Smart Contract Security - Recon: Context

Support

_Follow along with this video:_ --- ### First Step: Understanding The Codebase Alright, we're ready to begin our recon, if you haven't already clone the repo our client has provided us. ```bash git clone https://github.com/Cyfrin/3-passwordstore-audit.git cd 3-passwordstore-audit code . ``` If we're following `The Tincho` method, our first step is going to be reading the docs and familiarizing ourselves with the codebase. In VS Code, you can click on the `README.MD` file in your workspace and use the command `CTRL + SHIFT + V` to open the preview mode of this document. > You can also open the preview pane by opening your command pallet and typing `markdown open preview`. _Quick tip: Check if an extension must be installed for VS Code if it's not working for you._ ::image{src='/security-section-3/7-context/context2.png' style='width: 100%; height: auto;'} Already, we should be thinking about potential attack vectors with the information we've gleaned. _Is there any way for an unauthorized user to access a stored password?_ Once you've finished reading through the documentation, we can proceed to... ### Scoping Out The Files Following Tincho's advice our next step will be to organize the files of the protocol in scope and assess their respective complexity. (Spoiler, this first example is pretty simple). 1. Download and install the [**Solidity Metrics**](https://marketplace.visualstudio.com/items?itemName=tintinweb.solidity-metrics) extension for VS Code. ::image{src='/security-section-3/7-context/context3.png' style='width: 100%; height: auto;'} 2. Once installed, you can right-click the appropriate folders to run the tool on and select `Solidity: Metrics` from the context menu. > _Pro-tip: If your repo has more than one applicable folder, you can CTRL + Click to select multiple simultaneously._ ::image{src='/security-section-3/7-context/context4.png' style='width: 100%; height: auto;'} After generating the report, navigate to the command palette and locate 'export this metrics report'. Once exported, you'll have HTML access to the report for future reference. ::image{src='/security-section-3/7-context/context5.png' style='width: 100%; height: auto;'} Applying Tincho's methodology to this process, we can: 1. Scroll down to the section containing the various files and their lengths. 2. Copy this info and paste it onto any platform that allows for easy viewing and comparison— like Google Sheets or Notion. > Please note that if your codebase contains a solitary file like ours, this step won't be necessary. Some aspects I'll draw your attention to in this metrics report are the `Inheritance Graph`, `The Call Graph`, and `The Contracts Summary`. It's not super obvious with such a simple protocol, but these are going to provide valuable insight down the line. Familiarize yourself with them now (way at the bottom). ::image{src='/security-section-3/7-context/context6.png' style='width: 100%; height: auto;'} Understanding your codebase and its functionalities is the first step towards securing it. ### Wrap Up Now that we've got a sense of what lies before us, with the help of our tools like CLOC and Solidity Metrics, we're ready to assess the code. Let's see what we can find.

Recon: Context

Starting in on PasswordStore using The Tincho! Read and understand context & docs, leveraging Solidity Metrics VS Code extension.

Solidity Developer

Smart Contract Security

Course Introduction

Duration: 25min

Section 1: Review

Duration: 1h 18min

Section 2: What is a smart contract audit

Duration: 35min

Section 3: Your First Audit | PasswordStore

Duration: 2h 28min

1. Your First Security Review

All the things we'll cover in this section! High-level info. Learn to conduct audits, prepare PDF reports, scope, reconnaissance, vulnerability identification & reporting. Duration: 5min

2. Scoping: Etherscan

Learn why test suites and deployment frameworks are important prerequisites in a security review/audit. REKT Test discussed as an evaluation tool. Duration: 6min

3. Scoping: Audit Details

Exploring the codebase, examining contracts in scope for audit, starting with PasswordStore.sol - simple, key concepts for Solidity & smart contract security. Duration: 13min

4. Scoping: cloc

CLOC demonstration - Measure nSLOC, estimate code base audit time. Duration: 3min

5. Recap I

Recap of smart contract scoping & review tips with Patrick. Focus on mature code bases, test suites, and documentations. Review onboarding form usage for engaging clients. Duration: 3min

6. "The Tincho"

Learn how the legendary Tincho approaches his audits in this overview of his systematic technique, brought to us by Tincho himself! Duration: 15min

7. Recon: Context

Starting in on PasswordStore using The Tincho! Read and understand context & docs, leveraging Solidity Metrics VS Code extension. Duration: 5min

8. Recon: Understanding the code

Demonstrates step-by-step approach, note-taking, communication with team. Gain understanding, identify vulnerabilities. Duration: 3min

9. Exploit: Access control

Missing Access Control - Vulnerability Discovered! Duration: 3min

10. Exploit: Public Data

Exploit Public Data - Private Variables Aren't Private! Explore this vulnerability in PasswordStore. Duration: 3min

11. Recap II

Patrick recaps the vulnerabilities found so far: No Owner Check, Erroneous Parameter, Unsafe Storage on Chain. Duration: 1min

12. Protocol Tests

Validating protocol tests and coverage, emphasizing thoroughness! Duration: 3min

13. Writing an amazing finding

Patrick explains reporting process. How to create a detailed report with Markdown. Discusses importance of issues & solutions. Duration: 4min

14. Writing an amazing finding: Title

Learn how to write better findings: focus on repetition, use clear titles with root causes & impact, example of effective title creation in a security report. Duration: 2min

15. Writing an amazing finding: Description

Writing a description for our report detailing all the necessary information about our discovered vulnerability. Duration: 4min

16. Writing an amazing finding: Proof of code

Writing a proof of code to indisputably prove the vulnerabilities we've found! Duration: 3min

17. Writing an amazing finding: Recommended Mitigation

Writing a great recommended mitigation for the issues found in PasswordStore! Duration: 2min

18. Finding Writeup

Recap finding write ups: Structured format, clear communication, specific details (code snippets). Duration: 2min

19. Access Control Writeup

Add missing access control in PasswordStore's set password function. Use code examples & tips on markdown formatting. Duration: 3min

20. Missing Access Controls Proof Of Code

Vulnerability proof: Write test case using the protocols test suite Duration: 5min

21. Finding Writeup Docs

Writing up our finding for incorrect NatSpec! Duration: 3min

22. Augmented Report With Ai

Using AI to improve our writing and grammar. Duration: 3min

23. Quick Primer On What We Are Learning Next

Audit data, severity ratings, PDF report creation. Instructions by Patrick on accomplishing tasks using tools & resources. Duration: 2min

24. Severity Rating Introduction

Learn how to determine severity ratings for findings in security reviews with the CodeHawks docs as a guide! Duration: 4min

25. Assessing Highs

Audit report severity evaluation using likelihood & impact methodology, demonstrated with examples & steps. Duration: 4min

26. Severity Rating Informational

Assessing informational severity as a potential issue, unlikely to disrupt code functionality. Duration: 3min

27. Timeboxing

In this video, Patrick discusses timeboxing in reviewing codebases & moving on when needed. Learn effective time management for security research. Duration: 2min

28. Making A Pdf

Generate a professional PDF report from a markdown file! Duration: 12min

29. Building Your Portfolio

Creating a GitHub public repo for storing smart contract audit and security journey in PDF format. Build that portfolio and get your name out there! Duration: 2min

30. Exercises

Celebrate progress, join CodeHawks! Rest & prep for bigger challenges ahead. Duration: 4min

31. Isolated Dev Environments

Duration: 12min

32. Recap & Congrats

Patrick recaps your first security review steps: onboarding, docs, scope, vulnerabilities, mitigation and reporting Duration: 9min

Section 4: Puppy raffle

Duration: 5h 03min

Section 5: TSwap

Duration: 5h 22min

Section 6: Thunder Loan

Duration: 4h 33min