Audit report template

Since we are on the topic, here is a template you're free to use for audit reports.

It's a little opinionated in some ways. You can of course use only part of it, or none at all...

The title should describe the contract or contract system this report pertains to, followed by some standard service name (e.g. "Contract Security Audit").

Examples:

Favvom Contract Security Audit
Favvom Multisig Contract Security Audit
SRQj Contract Security Audit

It's recommended that your overall title use book-title capitalization, while your later headings use sentence case, "Like this one".

Your report might then continue into the following...

Table of contents

  • Introduction
    • Disclaimer
    • Document structure
    • Overview
  • Audit summary
    • Per-contract vulnerability summary
  • Summary of findings
  • Detailed findings
    • Example finding 1
    • Example finding 2
    • Example finding n
  • Appendix A: Test cases
  • Appendix B: Finding rating classification

Introduction

Ethereum Security Blog was retained by Acme Corp to perform a security audit on their Acmechain contract...

Disclaimer

Ethereum Security Blog makes every effort but is in no way responsible for...

Document structure

The first section contains an overview of the contract functionality contained in the scope of this security audit...

Overview

The Acmechain serves multiple purposes...

Audit summary

This security audit was conducted on the version of Acmechain contained within the Git commit of hash 8a7b840. This included the file Acmechain.sol which instantiates one contract (Acmechain) and one library (Acmemath).

Per-contract vulnerability summary

Acmemath (Acmechain.sol)

No findings to report.

Acmechain (Acmechain.sol)

2 must fix findings, 1 informational finding.

Summary of findings

ID  Name               Classification
1   Example finding 1  Must fix
2   Example finding 2  Must fix
n   Example finding n  Informational

Detailed findings

Example finding 1

Classification: Must fix

Asset: Acmechain.sol

Description

Lorem ipsum blah blah blah.

Recommendations

Lorem ipsum blah blah blah.

Example finding 2

Classification: Must fix

Asset: Acmechain.sol

Description

Lorem ipsum blah blah blah.

Recommendations

Lorem ipsum blah blah blah.

Example finding n

Classification: Informational

Asset: Acmechain.sol

Description

Lorem ipsum blah blah blah.

Recommendations

Lorem ipsum blah blah blah.

Appendix A: Test cases

(Ideally work out something here with test cases, hopefully automated ones, as a value-add to the customer)

Appendix B: Finding rating classification

Some pop-up firms doing smart contract audits have chosen to take an "OWASP-like" approach to this. See the table below.

They also tend to call this "vulnerability severity classification" instead of the more generalized "finding rating classification".

The writers of this course believe smart contracts, especially those out in public on the Ethereum blockchain, are a different animal. They don't warrant the same rating scale as traditional web apps. It's better to chunk findings into the following:

  • Must fix
  • Consider fixing
  • Informational

And to say "findings" rather than "vulnerabilities", because that leaves room for informational items. Like, hey, we couldn't help but notice you could save some gas by doing fill-in-the-blank.

Overall this appendix B might just contain the table below.

Rating           Description
Must fix         TODO
Consider fixing  TODO
Informational    TODO
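As an added example (not part of the original template), a small Python helper that builds the "Per-contract vulnerability summary" lines from a structured list of findings, enforcing the three-tier Appendix B rating scale and checking that every finding maps to a contract in the audit scope. The contract names and findings are constructed sample values mirroring the Acmechain.sol placeholder above.

```python
from collections import Counter
from dataclasses import dataclass

# The three-tier scale from Appendix B, in the order the report lists them.
RATINGS = ("Must fix", "Consider fixing", "Informational")


@dataclass(frozen=True)
class Finding:
    fid: str
    name: str
    classification: str
    contract: str  # contract or library the finding belongs to

    def __post_init__(self):
        # Reject ratings outside the scale so the report cannot drift into ad-hoc severities.
        if self.classification not in RATINGS:
            raise ValueError(f"finding {self.fid}: unknown rating {self.classification!r}")


def check_scope(findings, contracts):
    """IDs must be unique and every finding must belong to an in-scope contract."""
    ids = [f.fid for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate finding IDs")
    unknown = {f.contract for f in findings} - set(contracts)
    if unknown:
        raise ValueError(f"findings reference out-of-scope contracts: {sorted(unknown)}")
    return True


def per_contract_summary(findings, contracts):
    """Summary line per contract; contracts with nothing to report still get a line."""
    check_scope(findings, contracts)
    summary = {}
    for contract in contracts:
        counts = Counter(f.classification for f in findings if f.contract == contract)
        parts = [f"{counts[r]} {r.lower()} finding{'s' if counts[r] != 1 else ''}"
                 for r in RATINGS if counts[r]]
        summary[contract] = ", ".join(parts) + "." if parts else "No findings to report."
    return summary


# Constructed sample mirroring the template: one library and one contract in Acmechain.sol.
CONTRACTS = ("Acmemath", "Acmechain")
SAMPLE = [
    Finding("1", "Example finding 1", "Must fix", "Acmechain"),
    Finding("2", "Example finding 2", "Must fix", "Acmechain"),
    Finding("3", "Example finding 3", "Informational", "Acmechain"),
]
```

Running `per_contract_summary(SAMPLE, CONTRACTS)` yields the two lines shown in the template's per-contract section, and a finding with a rating outside the scale or a contract outside `CONTRACTS` is rejected before any text is rendered.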