Skip to content

Latest commit

 

History

History
190 lines (159 loc) · 6.52 KB

6. Audit Techniques and Tools 101.md

File metadata and controls

190 lines (159 loc) · 6.52 KB
Raw

Q1 Which of the below is/are accurate?

  • A) Audits identify all security vulnerabilities and guarantee bug-free code
  • B) Audits cover only smart contracts but never the offchain code
  • C) Audits suggest fixes for issues identified and aim to reduce risk
  • D) None of the above
Click the reveal the answer C

Q2 Audit reports from audit firms typically include

  • A) Finding likelihood/difficulty, impact and severity
  • B) Exploit scenarios and recommended fixes
  • C) Formal verification of all findings with proofs and counterexamples
  • D) All of the above
Click the reveal the answer A,B

Q3 These audit techniques are especially well-suited for smart contracts (compared to Web2 programs)

  • A) Formal verification because contracts are relatively smaller with specific properties
  • B) Fuzzing because anyone can send random inputs to contracts on blockchain
  • C) Static source-code analysis because contracts are expected to be open-source
  • D) High-coverage testing because contract states and transitions are relatively fewer
Click the reveal the answer A,B,C,D

Q4 The following kinds of findings may be expected during audits

  • A) True positives after confirmation from the project team
  • B) False positives due to assumptions from missing specification and threat model
  • C) False negatives due to limitations of time and expertise
  • D) None of the above
Click the reveal the answer A,B,C

Q5 Which of the following is/are true?

  • A) Audited projects always have clear/complete specification and documentation of all contract properties
  • B) Manual analysis is typically required for detecting application logic vulnerabilities
  • C) Automated tools like Slither and MythX have no false negatives
  • D) The project team always fixes all the findings identified in audits
Click the reveal the answer B

Q6 Automated tools for smart contract analysis

  • A) Are sufficient therefore making manual analysis unnecessary
  • B) Have no false positives whatsoever
  • C) Are best-suited for application-level vulnerabilities
  • D) None of the above
Click the reveal the answer D

Q7 Which of the following is/are true?

  • A) Slither supports detectors, printers, tools and custom analyses
  • B) Echidna is a symbolic analyzer tool
  • C) MythX is a combination of static analysis, symbolic checking and fuzzing tools
  • D) None of the above
Click the reveal the answer A,C

Q8 Which of the following is/are correct about false positives?

  • A) They are findings that are not real concerns/vulnerabilities after further review
  • B) They are real vulnerabilities but are falsely claimed by auditors as benign
  • C) They are possible with automated tools
  • D) None of the above
Click the reveal the answer A,C

Q9 Audit findings

  • A) May include both specific vulnerabilities and generic recommendations
  • B) May not all be fixed by the project team for reasons of relevancy and acceptable trust/threat model
  • C) Always have demonstrable proof-of-concept exploit code on mainnet
  • D) None of the above
Click the reveal the answer A,B

Q10 Which of the following is/are typical manual review approach(es)?

  • A) Asset flow
  • B) Symbolic checking
  • C) Inferring constraints
  • D) Evaluating assumptions
Click the reveal the answer A,C,D

Q11 Access control analysis is a critical part of manual review for the reason(s) that

  • A) It is the easiest to perform because smart contracts never have access control
  • B) It is the fastest to perform because there are always only two roles: users and admins
  • C) It is fundamental to security because privileged roles (of which there may be many) may be misused/compromised
  • D) None of the above
Click the reveal the answer C

Q12 Which of the following is/are true about vulnerability difficulty and impact?

  • A) Difficulty indicates how hard it was for auditors to detect the issue
  • B) Difficulty is an objective measure that can always be quantified
  • C) Impact is typically classified as High if there is loss/lock of funds
  • D) None of the above
Click the reveal the answer C

Q13 Application-level security constraints

  • A) Are always clearly/completely specified and documented
  • B) Have to be typically inferred from the code or discussions with project team
  • C) Typically require manual analysis
  • D) None of the above
Click the reveal the answer B,C

Q14 Which of the following is/are typically true?

  • A) Static analysis analyzes program properties by actually executing the program
  • B) Fuzzing uses valid, expected and deterministic inputs
  • C) Symbolic checking enumerates individual states/transitions for efficient state space traversal
  • D) None of the above
Click the reveal the answer D

Q15 Which of the following is/are generally true about asset flow analysis?

  • A) Analyzes the flow of Ether or tokens managed by smart contracts
  • B) Assets should be withdrawn only by authorized addresses
  • C) The timing aspects of asset withdrawals/deposits is irrelevant
  • D) The type and quantity of asset withdrawals/deposits is irrelevant
Click the reveal the answer A,B

Q16 Which of the following is/are generally true about control and data flow analyses?

  • A) Interprocedural control flow is typically indicated by a call graph
  • B) Intraprocedural control flow is dictated by conditionals (if/else), loops (for/while/do/continue/break) and return statements
  • C) Interprocedural data flow is evaluated by analyzing the data used as argument values for function parameters at call sites
  • D) Intraprocedural data flow is evaluated by analyzing the assignment and use of variables/constants along control flow paths within functions
Click the reveal the answer A,B,C,D