New courses now live: Wallets, deployment and formal verification. Sign up to get started đ
Lesson 6: "The Tincho"
Reconnaissance
We've finally scoped out our client's code base and we're ready to dive into looking more closely at the code.To do this, we're going to learn some best practices and a technique I've dubbed
The Tincho from the master himself - Tincho Abbate.Introducing Tincho
Tincho is a legend in Web3 security and is a member of The Red Guild, a smart contract and EVM security firm. He was a previous lead auditor for the security firm atOpenZeppelin and he even helped me create this course!We're lucky to have Tincho walk us through his high-level way to approach security reviews.
What follows is derived from a video featuring Tincho's point of view
The Tincho Auditing Method
To illustrate the Tincho auditing method, we're going to refer to a video where Tincho performs a live auditing of the Ethereum Name Service (ENS)."I don't have a super formal auditing process. I will just show you briefly some things that I do..." - Tincho
First Step
First thing's first - download the code, and read the documentation. You need to familiarize yourself with the content and context of the codebase, learn the jargon you can expect to see in the code and become comfortable with what the protocol is expected to do.READ THE DOCUMENTATION
Tools and Frameworks
Tincho describes a number of tools he uses while performing security reviews, bring the tools you're most familiar and best with.- VS Codeium: a text editor with a privacy focus. It's based on VS Code but removes a lot of the user tracking telemetry
- Foundry: As a framework for reviewing codebases Foundry is incredibly fast and allows for quick testing with it's robust test suite
- CLOC: A simple command-line utility that helps count lines of code which can give a sense of the complexity of different parts of the codebase.
- Solidity Metric: Another tool developed by Consensys that provides useful metrics about your Solidity codebase.
By leveraging
CLOC and Solidity Metrics, a security researcher can organize the codebase by complexity and systemically go through the contracts - marking them each complete as appropriate. This pragmatic approach ensures no stone is left unturned.It's recommended to start with the smaller and more manageable contracts and build upon them as you go.
There's a point in an audit where your frame of mind should switch to an adversarial one. You should be thinking "How can I break this..."
Given even simple functions like above, we should be asking ourselves
- "Will this work for every type of token?"
- "Have they implemented access control modifiers properly?"
USDT is a 'weird ERC20' in that it doesn't return a boolean on transferFrom calls
Audit, Review, Audit, Repeat
Keeping a record of your work is crucial in this process.Tincho recommends taking notes directly in the code and maintaining a separate file for raw notes/ideas.
Remember, there is always a risk of diving too deep into just one part of the code and losing the big picture. So, remember to pop back up and keep an eye on the over-all review of the code base.
Not everything you'll be doing is a manual review. Applying your knowledge of writing tests to verify suspicions is incredibly valuable. Tincho applies a
fuzz test to his assessment of functions within the ENS codebase.Communication
Tincho describes keeping an open line of communication with the client/protocol asfundamental. The protocol is going to possess far more contextual understanding of what constitutes intended behavior than you will. Use them as collaborators. Trust but validate."I would advise to keep the clients at hand. Ask questions, but also be detached enough." - Tincho
Wrapping it Up
Sometimes it can feel like there's no end to the approaches you can make to a codebase, no end to the lines of code you can check and verify.Tincho advocates for time-bounding yourself. Set limits and be as thorough as possible within them.
"The thing is...I always get the feeling that you can be looking at a system forever." - Tincho
The Audit Report and Follow Up
The last stage of this whole process is to present an audit report to the client. It should be clear and concise in the detailing of discovered vulnerabilities and provide recommendations on mitigation.It's our responsibility as security researchers to review the implementation of any mitigations the client employs and to assure that new bugs aren't introduced.
Aftermath of a Missed Vulnerability
There will always be the fear of missing out on some vulnerabilities and instead of worrying about things that slip through the net, aim to bring value beyond just identifying vulnerabilities. Be that collaborative security partner/educator the protocol needs to employ best practices and be prepared holistically.As an auditor it's important to remember that you do not shoulder the whole blame when exploits happen. You share this responsibility with the client.
This doesn't give you free reign to suck at your job. People will notice.
A last takeaway from Tincho:
"Knowing that youâre doing your best in that, knowing that youâre putting your best effort every day, growing your skills, learning grows an intuition and experience in you."
Join the discussions!
Testimonials
Students Reviews
Read what our students have to say about this course.
If thereâs one resource that Web3 developers point to, itâs Cyfrinâs ultimate tutorials. Theyâre standout resources that have empowered countless developers to learn blockchains, learn Solidity, and dive deep into Web3 development.
Chainlink
Chainlink
We can build systems for Ethereum scaling but without education, itâs all for nothing. Updraft is the first step towards adoption for Web3 education. We can now mint security focused developers at scale!
Tony Olendo
Lead Devrel Engineer, Polygon
Cyfrin's course was a cornerstone of my journey into Web3, providing me with the fundamentals and hands-on experience that have been pivotal to my journey in the blockchain space.
Raza
Lead Developer Relations, Scroll
Cyfrin Updraft videos on smart contract development have been instrumental in my blockchain journey, standing out with their clarity and accessibility. Their readiness to support and engage with learners makes me excited for more of their interactive and insightful content in the Web3 space
Francesco Andreoli
MetaMask
I took Cyfrin course and Iâve been working as a solutions developer at OpenZeppelin for the last few months. It was by far the most comprehensive resource and the one that really teached me the fundamentals and made me want to switch from web2 to web3
Gustavo Gonzalez
Solutions Engineer, OpenZeppelin
The Cyfrin courses were a game-changer for me. They provided a well-structured and comprehensive introduction to web3 and blockchain development. The knowledge I gained allowed me to transition into a full-time role as a blockchain developer. I can't recommend these courses enough!
Albert Hu
DeForm Founding Engineer
I took Cyfrinâs courses, and I took them seriously. At least one hour every day, documented the progress, didnât skip any second. Havenât found a better web3 course since. Now Iâm full-time in web3, working as Senior Developer Advocate at Ceramic Network.
Radek
Senior Developer Advocate, Ceramic
Cyfrin have been an absolute game-changers in my journey into blockchain. Saying their courses were remarkable, would be an understatement. Thanks to their expert guidance, I gained a deep understanding of blockchain to its roots. I'm forever grateful for their role in helping me get started in web3.
Boidushya
WalletConnect
Cyfrin blockchain and Foundry/AI courses were incredible. I've gained valuable knowledge, grown, empowering myself and others. Thank you, Cyfrin!
Idris
Developer Relations Engineer, Axelar