
Yearn Machine Learning proudly announced that the smart contract has been successfully audited and has passed all tests. This means that an independent third party reviewed the code for possible errors and checked it for security vulnerabilities.
This post explains the process in further detail, taking you through all the steps that were taken. In summary, the audit included the following steps:
– Specification of the code
– Running tests
– Automated symbolic execution
– Manual analysis
– Audit report
Specification of the code
The specification explains the goals of the project and its architecture. The whitepaper also covers this, but on its own that is not enough for an auditing team to know what the code should be doing. Therefore the specification consists of the full code as it stood after development was finished. Once the YML team and the auditing team agreed on the finalized code (the so-called ‘code freeze’), the auditing team could run tests to check whether the code does what it should and whether it contains any bugs.
Running tests
The tests performed on the Yearn Machine Learning architecture ranged from unit tests targeting individual functions to integration tests covering larger parts of the code. High test coverage reduces the number of easily detectable bugs that make their way into the audit. Tests also help ensure that all developers on the team have agreed on the project’s intended behaviour and functionality, preventing confusion during the audit, and they serve as informal documentation that gives the auditors another view of the expected functionality. The easiest way to perform the necessary tests is to run the test suite; if all tests pass, obvious issues are less likely.
Automated symbolic execution tools
As the smart contract industry grows rapidly, so does the development of automated bug-detection software. Symbolic execution tools have been built on research into common vulnerabilities found in Solidity smart contracts. They analyze a program to determine which inputs cause each part of it to execute. Such tooling streamlines the audit by making common pitfalls much easier to identify, reducing turnaround time and freeing human auditors to focus on complex and novel vulnerabilities.
Manual analysis
Automated tools make it easy to pinpoint common vulnerabilities, but they do not understand a developer’s intention: code may appear free of vulnerabilities yet still differ from the intended functionality. Manual inspection is therefore necessary to improve the detection of potential vulnerabilities. The auditing team digests the specification and then confirms that the project performs as expected. Often the auditors review the code independently and compare their results afterwards, minimizing the chance of missed errors.
Audit report
After Yearn Machine Learning went through all the steps described above, the auditing team compiled a report for the team. Following the report, the team reviewed every step once again to make sure that everything works as it should. The auditing report can be found here:
Now that the audit is complete, the team can focus on the project’s many other goals, but the most important step has been taken!
Click here to see the full report!