Security and Code Auditing

The following section covers the Security & Code Auditing strategy and implementation for all Smart Contracts in the Tru Reputation Token project including supporting Libraries & Smart Contracts.

1. Strategy

The Security & Code Auditing Strategy for the Tru Reputation Token Project is as defined below:

  • Due to the inherent financial risk of Cryptocurrency, and the evolving nature of threats and exploits within Solidity and EVM, standardised automated Security Auditing must be leveraged.
  • Automated Security Audits are the be generated on each commit to the Repository.
  • Auditing will include, as much as practicable, a scan against known vulnerabilities, exploits, and insecure coding patterns.
  • Manual Security Audits will be performed by an external third party at least every 3 months after Production Code Release.
  • Audits will be reviewed alongside Testing, Fuzz Testing and Code Coverage to ensure Best Practices and code security before being released to a public network.
  • The Tru Reputation Token Project will not be released without the above items being met.

2. Auditing Tools

Given the evolving nature of Solidity and the EVM, the tools available for performing Security Auditing are not as fully featured as in other code environments. However, several projects are generally effective when combined with full Unit Testing and Fuzz Testing as part of a multi- layered Security Strategy including manual code reviews, manual Audits, Penetration Testing and bug reporting.

The following tools are used within the Tru Reputation Token Project:

Name Description
EtherScan EtherScan Verify Contract provides the capability to independently verify that the published source of a Contract matches the instance, ensuring a match at a bytecode level on the Contract and providing assurance to users of it.
CoverAlls CoverAlls is used as part of the Project Testing Strategy to ensure Code Coverage of all utilised code and produces reports detailing the level and degree of code coverage against code execution branches.
Mythril Mythril is security analysis tool for Ethereum Smart Contracts that uses concolic analysis to detect various types of issues. It can be used to both analyse the code and produce a ‘ethermap’ of the Smart Contract.
Oyente Oyente is a tool for analysing Ethereum Smart Contracts and produces a report detailing whether well-known exploits can be achieved in the Contract scanned

Mythril and Oyente Audits are automatically performed on each commit to the Repository for each revision of the code, ensuring a continuous benchmark of Security Validation vs known exploits, and coding patterns that are known to open vulnerabilities.


All Mythril and Oyente Audits can be viewed on the ./audits/ directory, with separate sub-directories for each, and separate sub-directories within them for each version Audited.

3. Public Instances

The following sub-sections list Public Instances of Tru Reputation Token Project Smart Contracts and Libraries, which version they are, whether they have been validated via EtherScan Verify Contract and a relevant EtherScan link.

3.1. Rinkeby TestNet Instances

The following Contract & Library Instances exist on the Rinkeby Test Network:

Name TruAddress
Source File: /src/0.1.9/TruAddressFull.sol
Type Library
Version 0.1.9
Address 0xe3e9e6493c568a3e66577254a0931e4da95eda45
Source EtherScan Verified? Yes
Name TruReputationToken
Source File: /src/0.1.9/TruReputationTokenFull.sol
Type Smart Contract
Version 0.1.9
Address 0x3cc6363e5c791f804811e883b0af73cfba1b841d
Source EtherScan Verified? Yes
Name TruPreSale
Source File: /src/0.1.9/TruPreSaleFull.sol
Type Smart Contract
Version 0.1.9
Address 0x9a921ee90d0404c8f3f2eb974c8b3a415da142d5
Source EtherScan Verified? Yes
Name TruCrowdSale
Source File: /src/0.1.9/TruCrowdSaleFull.sol
Type Smart Contract
Version 0.1.9
Address Not Yet Deployed
Source EtherScan Verified? Not Yet Deployed

3.1. MainNet Instances

The following Contract & Library Instances exist on the Ethereum Ethereum Main Network: