Hi,
Today there was a case of the Hegic protocol having a fatal flaw because of a typo in their Solidity code. Looks like their smart contract suite lacked any automated tests, and this bug was the kind that would have been easily caught in a test.
We should definitely increase the awareness of the testing needed - letting a protocol launch without tests is a failure of the technical Ethereum community to uphold standards. Someone who knew better should have told them to pull the brake.
The project was audited by Trail of Bits, and the audit report is here: https://github.com/trailofbits/publications/blob/master/reviews/hegic-summary.pdf Looks like there was no recommendation to have an automated test suite.
I hope Zeppelin requires all of their clients to have some minimal automated test suite coverage.
Hi @miohtama ,
Thanks for sharing your thoughts.
This is the OpenZeppelin recommended checklist to follow before an audit:
I recommend everyone tests like a rockstar:
One does not simply test your dapp.
Among many other things while developing a decentralized application, testing it is something you always need to do. What most people still don’t do is automate those tests, which leads to a huge loss of time and drains the energy to code.
Automated tests have been around for a while and they have been gaining lots of traction in the last decade. Whilst blockchain and smart contract development are fairly new, we can still automate tests for these. We can, s…
One final point is that Trail of Bits did a 3 day security assessment, which is not the same as an audit.
There is also a list of post-mortems:
Note: Also check our Compiled List of Solidity Vulnerabilities .
When things go wrong with the development, testing and auditing processes, vulnerable contracts are deployed to mainnet and go into production.
These vulnerabilities are then either found by the good hackers and the project is patched, or they are exploited by the bad hackers and the project crashes. Sometimes weird things happen, when the definitions of good, bad, and crash are not very clear.
But this is how we learn. Things …