Skip Menu

Security baseline checking framework for Tezos smart contracts

By Inference staff24 March 2022

Inference recently published the first version of the security assessment checklist for smart contracts on Tezos. Readers may have noticed that the security assessment checklist also refers to a security baseline checking framework and various test cases where security-relevant mechanics of the underlying system for the smart contracts on Tezos can be checked, e.g. on a regular basis or on new upgrades.

It is the opinion of Inference that this is an important part of the security assessment checklist, since it provides developers and security assessors the knowledge and trust that the underlying system for Tezos smart contract has not changed.

This knowledge and trust forms the “baseline” for smart contracts developers and security assessors. Changes in the mechanics of the underlying system for smart contracts can have disastrous implications on smart contracts since, for instance, developers and security assessors may develop or assess smart contracts based on a wrong understanding of the underlying system.

Version 1.0 of the security assessment checklist is built on the mechanics of the current underlying system. The checklist will potentially require an update as soon as the underlying system change.

However, the current testing framework is work in progress and still has lots of room for improvement. The current security baseline checking framework is still basic, composed of hacky bash scripts and few test cases. The goal is to have a security baseline checking framework which can be easily run on different protocols, using different versions of high-level smart contract compilers, etc.

In order to improve this security baseline checking framework Inference kindly invites everybody to contribute by sharing their ideas, developing the security baseline checking framework, submitting test cases, improving test case documentation, etc. All and any help is welcome!

If you have any feedback, please contact us via [email protected]