Security and Code Auditing

The following section covers the Security & Code Auditing strategy and implementation for all Smart Contracts in the Tru Reputation Token project including supporting Libraries & Smart Contracts.

1. Strategy

The Security & Code Auditing Strategy for the Tru Reputation Token Project is as defined below:

  • Due to the inherent financial risk of Cryptocurrency, and the evolving nature of threats and exploits within Solidity and EVM, standardised automated Security Auditing must be leveraged.
  • Automated Security Audits are to be generated on each commit to the Repository.
  • Auditing will include, as much as practicable, a scan against known vulnerabilities, exploits, and insecure coding patterns.
  • Manual Security Audits will be performed by an external third party at least every 3 months after Production Code Release.
  • Audits will be reviewed alongside Testing, Fuzz Testing and Code Coverage to ensure Best Practices and code security before being released to a public network.
  • The Tru Reputation Token Project will not be released without the above items being met.

2. Auditing Tools

Given the evolving nature of Solidity and the EVM, the tools available for performing Security Auditing are not as fully featured as in other code environments. However, several projects are generally effective when combined with full Unit Testing and Fuzz Testing as part of a multi-layered Security Strategy including manual code reviews, manual Audits, Penetration Testing and bug reporting.

The following tools are used within the Tru Reputation Token Project:

Name: EtherScan
Description: EtherScan Verify Contract provides the capability to independently verify that the published source of a Contract matches the deployed instance, ensuring a match at the bytecode level and providing assurance to users of the Contract.

Name: CoverAlls
Description: CoverAlls is used as part of the Project Testing Strategy to ensure Code Coverage of all utilised code. It produces reports detailing the level and degree of code coverage against code execution branches.

Name: Mythril
Description: Mythril is a security analysis tool for Ethereum Smart Contracts that uses concolic analysis to detect various types of issues. It can be used both to analyse the code and to produce an 'ethermap' of the Smart Contract.

Name: Oyente
Description: Oyente is a tool for analysing Ethereum Smart Contracts. It produces a report detailing whether well-known exploits can be achieved against the Contract scanned.
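EtherScan's Verify Contract performs a bytecode comparison on your behalf; the script below is an added example (not part of this project or of EtherScan) that shows the same check done locally before publishing. It assumes the deployed runtime bytecode has already been fetched from a node (for instance via eth_getCode) and is passed in as a hex string, and it relies on the fact that the Solidity compiler appends a CBOR-encoded metadata block to the runtime bytecode whose length is stored in the final two bytes. Two builds of identical source can differ only in that trailer (the metadata hash changes with file paths or comments), so the comparison reports "partial" when the code agrees once the trailer is removed. The sample bytecode and metadata payloads are constructed for the example.

```python
"""Compare deployed runtime bytecode with a local build (added example)."""


def strip_metadata(runtime: bytes) -> bytes:
    """Drop the trailing CBOR metadata block (payload plus 2-byte length).

    Solidity stores the payload length big-endian in the last two bytes.
    If that length does not fit in the bytecode, there is no trailer and
    the input is returned unchanged.
    """
    if len(runtime) < 2:
        return runtime
    cbor_len = int.from_bytes(runtime[-2:], "big")
    if cbor_len + 2 > len(runtime):
        return runtime
    return runtime[: len(runtime) - cbor_len - 2]


def _from_hex(value: str) -> bytes:
    """Accept bytecode with or without a 0x prefix."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def bytecode_matches(deployed_hex: str, compiled_hex: str) -> str:
    """Return "exact", "partial" or "mismatch".

    "exact":    identical bytes, metadata trailer included.
    "partial":  identical code, differing only in the metadata trailer.
    "mismatch": the executable code itself differs; do not publish the
                source as matching this deployment.
    """
    deployed = _from_hex(deployed_hex)
    compiled = _from_hex(compiled_hex)
    if deployed == compiled:
        return "exact"
    if strip_metadata(deployed) == strip_metadata(compiled):
        return "partial"
    return "mismatch"


def make_trailer(payload: bytes) -> bytes:
    """Append the 2-byte length the way solc does (used to build samples)."""
    return payload + len(payload).to_bytes(2, "big")


# Constructed sample: a plausible runtime prologue (PUSH1 0x80 PUSH1 0x40
# MSTORE CALLVALUE DUP1 ISZERO PUSH1 0x0f JUMPI PUSH1 0 DUP1 REVERT
# JUMPDEST POP) followed by two different constructed metadata payloads.
CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")
BUILD_A = CODE + make_trailer(b"\xa1\x64ipfs\x01\x02\x03")
BUILD_B = CODE + make_trailer(b"\xa1\x64ipfs\x09\x08\x07\x06")
# A build whose code differs in one byte (REVERT replaced by STOP).
OTHER = CODE[:-3] + b"\x00" + CODE[-2:] + make_trailer(b"\xa1\x64ipfs\x01\x02\x03")


if __name__ == "__main__":
    print("same build:", bytecode_matches("0x" + BUILD_A.hex(), BUILD_A.hex()))
    print("rebuilt source:", bytecode_matches(BUILD_A.hex(), BUILD_B.hex()))
    print("different code:", bytecode_matches(OTHER.hex(), BUILD_A.hex()))
```

A "partial" result is the normal outcome when the source was rebuilt on a different machine; only "mismatch" means the published source does not describe what is running at the address.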

Mythril and Oyente Audits are automatically performed on each commit to the Repository for each revision of the code, ensuring a continuous benchmark of Security Validation vs known exploits, and coding patterns that are known to open vulnerabilities.
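One way to turn the per-commit Mythril run into a merge gate, as an added example that is not part of this project's build: run the analyser, parse its JSON report and fail the job when any finding reaches a chosen severity. It assumes the command `myth analyze <file> -o json` is available on the build runner and that the report carries an "issues" list whose entries have "title", "severity" and "swc-id" fields; check those names against the Mythril version you install, as they are an assumption here. The sample report, contract name and function names are constructed for the example and do not describe findings in this project's contracts.

```python
"""Gate a commit on a Mythril JSON report (added example, not project code)."""
import json
import subprocess
import sys
from typing import Dict, List

# Severity ranking used to decide what blocks a merge.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample report in the assumed Mythril JSON shape, so the gate
# logic can be exercised offline without running the analyser.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "issues": [
        {"title": "Integer Overflow", "severity": "High", "swc-id": "101",
         "contract": "ExampleSale", "function": "buy(address)",
         "description": "constructed sample finding"},
        {"title": "Dependence on predictable environment variable",
         "severity": "Low", "swc-id": "116",
         "contract": "ExampleSale", "function": "hasEnded()",
         "description": "constructed sample finding"},
    ],
})


def blocking_issues(report_json: str, threshold: str = "Medium") -> List[Dict]:
    """Return the findings at or above `threshold` severity.

    An analyser error or an unknown severity is treated as blocking rather
    than silently passing: an audit that did not run is not a clean audit.
    """
    report = json.loads(report_json)
    if not report.get("success", False):
        return [{"title": "analysis failed", "severity": "High",
                 "description": str(report.get("error"))}]
    floor = SEVERITY_RANK[threshold]
    return [issue for issue in report.get("issues", [])
            if SEVERITY_RANK.get(issue.get("severity", "High"), 3) >= floor]


def run_mythril(sol_path: str) -> str:
    """Run Mythril on one source file and return its JSON report as text.

    Assumption: the CLI form `myth analyze <file> -o json`; adjust the
    argument list if your installed version differs.
    """
    proc = subprocess.run(["myth", "analyze", sol_path, "-o", "json"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def format_issue(issue: Dict) -> str:
    """One line per finding for the build log."""
    return "{severity:>6}  SWC-{swc}  {contract}.{function}: {title}".format(
        severity=issue.get("severity", "?"), swc=issue.get("swc-id", "?"),
        contract=issue.get("contract", "?"), function=issue.get("function", "?"),
        title=issue.get("title", "?"))


if __name__ == "__main__":
    # Usage: python mythril_gate.py src/Contract.sol [more .sol files]
    # With no arguments the constructed sample report is gated instead.
    reports = [run_mythril(p) for p in sys.argv[1:]] or [SAMPLE_REPORT]
    failures = [i for r in reports for i in blocking_issues(r)]
    for issue in failures:
        print(format_issue(issue))
    sys.exit(1 if failures else 0)
```

Keeping the raw JSON alongside the exit status gives the per-version audit record this section describes, while the threshold makes the commit gate explicit rather than leaving the decision to whoever reads the log.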

Note

All Mythril and Oyente Audits can be viewed in the ./audits/ directory, with a separate sub-directory for each tool and, within those, a separate sub-directory for each version Audited.

3. Public Instances

The following sub-sections list Public Instances of Tru Reputation Token Project Smart Contracts and Libraries, which version they are, whether they have been validated via EtherScan Verify Contract and a relevant EtherScan link.

3.1. Rinkeby TestNet Instances

The following Contract & Library Instances exist on the Rinkeby Test Network:

Name: TruAddress
Source File: /src/0.1.9/TruAddressFull.sol
Type: Library
Version: 0.1.9
Address: 0xe3e9e6493c568a3e66577254a0931e4da95eda45
Source EtherScan Verified?: Yes

Name: TruReputationToken
Source File: /src/0.1.9/TruReputationTokenFull.sol
Type: Smart Contract
Version: 0.1.9
Address: 0x3cc6363e5c791f804811e883b0af73cfba1b841d
Source EtherScan Verified?: Yes

Name: TruPreSale
Source File: /src/0.1.9/TruPreSaleFull.sol
Type: Smart Contract
Version: 0.1.9
Address: 0x9a921ee90d0404c8f3f2eb974c8b3a415da142d5
Source EtherScan Verified?: Yes

Name: TruCrowdSale
Source File: /src/0.1.9/TruCrowdSaleFull.sol
Type: Smart Contract
Version: 0.1.9
Address: Not Yet Deployed
Source EtherScan Verified?: Not Yet Deployed

3.2. MainNet Instances

The following Contract & Library Instances exist on the Ethereum Main Network: