Contract optimization and security
Author of this section: @Fish
Vulnerability list contributions: @Fish, @Ethan
This lecture briefly covers contract security. You are also welcome to submit vulnerabilities found in the contracts of this course to help improve the document.
About Contract Security and Optimization
Contract security is a very important part of DApp development. Vulnerabilities in smart contracts can lead to the loss of assets, so you need to be extra careful when developing contracts. Most blockchain contracts cannot be modified once deployed; they can only be redeployed. Contract code is also usually open source, so once a flawed contract is deployed it is easy for attackers to exploit it, assets may be accidentally frozen in the contract, or the contract may produce unexpected, wrong results.
Contract security is therefore critical. Generally speaking, a contract is audited by a professional team before it is officially released, and the audit report is published. For more on contract security, please refer to the contract security part of the WTF Academy course.
In addition to security, contract optimization is also very important. Executing a contract consumes gas, and the code cannot be updated after the contract is released, so it is equally important to optimize the contract code before it goes online.
Use AI to audit contracts
At present, contract audits still need to be carried out by an expert team, but there are also AI tools that can perform some auditing. They are an effective means of doing a preliminary review of a contract and weeding out basic, common problems.
Here we try ZAN's AI Scan service to do a simple audit. As shown in the figure below, we submitted an audit task.
Finally, we get a report. It is generated from an existing database of contract vulnerabilities and lists possible vulnerabilities together with suggestions. For example, as shown in the figure below: because our contract does not support trading the native token, we also do not implement any withdrawal of native tokens. The `payable` modifier flagged by the report is therefore unnecessary; on the contrary, it may lead to native tokens being accidentally transferred to the contract and then being impossible to withdraw.
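The `payable` finding above, as an added illustration (this is not Wtfswap's code): a minimal, hypothetical ERC-20 pool whose `swap` accepts ETH it can never move out, beside the same contract with the modifier removed so that calls attaching value revert instead of trapping funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal pool used only to illustrate the `payable` finding.
// Neither contract is Wtfswap's own code.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Before: `swap` is marked payable although the pool only moves ERC-20 tokens.
// Any ETH sent along with the call is accepted, and since there is no function
// that can send ETH out again, it is locked in the contract forever.
contract PoolStuckETH {
    IERC20 public immutable token;

    constructor(IERC20 token_) {
        token = token_;
    }

    function swap(uint256 amountIn) external payable {
        require(token.transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        // ... pricing and output transfer omitted; msg.value is never used
    }
}

// After: the modifier is simply removed. A call that attaches value now
// reverts with the compiler's non-payable check, so a user mistake cannot
// trap ETH in the pool. No receive()/fallback() is declared either, so plain
// ETH transfers to the contract are rejected as well.
contract PoolNoETH {
    IERC20 public immutable token;

    constructor(IERC20 token_) {
        token = token_;
    }

    function swap(uint256 amountIn) external {
        require(token.transferFrom(msg.sender, address(this), amountIn), "transferFrom failed");
        // ... pricing and output transfer omitted
    }
}
```

Removing `payable` protects against accidental transfers only; ETH can still be forced into a non-payable contract (for example as the target of `selfdestruct`), so if a contract ever needs to handle stray ETH it should expose an explicit, access-controlled withdrawal rather than rely on the modifier alone.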
In addition, the report lists common possible vulnerabilities such as re-entrancy attacks and integer overflow attacks:
The full report can be viewed at https://zan.top/review/reports/public/51d6c489-8b2e-4f9a-b132-9916a30083b0.
Wtfswap contract vulnerability and Optimization Case Collection
Of course, an AI audit cannot fully guarantee the security of a contract. A lot of logic, especially business-specific logic, needs a service like ZAN Expert Audit, which engages a security expert to review the contract. Bevmswap-20240328.pdf is an example of such an expert audit report.
Due to limited resources, we are also unable to conduct a complete review of the Wtfswap contract. We welcome the community to submit vulnerabilities in our contract.
You can submit a Pull Request directly to report the vulnerability you found, adding a vulnerability file under bugs to help community students learn.
Vulnerability list:
The above are the vulnerabilities and optimization points of the Wtfswap contract that have been discovered so far. Community students are welcome to submit additional cases.