This document outlines SlowMist's methodology, testing scope, and service coverage for blockchain and cryptocurrency security audits. It is intended as an overview of the audit approach for public blockchains, application-specific blockchains, smart contracts, and related blockchain applications.
SlowMist uses several classical security models to identify potential threats in cryptocurrency systems and to define audit priorities.
| Model | Core Content | Description |
|---|---|---|
| CIA | Confidentiality, Integrity, Availability | Defines the core objectives of a security architecture. |
| STRIDE | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege | Helps systematically identify common threat categories and attack surfaces. |
| DREAD | Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability | Supports risk prioritization for discovered vulnerabilities. |
| PASTA | Define objectives, scope the technology, decompose the application, analyze threats, identify vulnerabilities, enumerate attack paths, and assess risk and impact | Provides a threat analysis process aligned with architecture and business context. |
Audit work typically combines black-box, gray-box, and white-box testing.
| Test Method | Description |
|---|---|
| Black-box testing | Verifies program behavior from the user perspective by observing outputs under different input scenarios, without access to internal implementation. |
| Gray-box testing | Designs test cases using a user perspective plus partial source-code awareness, focusing on inputs, outputs, and externally observable behavior. |
| White-box testing | Examines internal logic and implementation details in depth, including line-by-line analysis of critical code paths and potential defects. |
In black-box and gray-box testing, we use fuzzing, script-based testing, and similar techniques to feed interfaces or components with random data or specially structured inputs. This evaluates robustness and surfaces abnormal behavior in edge cases, such as crashes, functional defects, or performance anomalies.
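As an added illustration of the fuzzing approach described above (example code written for this page, not SlowMist's tooling): a constructed length-prefixed transfer encoding with a decoder that trusts its length prefix, a bounds-checked decoder, and a native Go fuzz target that mutates from a valid encoding and a crafted oversized prefix. The wire format, the `Transfer` type, and the crafted input are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"testing"
)

// Added example, not SlowMist's code. Wire format (constructed for this
// example): [u32 big-endian len(To)] [To bytes] [u64 big-endian Amount]

type Transfer struct {
	To     string
	Amount uint64
}

// Encode serializes a Transfer in the wire format above.
func Encode(t Transfer) []byte {
	b := binary.BigEndian.AppendUint32(nil, uint32(len(t.To)))
	b = append(b, t.To...)
	return binary.BigEndian.AppendUint64(b, t.Amount)
}

// DecodeUnchecked trusts the length prefix. A prefix larger than the buffer
// makes the slice expression panic; inside an RPC or P2P handler that is a
// remotely triggerable node crash.
func DecodeUnchecked(b []byte) Transfer {
	n := binary.BigEndian.Uint32(b)
	to := string(b[4 : 4+n])
	return Transfer{To: to, Amount: binary.BigEndian.Uint64(b[4+n:])}
}

// DecodeChecked validates every boundary before slicing and rejects trailing
// bytes, so a successful decode re-encodes to exactly the same input.
func DecodeChecked(b []byte) (Transfer, error) {
	if len(b) < 4 {
		return Transfer{}, errors.New("short header")
	}
	n := uint64(binary.BigEndian.Uint32(b))
	if uint64(len(b)) != 4+n+8 {
		return Transfer{}, errors.New("length prefix does not match buffer")
	}
	return Transfer{
		To:     string(b[4 : 4+n]),
		Amount: binary.BigEndian.Uint64(b[4+n:]),
	}, nil
}

// CraftedOversized is a constructed input whose prefix claims a 4096-byte
// recipient but carries only three bytes.
var CraftedOversized = []byte{0x00, 0x00, 0x10, 0x00, 'b', 'o', 'b'}

// PanicsOnDecode runs DecodeUnchecked under recover so a harness can record
// the crash as a result instead of dying with the process.
func PanicsOnDecode(b []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	DecodeUnchecked(b)
	return false
}

// FuzzDecodeChecked is a native Go fuzz target. The seed corpus holds one
// valid encoding and the crafted prefix; the engine mutates from there. Any
// panic, or a decode that does not round-trip, is reported as a crash case.
func FuzzDecodeChecked(f *testing.F) {
	f.Add(Encode(Transfer{To: "bob", Amount: 10}))
	f.Add(CraftedOversized)
	f.Fuzz(func(t *testing.T, data []byte) {
		tr, err := DecodeChecked(data)
		if err != nil {
			return // rejected cleanly, which is the acceptable outcome
		}
		if !bytes.Equal(Encode(tr), data) {
			t.Fatalf("round trip mismatch for %x", data)
		}
	})
}

func main() {
	fmt.Println("unchecked decoder panics on crafted input:", PanicsOnDecode(CraftedOversized))
	_, err := DecodeChecked(CraftedOversized)
	fmt.Println("checked decoder error:", err)
}
```

Only `DecodeChecked` belongs behind a network interface or a fuzzer; `DecodeUnchecked` is kept so the difference between a clean rejection and a remotely triggerable panic is observable. To let the engine mutate the seeds, move `FuzzDecodeChecked` into a `_test.go` file and run `go test -fuzz=FuzzDecodeChecked`.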
In white-box testing, we analyze object definitions, critical flows, and implementation logic through methods such as code review. Combined with the security team's experience in known blockchain vulnerabilities, this helps verify whether key logic and core components contain known risks while also identifying potential 0day issues in new scenarios and emerging technologies.
The Common Vulnerability Scoring System (CVSS) is an open framework for describing the characteristics and severity of software vulnerabilities. CVSS includes Base, Temporal, and Environmental metrics: the Base metrics reflect intrinsic properties of the vulnerability, the Temporal metrics capture characteristics that change over time, and the Environmental metrics reflect the impact within a specific deployment context.
Based on the CVSS methodology, SlowMist further defines a vulnerability severity classification tailored to blockchain scenarios:
| Level | Description |
|---|---|
| Critical | Has a major impact on the security of the blockchain project and should be remediated immediately. |
| High | Significantly affects normal system operation and should be fixed as soon as possible. |
| Medium | Has a practical impact on project operation and should be scheduled for remediation. |
| Low | May affect system operation in specific scenarios and should be prioritized according to business context. |
| Weakness | Represents a theoretical security risk that is extremely difficult to reproduce in practice. |
| Suggestion | Does not necessarily constitute a direct vulnerability, but indicates better coding or architectural practices. |
| Information | Matches the intended design, but may still cause user asset loss or security misunderstanding under certain usage patterns. |
The SlowMist team's Blockchain Threat Intelligence system continuously tracks ongoing security incidents and applies threat intelligence to its security audit services.
The team also analyzes publicly known blockchain security issues and has compiled a Blockchain Common Vulnerability List to support risk identification and audit baseline construction.
Depending on the audit objective, SlowMist divides public blockchain security auditing into mainnet security and compliance audits, source code security audits, and application-chain audits tailored to specific development frameworks.
For public chains and Layer 2 mainnets that are already live or about to launch, the audit focuses on the robustness of infrastructure protection, node distribution and disaster recovery, consensus reliability, and the resilience of core code against attacks. Historical audit records and regulatory compliance requirements are also considered to assess the mainnet security baseline and compliance status, resulting in a professional assessment report.
Typical audit areas include:
- Infrastructure security assessment
- Network scale and node distribution assessment
- Consensus algorithm security assessment
- Core code security assessment
- Historical audit and compliance assessment
Source code security auditing adopts a "white-box" strategy and performs in-depth analysis of project source code. It typically combines automated static analysis with manual review to improve both coverage and precision.
The SlowMist team uses open-source or commercial code scanning tools for static analysis and manually reviews the findings. Supported mainstream languages include C/C++/Golang/Rust/Java/Node.js/C#.
The static analysis scope includes the following categories:
- Code quality and maintainability issues: unused variables or imports, inconsistent formatting, inconsistent naming, insufficient or outdated comments, poor readability, duplicated code, excessive complexity, poor testability, and design principle violations.
- Resource and execution safety issues: improperly closed resources, memory leaks, deadlocks, race conditions, infinite recursion, improper exception handling, and performance issues.
- Basic coding defects: magic numbers, hard-coded constants, type conversion errors, divide-by-zero errors, null pointer dereferences, integer overflow, and floating-point precision issues.
- Typical security risks: SQL injection, XSS, string formatting vulnerabilities, buffer overflow, insecure random number generation, path traversal, TOCTOU-style time and state issues, and hard-coded keys or sensitive information.
- Architecture and supply chain issues: high coupling, low cohesion, and outdated dependencies or dependencies with known security risks.
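The arithmetic defects in the list above (integer overflow, divide-by-zero, precision) are easiest to see in ledger code. The following is an added example written for this page, not SlowMist's code: an unchecked mint that silently wraps the total supply, checked counterparts built on `math/bits`, and a reward computation with explicit overflow and zero-divisor handling. The `Token` type and the constructed balances are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
)

// Added example, not SlowMist's code.

var (
	ErrOverflow  = errors.New("arithmetic overflow")
	ErrDivByZero = errors.New("division by zero")
)

// SafeAdd fails instead of wrapping: bits.Add64 exposes the carry bit.
func SafeAdd(a, b uint64) (uint64, error) {
	sum, carry := bits.Add64(a, b, 0)
	if carry != 0 {
		return 0, ErrOverflow
	}
	return sum, nil
}

// SafeMul fails when the product needs more than 64 bits (non-zero high word).
func SafeMul(a, b uint64) (uint64, error) {
	hi, lo := bits.Mul64(a, b)
	if hi != 0 {
		return 0, ErrOverflow
	}
	return lo, nil
}

// SafeDiv turns a zero divisor into an error instead of a runtime panic,
// which in block processing would halt the node rather than reject one tx.
func SafeDiv(a, b uint64) (uint64, error) {
	if b == 0 {
		return 0, ErrDivByZero
	}
	return a / b, nil
}

// Token is a minimal supply-plus-balances ledger (constructed for the example).
type Token struct {
	TotalSupply uint64
	Balances    map[string]uint64
}

// MintUnchecked wraps silently: with TotalSupply near MaxUint64 the supply
// counter collapses to a small number while the recipient is still credited.
func MintUnchecked(t *Token, to string, amount uint64) {
	t.TotalSupply += amount
	t.Balances[to] += amount
}

// MintChecked computes both new values first and commits only if neither
// overflowed, so a failed mint leaves the state untouched.
func MintChecked(t *Token, to string, amount uint64) error {
	supply, err := SafeAdd(t.TotalSupply, amount)
	if err != nil {
		return err
	}
	bal, err := SafeAdd(t.Balances[to], amount)
	if err != nil {
		return err
	}
	t.TotalSupply, t.Balances[to] = supply, bal
	return nil
}

// Payout computes stake * reward / totalShares. Multiplying before dividing
// keeps precision, so the product needs an overflow check and the divisor a
// zero check. Integer division still truncates; an audit should confirm the
// truncation direction is the one the economic model intends.
func Payout(stake, reward, totalShares uint64) (uint64, error) {
	prod, err := SafeMul(stake, reward)
	if err != nil {
		return 0, err
	}
	return SafeDiv(prod, totalShares)
}

func main() {
	t := &Token{TotalSupply: math.MaxUint64 - 5, Balances: map[string]uint64{}}
	MintUnchecked(t, "alice", 10)
	fmt.Println("unchecked supply after mint:", t.TotalSupply) // wrapped to 4
	t2 := &Token{TotalSupply: math.MaxUint64 - 5, Balances: map[string]uint64{}}
	fmt.Println("checked mint:", MintChecked(t2, "alice", 10))
	fmt.Println(Payout(1, 1, 0))
}
```

Static analyzers flag the `+=` and `/` sites in `MintUnchecked` and a naive `Payout`; the manual review then decides which of them can actually be reached with attacker-controlled operands.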
The SlowMist security team adopts a deep audit model combining expert manual review with automated tool assistance to analyze the underlying code line by line, identifying coding defects and deeper logic vulnerabilities. The core audit scope covers the key dimensions of a blockchain system, mainly:
- Cryptographic security: examining the implementation and use of signature algorithms, hash functions, random number generation, and encryption protocols so that the cryptographic foundation has no known weaknesses.
- Account and transaction security: checking for replay attacks, double-spending, privilege escalation, and transaction malleability to protect user assets and on-chain interactions.
- RPC security: verifying interface authentication, input validation, and rate limiting so that a node's external interfaces cannot be abused or used for DDoS.
- P2P security: evaluating node discovery and routing, testing network isolation, and checking defenses against eclipse and Sybil attacks.
- Consensus security: analyzing the robustness of the consensus algorithm (PoW, PoS, BFT variants, and others) against long-range attacks, fork-related vulnerabilities, and collusion among malicious nodes.
- Business logic security: reviewing architectural design defects, state machine anomalies, and application-specific logic flaws in the context of the concrete usage scenario and economic model.
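An added example for the cryptographic and transaction-malleability items above (written for this page, not SlowMist's code): ECDSA signatures are malleable because for any valid `(r, s)` the pair `(r, N-s)` also verifies, and Go's `crypto/ecdsa` verifier, like textbook ECDSA, accepts both. The block shows the malleated signature passing the lenient verifier, the transaction hash changing as a result, and the low-s rule enforced on both the signing and the verifying side. P-256, the constructed payload and the `TxID` construction are assumptions for the example; the property holds equally on secp256k1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Added example, not SlowMist's code.

// TxID models a chain that hashes the signed transaction including its
// signature, which is exactly when malleability changes the identifier.
func TxID(payload []byte, r, s *big.Int) string {
	h := sha256.New()
	h.Write(payload)
	h.Write(r.Bytes())
	h.Write(s.Bytes())
	return hex.EncodeToString(h.Sum(nil))
}

// IsLowS reports whether s lies in the canonical lower half of the order.
func IsLowS(curve elliptic.Curve, s *big.Int) bool {
	halfN := new(big.Int).Rsh(curve.Params().N, 1)
	return s.Sign() > 0 && s.Cmp(halfN) <= 0
}

// Malleate derives the second valid s; it needs only the public curve order.
func Malleate(curve elliptic.Curve, s *big.Int) *big.Int {
	return new(big.Int).Sub(curve.Params().N, s)
}

// SignCanonical is the wallet-side fix: always emit low-s.
func SignCanonical(priv *ecdsa.PrivateKey, hash []byte) (*big.Int, *big.Int, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, hash)
	if err != nil {
		return nil, nil, err
	}
	if !IsLowS(priv.Curve, s) {
		s = Malleate(priv.Curve, s)
	}
	return r, s, nil
}

// VerifyStrict is the node-side fix: reject high-s before the curve math.
func VerifyStrict(pub *ecdsa.PublicKey, hash []byte, r, s *big.Int) bool {
	return IsLowS(pub.Curve, s) && ecdsa.Verify(pub, hash, r, s)
}

type Result struct {
	LenientAcceptsBoth, StrictAcceptsExactlyOne bool
	StrictAcceptsCanonical, TxIDChanged         bool
}

// Demo signs a constructed payload, flips s, and compares how the standard
// library verifier and VerifyStrict treat the two signatures.
func Demo() (Result, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Result{}, err
	}
	payload := []byte("transfer 10 to bob nonce 7") // constructed sample
	hash := sha256.Sum256(payload)
	r, s, err := ecdsa.Sign(rand.Reader, priv, hash[:])
	if err != nil {
		return Result{}, err
	}
	pub, s2 := &priv.PublicKey, Malleate(priv.Curve, s)
	res := Result{
		LenientAcceptsBoth:      ecdsa.Verify(pub, hash[:], r, s) && ecdsa.Verify(pub, hash[:], r, s2),
		StrictAcceptsExactlyOne: VerifyStrict(pub, hash[:], r, s) != VerifyStrict(pub, hash[:], r, s2),
		TxIDChanged:             TxID(payload, r, s) != TxID(payload, r, s2),
	}
	cr, cs, err := SignCanonical(priv, hash[:])
	if err != nil {
		return Result{}, err
	}
	res.StrictAcceptsCanonical = VerifyStrict(pub, hash[:], cr, cs)
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("%+v %v\n", res, err)
}
```

The practical consequence is the one listed under account and transaction security: if any component keys state on the transaction hash (a pending-transaction map, an exchange's withdrawal tracker, a bridge relay), a third party can make a valid transaction confirm under an ID the originator never saw. The audit check is therefore twofold: the node must reject high-s, and the wallet must never produce it.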
For application-chain scenarios, SlowMist also adopts a "white-box" strategy and performs comprehensive testing with emphasis on common coding pitfalls and framework-level security issues, such as:
- Replay vulnerabilities
- Reordering vulnerabilities
- Race conditions
- Authority control vulnerabilities
- Block data dependence vulnerabilities
- Explicit function visibility
- Arithmetic accuracy deviation vulnerabilities
- Malicious event logs
- Asynchronous call security
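An added example for the replay item above (written for this page, not SlowMist's code): a toy application-chain transfer handler whose signed bytes omit the chain ID and account nonce, next to the hardened variant that binds both. The scenario signs one mainnet transfer and resubmits the same signature three times on mainnet and once on a testnet ledger where the same key also holds funds. The `Transfer` and `Ledger` types, the chain IDs, the balances, and the use of Ed25519 as the chain's signature scheme are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not SlowMist's code. Vulnerable sign bytes omit chain ID and
// nonce, so one signature replays on the same chain and on any other chain
// using the format; hardened sign bytes bind both.

type Transfer struct {
	ChainID string
	From    ed25519.PublicKey
	To      string
	Amount  uint64
	Nonce   uint64
}

// appendStr length-prefixes a string so field boundaries are unambiguous.
func appendStr(b []byte, s string) []byte {
	return append(binary.BigEndian.AppendUint32(b, uint32(len(s))), s...)
}

// SignBytesVulnerable covers only the transfer body.
func SignBytesVulnerable(t Transfer) []byte {
	return binary.BigEndian.AppendUint64(appendStr(nil, t.To), t.Amount)
}

// SignBytesHardened adds domain separation (chain ID, sender) and freshness (nonce).
func SignBytesHardened(t Transfer) []byte {
	b := appendStr(appendStr(appendStr(nil, t.ChainID), string(t.From)), t.To)
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(b, t.Amount), t.Nonce)
}

// Ledger is one chain's state; Strict selects the hardened rules.
type Ledger struct {
	ChainID  string
	Strict   bool
	Balances map[string]uint64
	Nonces   map[string]uint64 // expected next nonce per account
}

// Apply verifies and executes a transfer. The hardened path checks chain ID
// and nonce before any state change and bumps the nonce only on success, so
// a resubmitted signature fails the nonce check.
func (l *Ledger) Apply(t Transfer, sig []byte) error {
	from, msg := string(t.From), SignBytesVulnerable(t)
	if l.Strict {
		msg = SignBytesHardened(t)
	}
	switch {
	case !ed25519.Verify(t.From, msg, sig):
		return errors.New("invalid signature")
	case l.Strict && t.ChainID != l.ChainID:
		return errors.New("signed for a different chain")
	case l.Strict && t.Nonce != l.Nonces[from]:
		return errors.New("stale or out-of-order nonce")
	case l.Balances[from] < t.Amount:
		return errors.New("insufficient balance")
	}
	if l.Strict {
		l.Nonces[from]++ // bumped only after every check passed
	}
	l.Balances[from] -= t.Amount
	l.Balances[t.To] += t.Amount
	return nil
}

// Outcome records how far one captured signature travels.
type Outcome struct {
	AcceptedOnMainnet, AcceptedOnTestnet int
	SenderOnMainnet                      uint64
}

// Scenario signs one mainnet transfer of 30, submits it three times to mainnet
// and once to testnet (constructed balances: 100 for the sender on each chain).
func Scenario(strict bool) (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	newLedger := func(id string) *Ledger {
		return &Ledger{ChainID: id, Strict: strict,
			Balances: map[string]uint64{string(pub): 100}, Nonces: map[string]uint64{}}
	}
	mainnet, testnet := newLedger("mainnet-1"), newLedger("testnet-1")
	tx := Transfer{ChainID: "mainnet-1", From: pub, To: "bob", Amount: 30}
	msg := SignBytesVulnerable(tx)
	if strict {
		msg = SignBytesHardened(tx)
	}
	sig := ed25519.Sign(priv, msg)

	var out Outcome
	for i := 0; i < 3; i++ {
		if mainnet.Apply(tx, sig) == nil {
			out.AcceptedOnMainnet++
		}
	}
	if testnet.Apply(tx, sig) == nil {
		out.AcceptedOnTestnet++
	}
	out.SenderOnMainnet = mainnet.Balances[string(pub)]
	return out, nil
}

func main() {
	for _, strict := range []bool{false, true} {
		out, err := Scenario(strict)
		fmt.Printf("strict=%v %+v %v\n", strict, out, err)
	}
}
```

With the vulnerable sign bytes the one captured signature drains 90 of the sender's 100 on mainnet and another 30 on testnet; with the hardened bytes it spends once and is refused everywhere else. The two audit questions this encodes are: does the signed payload include every field the chain relies on when applying the transaction, and is the nonce checked before, and advanced only after, every other validation.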
Currently supported:
- Cosmos-SDK framework-based blockchain audit
- Substrate framework-based blockchain audit
- Ethereum (Solidity) Smart Contract Security Audit
- EOS (C++) Smart Contract Security Best Practices
- Solana (Rust) Smart Contract Security Best Practices
- NEAR smart contract security audit
- Sui Move smart contract security audit
- Aptos Move smart contract security audit
- TON smart contract security audit
- Zero-Knowledge Circuit Security Audit
- Interchain Bridge Application Security Audit
- Browser Plugin Wallet Security Audit
- Exchange Security Audit
For details, refer to the SlowMist Knowledge Base.