FYEO's Approach to Blockchain and Smart Contract Security Audits
Smart contracts are programs on top of the blockchain with predefined rules and functionalities and are typically used to automate the execution of an agreement/action without the help of a middleman. When used in decentralized finance solutions, these agreements often involve the transfer of funds or minting/burning tokens. Unfortunately, they are also the cause of seemingly weekly headlines surrounding high-profile hacks where hundreds of millions of dollars are lost, oftentimes due to a vulnerability in a smart contract.
Most of the major blockchains and smart contract languages are still under active development, and smart contracts are often designed and written very quickly on top of them. As a result of this haste, it is very likely that vulnerabilities exist in the written code, and sometimes, as in the case of Audius’s recent vulnerability, they may go unnoticed for years.
A code review performed by professional, experienced blockchain developers before launch and updates allows an independent organization the opportunity to detect vulnerabilities before they're exploited by malicious actors.
About FYEO’s Blockchain Security Division
FYEO was founded with a simple mission: to help transition the world to Web3. What started as a digital transformation firm focused on helping enterprises understand how emerging technologies fit into their organization turned into a robust blockchain security audit company with an elite team of some of the most sought-after DeFi logic experts in the world – working to improve security across multiple layer-1 cores as well as the smart contract layer. FYEO’s team of experts has worked across hundreds of projects, finding vulnerabilities in these projects’ code bases, and has helped to resolve countless code errors before real harm could occur.
The difference in the FYEO Audit lies in our approach
We are not a drive-by audit shop. A FYEO Audit is an interactive audit where your team receives updates in real time throughout our line-by-line auditing process. This gives your team the opportunity to work in collaboration with our reviewers: to ask questions, engage in conversation, and begin to recognize how to prevent future exploits, saving you time and money and reducing reputational risk.
We have developed a simple but rigorous code review process because quality is our number one goal. This process is broken down into four phases, each with unique milestone criteria that must be met, further elaborated on below:
Milestone 1 - Research Phase:
After a kickoff call with the client, we begin with a research phase where we study the project design and supporting documentation and run some initial static analysis. We also work with the development team in this phase to understand the current security assumptions as well as certain design choices.
Milestone 2 - Initial Review:
In this phase, we review the data flow and perform input/return validations, identify critical external function calls and complex code (such as cryptographic functions) that will require a deeper understanding, and verify third-party dependencies.
Milestone 3 - Deep Review:
This is a very important phase where we review application-specific and business logic, look for potential math issues, and check for blockchain-specific or programming-language-specific vulnerabilities. We also delve deeper into the complex code identified in the previous phase.
Milestone 4 - Self-review and peer-review:
Last but not least, the first half of the final milestone is met by a thorough self-review by the project’s auditor of all of the work performed thus far. This includes a presentation of the findings and a walkthrough of the work performed for the whole code review team. The second half of milestone 4 is met by the completion of a peer review by a senior auditor on the team. The senior auditor is tasked with ensuring quality by reviewing the findings and confirming that all previous milestones have been met.
At FYEO, we also believe that the most important aspect of any business is its people. FYEO attracts the best talent in the world because of our technical leadership, and retains elite engineers with a fully remote lifestyle, an autonomous work environment, and competitive compensation packages to work on exciting projects. Quite simply, we thrive on our reputation as security auditors, and the implicit trust of an audit relationship requires the best talent in the world. FYEO aligns our engineers with the ecosystems, languages, and technologies in which they have extensive expertise, and we cooperate actively with all stakeholders, even concurrent audit teams, to ensure the reviewed code is not only made more secure but is also improved throughout the course of an engagement.
At FYEO, our goal with a code review is not simply to provide a “rubber stamp of approval” to share with the community and investors and then part ways, never to engage again. We want you to succeed by learning and to be the best you can be. By integrating our review team with your development team, you will reap the maximum benefit from our review work, taking away priceless insights from our experienced experts. We believe security should be a key feature in every development roadmap from the beginning and should remain a priority as future releases ship, and we support this effort by offering priority scheduling and assistance in roadmap planning to our retainer clients.
Ready for an audit or want to learn more about our process? Fill out this form here and we’ll be in touch!