At Quantstamp, we believe in positive redundancy and allocate a minimum of three audit engineers to every project. Many firms allocate only one or two auditors, so this is unusual in the industry.
Each auditor conducts their own code review, using a mixture of manual auditing and proprietary tooling. During the audit the team frequently compares notes and strategies, and notifies the client immediately of any serious issues.
Once each auditor has completed the full review, the team collates their findings into a preliminary report. The findings are categorized by severity, and the audit team also documents potential ways to fix or mitigate each one.
The auditors create a Slack channel with the project team, and there is ongoing communication between Quantstamp engineers and client engineers for questions and clarifications, which gives Quantstamp audits a true sense of collaboration. The preliminary findings are shared confidentially with the project, and the team does a code walkthrough with the client to talk through the issues that were found.
The project is then given a period of time (usually two weeks) to fix vulnerabilities and address the findings contained in the initial report. On completion of the fixes, the audit team conducts a ‘Fix Review’ to check the changes that have been made. Each original issue is marked ‘Fixed,’ ‘Mitigated,’ ‘Acknowledged’ or left as ‘Unresolved.’
The audit report is updated and a final version is delivered to the project. Often our reports are made public by the projects themselves, but public reports can also be viewed (and verified) on our website. A quality audit report can help a project get listed on a centralized exchange or bring in investment.
Examples of good documentation:
A public function that can be made external should be made external. This both saves gas and reduces the possibility of bugs, since external functions cannot be called internally.
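As an added illustration (not code from Quantstamp or from any audited project; the contract and function names are hypothetical), the same entry point written both ways. The `public` version copies its array argument into memory on every call and can be invoked from inside the contract, so a later refactor could reach it without going through the external call path; the `external` version reads the argument directly from calldata and the compiler rejects any internal call to it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// "Before": the function is only ever meant to be called from outside,
// but it is declared public. Nothing stops a future internal call to it,
// and the dynamic array parameter must live in memory, so every call pays
// for a calldata-to-memory copy.
contract OwnerRegistryPublic {
    address[] internal owners;

    function setOwners(address[] memory newOwners) public {
        owners = newOwners;
    }

    function ownerCount() public view returns (uint256) {
        return owners.length;
    }
}

// "After": the function is reachable only through an external call.
// The array is read in place from calldata (no copy), and an accidental
// internal call is a compile-time error rather than a silent code path.
contract OwnerRegistryExternal {
    address[] internal owners;

    function setOwners(address[] calldata newOwners) external {
        owners = newOwners;
    }

    function ownerCount() external view returns (uint256) {
        return owners.length;
    }

    function resetOwners() internal {
        // setOwners(new address[](0));
        //   -> does not compile: an external function cannot be called internally.
        // this.setOwners(new address[](0));
        //   -> compiles, but is a real external call with msg.sender == address(this),
        //      which makes the cross-boundary call visible in the code.
        delete owners;
    }
}
```

The gas saving comes mainly from dynamic `bytes`, `string` and array parameters, which an external function can read straight from calldata; from Solidity 0.6.9 onward a public function may also declare `calldata` parameters, so on recent compilers the remaining benefit is chiefly the narrower set of call paths. Slither's `external-function` detector flags public functions that are never called internally, which is a quick way to find these candidates during review.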