Preparing for an Audit Competition

Embarking on an audit competition with Hats Finance is a significant step towards ensuring the security and integrity of your smart contracts. Proper preparation is key to a smooth and effective audit process. This guide gives protocols an overview of how to prepare for a Hats Audit Competition. If you are ready to get started right away, the more detailed Hats Audit Competition onboarding template linked here walks you through the preparatory activities step by step.

Define the Audit’s Scope and Objectives

Clearly outline what you hope to achieve with the audit. Are you looking for a general security check, specific vulnerability assessments, or both? Pinpoint the critical components of your smart contracts that require special attention: high-value pools, governance mechanisms, or any novel implementations are examples of such areas. Specify severity levels with clear definitions, so that your criteria incentivize security researchers to focus on what is of greatest value to you.

Be very specific about which code is in scope for the review, so that reviewers know where to look; listing the in-scope contracts by file path and pinning them to a specific commit hash removes any ambiguity. Also be very specific about which kinds of vulnerabilities you will reward and which are out of scope. Are you interested only in attacks in which money is lost or the protocol is halted, or will you also reward deviations from the specification, suggestions for code improvements, and gas optimizations?

Create Your Point System

Incorporate a customizable point system to evaluate vulnerabilities, assigning points to severity levels that match your project's priorities. For instance:

  • Low Severity: 1 point

  • Medium Severity: 12 points

  • High Severity: 25 points

Note: adjust these point values to your audit's specific needs. The Hats team is ready to help you define your point system if you wish.

Each point represents a share of the bounty pool: the value of a point is not fixed in advance but is the pool divided by the total points awarded across all accepted findings, so payouts adjust to the number and severity of what is found. This keeps rewards aligned with your audit objectives and encourages researchers to prioritize findings that offer the greatest value to your project.
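The following Python script is an added illustration of how such a point system turns a pool into payouts; it is not Hats Finance code or the Hats Finance payout implementation. It assumes a pro-rata rule (one point is worth the pool divided by the total points awarded), uses the example point values above, and ignores competition rules such as duplicate handling. The pool size, researcher names and findings are constructed sample data.

```python
"""Added illustration of a pro-rata point system for audit competition payouts.

Assumptions (not from the guide): one point is worth pool / total_points,
duplicates and other competition rules are not modelled, and rounding to
token units happens only at the very end.
"""
from collections import defaultdict
from fractions import Fraction

# Example point values from the guide above.
POINTS = {"low": 1, "medium": 12, "high": 25}

# Constructed sample submissions: (researcher, accepted severity).
SAMPLE_FINDINGS = [
    ("alice", "high"),
    ("bob", "medium"),
    ("bob", "medium"),
    ("carol", "low"),
    ("carol", "low"),
    ("carol", "low"),
]


def point_value(pool, findings, points=POINTS):
    """Return the worth of a single point as an exact Fraction.

    The value is only known once judging is finished, because it depends
    on the total points awarded. Raises if nothing was awarded at all,
    since the guide does not say what happens to the pool in that case.
    """
    total = sum(points[severity] for _, severity in findings)
    if total == 0:
        raise ValueError("no points awarded; decide what happens to the pool")
    return Fraction(pool) / total


def payouts(pool, findings, points=POINTS):
    """Return {researcher: payout} under the pro-rata rule.

    Exact fractions are used so that the payouts sum to the pool exactly;
    round when converting to token units, not before.
    """
    per_point = point_value(pool, findings, points)
    totals = defaultdict(Fraction)
    for researcher, severity in findings:
        totals[researcher] += points[severity] * per_point
    return dict(totals)


def payout_table(pool, findings, points=POINTS):
    """Return (researcher, payout as float) rows sorted by name."""
    return [(who, float(amount))
            for who, amount in sorted(payouts(pool, findings, points).items())]


if __name__ == "__main__":
    POOL = 50_000  # constructed example pool, e.g. 50,000 USDC
    print(f"one point is worth {float(point_value(POOL, SAMPLE_FINDINGS)):.2f}")
    for who, amount in payout_table(POOL, SAMPLE_FINDINGS):
        print(f"{who:>6}: {amount:>10.2f}")
    # With these weights alice's single high (25 pts) narrowly beats bob's
    # two mediums (24 pts), while carol's three lows (3 pts) earn very little.
```

Running the script shows why the weights matter: with 25/12/1 a single high is worth slightly more than two mediums, and lows barely dilute the pool. If you want two mediums to outrank one high, or lows to count for more, change the weights before the competition starts rather than after submissions arrive.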

Document and Organize Your Codebase

  1. Code Documentation: Ensure your code is well documented. Documentation helps auditors quickly become familiar with the purpose of your code and gives them a tangible way of seeing when a contract is not doing what it is supposed to do. This includes clear comments within the code and a comprehensive readme file explaining the overall architecture and functionality.

  2. Testing: Your code should come with a complete and thorough set of tests. This will not only help you catch bugs and mistakes yourself, but will also help auditors understand how you intend your code to be used. Use continuous integration, such as GitHub Actions, to make sure your tests are reproducible and all pass on the exact commit that is in scope.

  3. Provide Deployment Scripts: Provide documented deployment procedures. Some on-chain vulnerabilities are the result of a botched or misconfigured deployment (for example, an initializer that is never called, or admin rights left with the deployer account), and having your deployment procedures audited mitigates these risks as well.

Disclose Known Vulnerabilities

Researchers should not waste time describing vulnerabilities your team is already aware of, so be as clear and complete as possible in this regard. If you have, for example, GitHub issues describing such vulnerabilities, mention them in the description of your scope. If your code was audited before, provide the earlier audit reports. And if your protocol has experienced security incidents in the past, provide details about them.

Understanding past vulnerabilities can help auditors focus on potential recurring issues or overlooked aspects of your code.

Establish Communication Channels

  1. Dedicated Communication: Set up a dedicated channel for communication with auditors. This could be a Discord server, Telegram group, or an email hotline.

  2. Availability for Queries: Allocate team members who can respond to queries from auditors. Prompt responses can significantly expedite the auditing process, and answers that clarify scope or intended behaviour are best shared with all participants so that every researcher works from the same understanding of the code.

Prepare for Post-Audit Activities

  1. Plan for Implementing Fixes: Have a strategy for addressing and implementing fixes or recommendations that emerge from the audit.

  2. Reserve Time for Triage and Judging: Some audit competitions receive a large number of submissions, and it may take a significant amount of time to read, reproduce, and judge each of them.

  3. Consider Arbitration Mechanisms: Understand the arbitration process offered by Hats Finance, especially if disputes arise regarding the findings.

Bonus Tips

  1. Engage with the Community: Consider reaching out to the Hats community for preliminary feedback or suggestions before the official audit competition begins.

  2. Stay Informed: Keep up with the latest developments in smart contract security to anticipate potential areas of vulnerability in your protocol.

By following these steps, you can set the stage for a thorough and effective audit competition with Hats Finance. Your proactive efforts in preparation not only facilitate a smoother audit process but also demonstrate your commitment to the security and reliability of your protocol. Begin your journey towards a secure future with Hats Finance today.
