Solidity bug slips through for Hegic - no automated tests

Hi,

Today there was a case of the Hegic protocol having a fatal flaw because of a typo in their Solidity code. Looks like their smart contract suite lacked any automated tests, and this bug was the kind that would have been easily caught in a test.

We should definitely increase the awareness of the testing needed - letting a protocol launch without tests is a failure of the technical Ethereum community to uphold standards. Someone who knew better should have told them to pull the brake.

The project was audited by Trail of Bits, and the audit report is here: https://github.com/trailofbits/publications/blob/master/reviews/hegic-summary.pdf. Looks like there was no recommendation to have an automated test suite.

I hope Zeppelin requires all of their clients to have some minimal automated test suite coverage.


Hi @miohtama,

Thanks for sharing your thoughts. :pray:

This is the OpenZeppelin recommended checklist to follow before an audit:

I recommend everyone tests like a rockstar:

One final point is that Trail of Bits did a 3-day security assessment, which is not the same as an audit.

There is also a list of post-mortems: