Ensuring Audits Are Completed
Audits are a critical step in preparing for the launch stage of a blockchain project. They provide confidence to users, investors, and partners by independently checking that the code is secure, behaves as specified, and meets the standards the project has committed to. A thorough auditing process identifies vulnerabilities and areas for improvement, allowing you to address them before going live.
Some parts of the code are more important than others. If there are smart contracts dealing with tokens (money!), they will need additional layers of attention. This could include formal verification techniques, extensive manual reviews, stress testing under various scenarios, and ensuring compatibility with integrated applications. Following established security standards and best practices can further mitigate risks. Also pay attention to the applications you deploy that interact with those contracts: they are a frequent source of high-risk vulnerabilities, even when the contracts themselves are sound.
For example, front-end applications have been known to introduce vulnerabilities by exposing private keys through improper handling, or by failing to validate user input before passing it to the smart contract (malformed or zero addresses, amounts converted with lossy floating-point arithmetic, transactions sent on the wrong network). Additionally, middleware layers connecting the front-end to the blockchain can introduce weak points if they are not properly secured or audited.
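As an added illustration of the front-end input-validation point above (example code written for this page, not taken from the guide or any project it mentions), the following hypothetical `validateTransfer` helper shows the checks a dApp front-end should make before it hands a user-typed recipient and amount to a token contract. The field names, the `expectedChainId` parameter and the sample inputs are assumptions for the example; the contract call itself is deliberately left out.

```javascript
// Added example: validating user input in a dApp front-end before it reaches
// a smart contract. Hypothetical helper, not code from the guide.

const UINT256_MAX = (1n << 256n) - 1n;
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// A 20-byte hex address; EIP-55 checksum validation would need keccak and is
// left out here to keep the example dependency-free.
function isHexAddress(addr) {
  return typeof addr === "string" && /^0x[0-9a-fA-F]{40}$/.test(addr);
}

// Convert a user-typed decimal string (e.g. "1.5") to base units as a BigInt.
// Number cannot represent integers above 2^53 exactly, and one token with
// 18 decimals is already 10^18, so never do Number(amount) * 1e18 here.
function parseUnits(amountStr, decimals) {
  if (typeof amountStr !== "string" || !/^\d+(\.\d+)?$/.test(amountStr)) {
    throw new Error("amount must be a plain decimal string");
  }
  const [whole, frac = ""] = amountStr.split(".");
  if (frac.length > decimals) {
    throw new Error(`amount has more than ${decimals} decimal places`);
  }
  return BigInt(whole + frac.padEnd(decimals, "0"));
}

// Returns the exact arguments to pass to the contract, or throws.
// `balance` (BigInt, base units) and `chainId`/`expectedChainId` are optional.
function validateTransfer({ to, amount, decimals, balance, chainId, expectedChainId }) {
  if (expectedChainId !== undefined && chainId !== expectedChainId) {
    throw new Error(`wallet is on chain ${chainId}, contract lives on ${expectedChainId}`);
  }
  if (!isHexAddress(to)) {
    throw new Error("recipient is not a 20-byte hex address");
  }
  if (to.toLowerCase() === ZERO_ADDRESS) {
    throw new Error("refusing to send to the zero address");
  }
  const value = parseUnits(amount, decimals);
  if (value === 0n) throw new Error("amount must be positive");
  if (value > UINT256_MAX) throw new Error("amount does not fit in uint256");
  if (balance !== undefined && value > balance) {
    throw new Error("amount exceeds the user's balance");
  }
  return { to, value };
}

// Constructed sample input, not real user data.
const SAMPLE_RECIPIENT = "0x" + "ab".repeat(20);
function demo() {
  return validateTransfer({
    to: SAMPLE_RECIPIENT,
    amount: "1.5",
    decimals: 18,
    balance: 2n * 10n ** 18n,
    chainId: 1,
    expectedChainId: 1,
  });
}
```

The point of the example is that every rejection happens client-side before a transaction is signed: a contract cannot refund a transfer sent to the zero address, and a rounding error introduced by floating-point conversion is invisible in the audit of the contract itself.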
The auditing project should be led by the Dedicated Security Lead (see ).
Engage External Security Experts:
Bring in a reputable external security firm for a final review to ensure unbiased evaluation.
Firms specializing in blockchain security, such as OpenZeppelin or Trail of Bits, can provide additional assurance. It is important to research auditing firms thoroughly, as the level of assurance provided can vary significantly.
Ensure the audit includes smart contracts, platform infrastructure, and any other critical components of your project.
Remediate Major Issues:
Begin by addressing all identified major and critical issues flagged during the audit process.
Prioritize fixes that affect security, functionality, or user safety. Recall that your product handles money: tokens have monetary value, so a security failure causes direct financial loss to users and, with it, reputational damage to the project.
Create a plan for addressing lower-severity issues based on available resources and potential risks.
Thorough Review of Vulnerabilities:
Conduct a comprehensive review of all identified vulnerabilities. The Dedicated Security Lead should own this review.
Verify that remediation efforts have been successful and that no critical vulnerabilities remain.
Use automated tools (static analyzers, fuzzers, test suites) to complement manual reviews, so that the classes of bugs tools catch reliably are not missed and reviewers can spend their time on logic and design flaws that tools cannot find.
Budget for Audits: Quality audits can be expensive but are a necessary investment to ensure the long-term success of your project.
Iterative Auditing: Consider conducting multiple audits throughout development, not just a single audit at the end. Continuous auditing allows for early identification and resolution of issues. For the most operationally important parts of the code, consider engaging more than one independent auditor.
Post-Audit Remediation: Once the audit is complete, ensure all high-priority issues are resolved. Document changes and fixes in a clear and concise manner.
Internal Security Review: Conduct an internal review to double-check the external audit findings and any new changes made during remediation.
Community Engagement: Share a summary of the audit process, including key findings and how they were addressed. This not only informs users but also builds trust and demonstrates your commitment to security. Be careful about sharing the sensitive details of an audit. Some details should be kept internal (e.g. exploit vectors), and no details of a vulnerability should be shared until it has been remediated.
Auditing is not just a one-time activity but an ongoing process that ensures your project remains secure and resilient. By investing in thorough audits and remediation, you set the foundation for a successful and secure launch.