a security audit which is necessary to achieve the highest level of security possible. It is important to view an audit as a partnership between your team and the auditing company. Therefore, it is crucial to prepare the necessary documents for the good functioning of audit.

Pre-Audit

Documentation

A complete documentations for a security audit should contains the following elements:

  • An explanation of the purpose of the smart contract, this could include:

    • An overview of the smart contract and its purpose.

    • An explanation of how it works.

  • Documentation and explanation of all smart contract's functions and variables.

  • Examples and use cases:

    • This will demonstrate how the smart contract can be used. This will help the security audit team to understand the smart contract and facilitate their examination of the threat and vulnerabilities of the smart contract.

  • Security considerations: Document any security considerations or vulnerabilities associated with the smart contract. This should include information on how to mitigate risks and ensure the contract's secure operation.

  • Machine setup, installation, deployment and testing instructions:

    • This will allow the security audit team to deploy the smart contract and try to exploit any of the vulnerabilities that they found in the code.

    • Document how to test the smart contract to ensure that it is working correctly. This should include information on testing methodologies and tools, as well as any test scripts or scenarios that have been developed.

  • Additional Documentation:

    • architecture diagrams;

    • threat models;

    • academic papers;

    • whitepapers;

    • blog posts;

    • or any other piece of documentation relevant to the project.

Collaborative environment

It is important to view an audit as a collaborative effort. Something to avoid is to interact only at the start of the audit and then receive a report at the end of the engagement. To create a collaborative engagement, we recommend the following steps:

  • A secure communication channel using end-to-end encryption needs to be initialized between technical people on you side and the audit team. Popular communication channels used during audit include:

    • Telegram

    • Microsoft Teams

    • Slack

  • The credential for auditors needs to granted:

  • Share the repository with the audit team

  • Share Documentation

  • The smart contract needs to be frozen. In other words, no modifications are made while the audit is being performed.

    • Inform the commit hash value to the audit team.

  • Verify that the audit team can answer the following questions

    • What does it do?

    • Who does it do this for?

    • What kind of information will it hold/handle?

    • How does it handle entities or identities?

    • What aspects seem most concerning?

Audit

During the audit, you should make sure that you perform the following task:

  • Schedule regular meetings between your engineers and the audit team

  • Make sure that high-risk findings have been escalated immediately via a secure channel.

  • Answer any questions from the audit team.

  • Correct or review all findings, with high-impacting findings taking priority.

Maintenance

Once the contract has been deployed, the following element needs to be discussed:

  • Keep monitoring new security attacks and evaluate your contracts accordingly.

  • Apply remedies to the smart contracts immediately if new vulnerabilities are discovered.

    • Ensure that the contract is upgradable.

  • Run automated code analysis tools whenever new commits are added to the repository.

  • Pause the smart contract when an unusual event occurs.

    • Contract needs to have a pause option.

  • Consider re-auditing your smart contracts if significant updates have been made.

  • Feel free to contact security partners for evaluating and scoping.

PreviousLesson 6 - Address ValidationNextDevelopment on EVM-layer

Last updated 1 year ago

Was this helpful?