Blog

Must-Have Skills as an Auditor

As an auditor, you must be able to identify all possible call paths for each function. Different entry functions can have different impacts depending on their parameters and the context in which they are called.

After you have read the thread, check out the function and spot the bug.

Consider a scenario where these functions take an additional parameter: a "from" parameter that lets a permissioned address deposit, withdraw, or harvest on behalf of another account, or a "to" parameter that withdraws to, or deposits into, a different address. This complexity introduces numerous potential call paths.

When you audit a function, you must consider every possible way that function can be called. This means not just looking at the function in isolation but understanding how it interacts with the rest of the contract and potentially external contracts as well.

What to look for (1):

Security Vulnerabilities: Each call path can introduce potential security vulnerabilities, such as reentrancy attacks, access control issues, or unexpected interactions with other internal functions or external contracts.

What to look for (2):

Functionality Bugs: A function might behave as intended when called in one context but could fail or behave unexpectedly in a different context.

Methodology (1):

Map Out All Call Paths: Start by identifying all possible call paths that lead to the function. This includes direct calls from users, as well as calls from other functions within the contract or from external contracts.

Methodology (2):

Analyze Each Path Individually: For each path, consider the permissions required, the state of the contract before the call, and how the state changes after the call.

Methodology (3):

Consider External Interactions: If the function interacts with external contracts, consider the state and behavior of those contracts as well.

Methodology (4):

Look for Edge Cases: Pay special attention to edge cases, such as boundary values, or calls that might result in numerical underflows or overflows.
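The four methodology steps above can be made mechanical for the first two (map the paths, then record the permissions and the account each path acts on). The following is an added example, not code from the original post or from Synthetix: it models a small Synthetix-style staking contract extended with the "from"/"to" style parameters the post describes, enumerates every path from an externally callable entry point to a chosen function, and lists which paths reach that function with a caller-supplied account and no access check on the way. The function names, call edges and guard strings in the model are constructed for illustration; the model tracks only the account whose state is touched, so a recipient-style "to" parameter (as in withdrawTo) is a second dimension you would review separately.

```python
"""Call-path enumeration over a constructed model of a staking contract.

Added example, not from the original post or from Synthetix. The contract model
(function names, who calls whom, the access check each function enforces, and
the account expression each call operates on) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fn:
    name: str
    external: bool   # True if any caller can invoke it (public/external)
    guard: str       # access check enforced by this function, "none" if unguarded
    # callees: (callee name, account expression handed to it, as written in THIS
    # function). "msg.sender" or one of this function's parameter names for entry
    # points; "same" means an internal function forwards the account it received.
    callees: tuple


# Constructed model: a Synthetix-style StakingRewards contract plus hypothetical
# stakeFor(to), withdrawTo(to) and harvestFor(from) entry points.
CONTRACT = {f.name: f for f in (
    Fn("stake",      True, "none", (("_updateReward", "msg.sender"), ("_credit", "msg.sender"))),
    Fn("withdraw",   True, "none", (("_updateReward", "msg.sender"), ("_debit", "msg.sender"))),
    Fn("getReward",  True, "none", (("_updateReward", "msg.sender"), ("_payReward", "msg.sender"))),
    Fn("exit",       True, "none", (("withdraw", "msg.sender"), ("getReward", "msg.sender"))),
    Fn("stakeFor",   True, "none", (("_updateReward", "to"), ("_credit", "to"))),
    Fn("withdrawTo", True, "none", (("_updateReward", "msg.sender"), ("_debit", "msg.sender"))),
    Fn("harvestFor", True, "isOperator(from)", (("_updateReward", "from"), ("_payReward", "from"))),
    Fn("notifyRewardAmount", True, "onlyRewardsDistribution", (("_updateReward", "address(0)"),)),
    # internal functions
    Fn("_updateReward", False, "none", ()),
    Fn("_credit",       False, "none", ()),
    Fn("_debit",        False, "none", (("_checkBalance", "same"),)),
    Fn("_checkBalance", False, "none", ()),
    Fn("_payReward",    False, "none", ()),
)}


def call_paths(target):
    """Step 1 and 2 of the methodology: every path from an external entry point to
    `target`, with the account expression that reaches `target` and the access
    checks enforced anywhere along the path."""
    results = []

    def walk(fn_name, path, account, guards):
        fn = CONTRACT[fn_name]
        if fn.guard != "none":
            guards = guards + (fn.guard,)
        if fn_name == target:
            results.append({"path": path, "account": account, "guards": guards})
            return
        for callee, acct in fn.callees:
            if callee in path:          # ignore recursive edges
                continue
            walk(callee, path + [callee], account if acct == "same" else acct, guards)

    for fn in CONTRACT.values():
        if fn.external:
            walk(fn.name, [fn.name], "msg.sender", ())
    return results


def caller_supplied_unguarded(target):
    """Paths on which the account reaching `target` is a caller-supplied
    parameter and no access check was enforced anywhere on the way. These are
    the paths to read first, not a verdict: some of them are intended."""
    return [r for r in call_paths(target)
            if r["account"] not in ("msg.sender", "address(0)") and not r["guards"]]


def report(target):
    """Human-readable listing of all paths to `target`."""
    lines = []
    for r in call_paths(target):
        guards = ", ".join(r["guards"]) or "no access check"
        lines.append(f"{' -> '.join(r['path'])}  account={r['account']}  [{guards}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("_updateReward"))
    print("\nreview first:")
    for r in caller_supplied_unguarded("_updateReward"):
        print("  " + " -> ".join(r["path"]))
```

Running the module lists nine paths into _updateReward and flags only stakeFor, because that is the one entry point on which the account whose reward state is updated comes from a parameter rather than msg.sender and no guard was enforced; harvestFor also acts on a parameter, but its isOperator(from) guard is recorded on the path. Step 3 (external interactions) and step 4 (boundary values) do not fit a call-graph walk and still have to be done by hand for each listed path.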

If you have made it this far, you should now be able to find the bug. Comment it and retweet if you found it (familiarity with Synthetix Staking Rewards is necessary).