Introducing a New Comprehensive Smart Contract Audit Readiness Guide

We are pleased to release a new Comprehensive Audit Readiness Guide, intended to give any smart contract project the best practices needed to get the greatest possible benefit from a security audit. Whether developers choose OpenZeppelin or another qualified audit provider, following these guidelines will help the audit process go smoothly. More broadly, the guidelines are also useful points to consider when developing any successful Web3 protocol.

Smart contract audits have become a widely accepted standard within the Web3 community. A team of experts going through a protocol line by line can greatly improve its security posture. Moreover, a public report detailing which vulnerabilities they found and how those vulnerabilities were fixed can go a long way toward assuring prospective users that the protocol is safe.

Since audits have such obvious benefits, should developers rush to get them? Not necessarily. For a protocol to get the most from an audit, it must have reached a certain level of maturity. Generally, this means the code is already tested, documented, and ready for deployment. If the audit happens too early in the development process, subsequent changes to the code negate its value as an assurance of safety. If the audit happens after the code is deployed, the options for remedying vulnerabilities are much more limited.

Check out OpenZeppelin’s Comprehensive Audit Readiness Guide here.

Audit Readiness Considerations

OpenZeppelin encourages developers to think of audit readiness in terms of three key categories: the development team, the protocol community, and the code. These three areas—explained in detail in the guide—are briefly outlined below.

  • The Team: Developing a successful protocol requires a team built for success. First, the team must have all the skills and knowledge necessary to implement the project. (In addition to project-specific skills, the guide outlines eight others that every team should have.) Second, the team must have a consistent, effective method of planning and executing work. Third, project owners should select a team leader with the skills and judgment necessary to solve problems and herd cats. The guide provides detailed questions and helpful resources to shape the way teams think about these issues.
  • The Community: A successful Web3 project will have an active and vibrant community. Project teams must consider the ways they will ensure outside developers will participate and prospective users will invest. To these ends, the guide discusses choosing a software license, conducting community outreach, and channeling community input.
  • The Code: Obviously, the state of the code is the most critical aspect of audit readiness. First, the code itself should be clean, readable, and modular. The guide provides suggestions and resources for naming conventions, style, organization, and other important considerations. Second, the code should have a fast and thorough test suite. Auditors view the condition of a test suite as a good proxy for the condition of the code itself. Third, the code should be well documented, with a Readme, rich documentation, inline comments, and other clear, consistent, and up-to-date sources of information about the project. The guide describes good practices for all of these areas in detail.

An audit is about relationships

It is important to remember that an audit is about more than just checking the code. Its purpose is to help build the trust necessary to attract a thriving community that is willing to invest its time and resources into a project. Fostering that community requires thorough planning and disciplined execution across all areas outlined in the guide. For this reason, a reputable auditor will engage a prospective client in a conversation on each point in the guide to gauge whether a project is ready to get the most out of an audit.

Prospective clients who wish to engage OpenZeppelin’s team of smart contract security experts should fill out the form here. The OpenZeppelin team will review the submitted code and provide a quote and timeline. In the meantime, we encourage developers to consider other OpenZeppelin security tools, and the Audit Readiness Checklist itself, to help improve a project’s code and security posture.
