Smart Contract Security Audits

The Defyre Project is deploying the world's first blockchain initiative focused on empowering individual participants in DeFi projects to audit the security of any smart contract, at any time, without depending on developers to get them started. It also allows the results of security audits, including risk scores, to be queried directly from the blockchain, which is a revolutionary and unique approach to securing the blockchain community.

Voting on which projects to audit is done entirely by the community. All smart contract security audits are conducted through one of the two audit types described below.

Soft Audit vs. Hard Audit

There are two (2) types of security audits, conducted either by our team or automatically through smart contract triggers.

Soft Audits are generated automatically through a programmatic request performed directly on the blockchain. These audits are produced by automated tools (described further on this page), and the data points they generate are collected and pushed back into the blockchain, directly onto our smart contract that holds the data. The data can then be queried by anyone on the blockchain. There is no human intervention in this process; the entire lifecycle is automated.

  • Soft Audits are initiated by calling a smart contract function and paying a fee in Defyre Utility Token.

Hard Audits are conducted ad hoc, or on request from the community, by our team of security auditors, developers and third-party consultants. These reports are published on our website and, as with Soft Audits, the data collected during these audits is pushed into the blockchain, directly onto our smart contract that holds the data, for anyone to query. This process is considerably more in-depth than a Soft Audit and is designed to provide a holistic view of the contract being audited rather than focusing only on data points collected by automated tools.

  • Hard Audits are initiated either a) through a request on our website or b) by a community vote.

Data Points

The data points collected during audits and published on-chain include:

  • Smart Contract Security Audit results, for audits performed by Defyre's audit team.

  • Overall Risk Scores.

  • Developer Reputation Scores.

  • Static code analysis results, including Smart Contract Weakness Classification findings from the SWC Registry.

  • Liquidity Risks including risks related to malicious "rug pulls".

  • Social Sentiment scores.

  • Contract Verification status from official sources (e.g. BSCScan.com, EtherScan.io).

Ecosystem Integration

Our oracles collect and aggregate security data points about specific smart contracts and DeFi projects and bring that information directly back into the blockchain itself, making it publicly accessible to any on-chain smart contract and DApp over standard ERC20 interfaces.

Related pages: Sentinel Data Aggregation Oracles; Defyre Data Platform.

Risk Scores

A risk score is a calculated number that reflects the severity of a risk arising from specific underlying factors. Typically, risk scores are calculated by multiplying probability and impact, though other factors, such as weighting, may also be part of the calculation.

Risk scores are calculated on a scale from 0 to 10. Below is an example of the output that would be made available on the blockchain through a smart contract query:

{
    "id": 123,
    "symbol": "XYZ",
    "name": "Example Contract",
    "verified": 1,
    "developer_website": "https://xyz.finance",
    "developer_risk": 5,
    "overall_risk": 8,
    "static_analysis_results": 4,
    "static_analysis_risk": 2,
    "swc_findings": 3,
    "liquidity_risk": 7,
    "social_sentiment_score": 3,
    ...
}
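The paragraph above describes the scoring rule (probability multiplied by impact, with optional weighting, on a 0 to 10 scale) without showing the arithmetic. The following is an added example that is not Defyre's own scoring code: each factor carries a probability, an impact and a weight, the per-factor score is probability x impact rescaled to 0-10, and the overall score is the weighted average of the factor scores. The field names follow the sample record above; the probability, impact and weight values are constructed for the example and do not reproduce the numbers in that record.

```python
"""Weighted probability x impact risk scoring on a 0-10 scale.

Added example, not Defyre's own scoring code. Factor names mirror the
fields of the sample on-chain record; the numeric inputs below are
constructed assumptions, not values from any real audit.
"""
from dataclasses import dataclass

SCALE_MAX = 10.0


@dataclass(frozen=True)
class RiskFactor:
    name: str
    probability: float  # 0.0-1.0: likelihood the underlying weakness is realised
    impact: float       # 0.0-1.0: severity for token holders if it is
    weight: float       # relative importance of this factor in the overall score


def factor_score(factor: RiskFactor) -> float:
    """Single-factor score: probability x impact, rescaled to 0-10."""
    for value in (factor.probability, factor.impact):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{factor.name}: probability and impact must lie in [0, 1]")
    return round(factor.probability * factor.impact * SCALE_MAX, 1)


def overall_risk(factors) -> float:
    """Weighted average of the per-factor scores; stays on the 0-10 scale."""
    total_weight = sum(f.weight for f in factors)
    if total_weight <= 0:
        raise ValueError("factor weights must sum to a positive number")
    weighted = sum(factor_score(f) * f.weight for f in factors)
    return round(weighted / total_weight, 1)


def build_record(contract_id: int, symbol: str, name: str, factors) -> dict:
    """Assemble the record shape that would be published for on-chain queries."""
    record = {"id": contract_id, "symbol": symbol, "name": name}
    for f in factors:
        record[f.name] = factor_score(f)
    record["overall_risk"] = overall_risk(factors)
    return record


# Constructed inputs for a hypothetical contract (not a real project).
SAMPLE_FACTORS = (
    RiskFactor("developer_risk", probability=0.5, impact=0.8, weight=1.0),
    RiskFactor("static_analysis_risk", probability=0.4, impact=0.5, weight=2.0),
    RiskFactor("liquidity_risk", probability=0.7, impact=1.0, weight=2.0),
    RiskFactor("social_sentiment_risk", probability=0.6, impact=0.5, weight=0.5),
)

if __name__ == "__main__":
    print(build_record(123, "XYZ", "Example Contract", SAMPLE_FACTORS))
```

Liquidity and static-analysis findings are weighted twice as heavily as developer reputation here because those are the factors an attacker can act on directly; the weights are a policy choice and any real deployment would publish them alongside the scores so that the on-chain number can be reproduced.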

Tools

Some of the tools used in smart contract security audits include well-known, established and proven tools such as:

  • MythX

    • MythX is a professional-grade cloud service that uses symbolic analysis and input fuzzing to detect common security bugs and verify the correctness of smart contract code.

  • Mythril

    • The Swiss army knife for smart contract security.

  • Slither

    • Static analysis framework with detectors for many common Solidity issues. It has taint and value tracking capabilities and is written in Python.

  • Echidna

    • The only available fuzzer for Ethereum software. Uses property testing to generate malicious inputs that break smart contracts.

  • SmartCheck

    • Static analysis of Solidity source code for security vulnerabilities and best practices.

  • Octopus

    • Security Analysis tool for Blockchain Smart Contracts with support of EVM and (e)WASM.

SWC Registry

The Smart Contract Weakness Classification Registry (SWC Registry) is an implementation of the weakness classification scheme proposed in EIP-1470. It is loosely aligned to the terminologies and structure used in the Common Weakness Enumeration (CWE) while overlaying a wide range of weakness variants that are specific to smart contracts.

Smart contracts are audited against entries in the registry to ensure that well-known vulnerabilities are either not present in a contract's Solidity code or are mitigated by other factors. These findings contribute to the overall risk score assigned to any given smart contract.

Reference: SWC Registry
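The two sections above list Slither among the audit tools and explain that findings are checked against SWC Registry entries and may count as mitigated. The following added example (not Defyre's pipeline) shows how raw tool output becomes the `static_analysis_results`, `swc_findings` and `static_analysis_risk` data points: it parses the JSON report Slither writes with `--json` (`results.detectors[*]` with `check`, `impact` and `confidence`), tags each detector with an SWC ID, and scores the worst unmitigated finding on the 0 to 10 scale. The detector-to-SWC table, the impact and confidence weights, and the sample report are assumptions constructed for this example.

```python
"""Map static-analysis findings to SWC Registry entries and score them.

Added example, not Defyre's own code. Reads Slither's JSON report layout
(results.detectors[*].check / impact / confidence). The detector->SWC
table and the weights are assumptions chosen for this example; the
sample report below is constructed, not output from a real audit.
"""
import json

# Assumed mapping from Slither detector names to SWC Registry IDs.
DETECTOR_TO_SWC = {
    "reentrancy-eth": "SWC-107",      # Reentrancy
    "reentrancy-no-eth": "SWC-107",
    "tx-origin": "SWC-115",           # Authorization through tx.origin
    "timestamp": "SWC-116",           # Block values as a proxy for time
    "suicidal": "SWC-106",            # Unprotected SELFDESTRUCT instruction
    "unchecked-lowlevel": "SWC-104",  # Unchecked call return value
}

# Assumed weights: impact plays the role of severity, confidence the role
# of probability, so their product is the probability x impact score.
IMPACT_WEIGHT = {"High": 1.0, "Medium": 0.6, "Low": 0.3,
                 "Informational": 0.0, "Optimization": 0.0}
CONFIDENCE_WEIGHT = {"High": 1.0, "Medium": 0.7, "Low": 0.4}


def load_findings(report_json: str) -> list:
    """Return the detector results, refusing a report whose run failed."""
    report = json.loads(report_json)
    if not report.get("success", False):
        raise ValueError(f"analysis did not complete: {report.get('error')}")
    return report["results"]["detectors"]


def summarize(report_json: str, mitigated: frozenset = frozenset()) -> dict:
    """Build the static-analysis data points from one tool report.

    `mitigated` names detectors that a Hard Audit has judged to be addressed
    by other factors; those findings stay in the counts (the registry hit is
    still real) but no longer drive the risk score.
    """
    findings = load_findings(report_json)
    swc_ids = []
    worst = 0.0
    for finding in findings:
        swc = DETECTOR_TO_SWC.get(finding["check"])
        if swc is not None:
            swc_ids.append(swc)
        if finding["check"] in mitigated:
            continue
        score = (IMPACT_WEIGHT.get(finding["impact"], 0.0)
                 * CONFIDENCE_WEIGHT.get(finding["confidence"], 0.0))
        worst = max(worst, score)
    return {
        "static_analysis_results": len(findings),
        "swc_findings": len(swc_ids),
        "swc_ids": sorted(set(swc_ids)),
        "static_analysis_risk": round(worst * 10, 1),
    }


# Constructed sample in Slither's report layout (hypothetical contract "Vault").
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256)"},
        {"check": "tx-origin", "impact": "Medium", "confidence": "Medium",
         "description": "Vault.onlyOwner() uses tx.origin for authorization"},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter _Amount is not in mixedCase"},
    ]},
})

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(summarize(SAMPLE_REPORT, mitigated=frozenset({"reentrancy-eth"})))
```

Scoring on the single worst finding rather than a sum keeps one critical reentrancy from being diluted by a dozen informational hits; the counts are still published so a reader can see the full picture behind the number.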

Audit Integrity / COI Fund Wallet

The COI Fund Wallet is a unique and revolutionary mechanism that prevents us, as the team behind the project, from issuing fake or inaccurate audit reports. "COI" here stands for Conflict of Interest. The mechanism itself is explained further in the COI Fund Wallet section.

Related page: COI Fund Wallet.
