Michelson code reviews
The Tezos blockchain offers several high-level programming languages for smart contracts, the two most popular being SmartPy and Ligo. These high-level languages make it easy to write smart contracts on Tezos: developers familiar with the languages they build on (Python, JavaScript, Pascal, and more) benefit from a flat learning curve and start in a familiar environment.
All high-level programming languages used for smart contracts on Tezos are compiled to Michelson code, which is Tezos' native language for smart contracts. Once deployed to the Tezos blockchain, Michelson code gets executed when called. An advantage of Michelson code is that it’s readable and easy to understand for humans. As a result, the Michelson code that is executed by the Tezos blockchain can be reviewed.
Inference’s methodology for smart contract security assessments on Tezos is a combination of:
- Review of the smart contract source code written in a high-level language, and
- Review of the resulting compiled code in Michelson.
The review of the Michelson code allows us to rule out any issues arising from compilation of the high-level smart contract language to Michelson code, such as the deprecation of decorators.
Our ability to review both high-level smart contract languages and Michelson code allows for complete coverage and results in no gaps between the security assessment report and the actually deployed code. Otherwise, on-chain applications could suffer from compiler security issues or changes introduced by the development team after a completed security assessment. This way, Inference can directly provide assurance to readers of our reports that the deployed smart contract has been reviewed by an independent third party.
In the second part of this blog series, we provide some additional examples of why Michelson code reviews are worth doing.