2) Setup CI-CD Pipeline:

Smart contracts really require a continuous integration pipeline during development. Let's take an example to understand what 'continuous integration' is and how the features of a CI/CD pipeline help in developing a bug-free Dapp.

What is continuous integration?

Continuous integration (CI) embodies a culture, a set of operating principles, and a collection of practices that enable application development teams to deliver code changes more frequently and reliably. The implementation is also known as the CI/CD pipeline.

The features of CI/CD help protocols and Dapps to be built within the proposed timeline and without syntax errors.

Some of the Features of CI-CD:

Smaller Code Changes

Easy Fault Isolation

Faster Mean Time To Resolution (MTTR)

More Test Reliability

Faster Release Rate

Smaller Backlog

Easy Maintenance and Updates

QuillPipeline will help you achieve your goals within the timeline and without bugs.

QuillPipeline:

QuillPipeline gives you continuous assurance that your Ethereum smart contracts are safe and functional. It reports build status on every commit and runs a suite of security analyses so you get immediate security feedback, automating the contract audit process within your development lifecycle.

QuillPipeline is a product offered by QuillHash Technologies that helps your project with continuous integration of its source code: every time you push code to your repository, it runs your custom test cases and generates a report on whether your smart contract passes them or not. QuillPipeline uses a GitHub App to provide CI for smart contracts.

What is GitHub app?

GitHub Apps can be installed directly on organisations and user accounts and granted access to specific repositories. They come with built-in webhooks and narrow, specific permissions. When you set up your GitHub App, you can select the repositories you want it to access.

After the development phase, a smart contract should go for a third-party audit in order to validate its use case and to check for security loopholes in the contract.

How does QuillPipeline work?

Developers can sign up and log in to the dashboard using their GitHub account; afterwards they need to subscribe their GitHub repositories for continuous integration. Developers can subscribe multiple repositories.

After selecting repositories through the GitHub App, developers need to make a fresh commit on their GitHub repository to run the test cases. Developers can include other script commands as well. Once the smart contract code is pushed to the repository, GitHub sends a notification to QuillPipeline with the latest commit details; QuillPipeline then creates an environment and installs the dependencies needed to run the test cases and the other scripts.

Once the dependencies are installed, the test commands are executed and the test result is declared based on their outcome. If all test cases pass, the developer or organization gets the log results with the passed test cases and a tick (pass mark) is assigned to that commit on the GitHub repository; if test cases fail, a fail mark is assigned to the commit representing the failed test cases, and the developer or organization is notified on the dashboard and through email with the test case logs.

This helps projects and protocols achieve their timelines and milestones, as all test cases must pass before a new feature is developed, so that development and validation proceed in parallel to produce a product with high quality standards.

Once a feature is implemented, combined with the other modules of the smart contracts and pushed to the repository, it is validated instantly. Previously, without CI for smart contracts, the contracts were only tested once the project was completed or while combining all of their features; CI saves much of that time.

Once the project is completed and validated by the development team, they can approach the QuillAudits team for an exhaustive audit of their project.

3) Quill Audits Smart contracts security process:

Check out the Smart Contracts Security Audit Scope. Our Smart Contracts Security Audit process consists of the following stages:-

Stage 1 ) Specification gathering:

This is the most crucial stage, because detail is key to a successful smart contract security audit. Here we gather the specifications from the client to learn the intended behavior of the smart contract. In this stage, we need a summary of the intended behavior of the smart contract from your side.

Stage 2 ) Manual Review:

Goals of manual review:-

a) Verify that every detail in the specification is implemented in the smart contract.

b) Verify that the contract does not have any behavior that is not covered by the specification.

c) Verify that the contract does not violate the original intended behavior of the specification.

We also ensure that your contract has some mechanism to defend against unknown vulnerabilities, because the state of Ethereum is constantly changing and we cannot say which vulnerabilities will arise in the future, so a mechanism must be in place beforehand.

We ensure that the smart contract code responds well to bugs and vulnerabilities. We also ensure that there is no unnecessary code in the contract.

=> Best coding practices are also considered in this phase.

Stage 3) Manual testing:

Manual testing is king in smart contract auditing.

a) The smart contract is manually deployed on one of the test networks (Ropsten/Rinkeby) using the Remix IDE.

b) All transaction hashes are recorded.

c) Gas consumption and the behavior of functions are also noted.

Stage 4) Unit testing:

Goal: Writing and running a comprehensive test suite.

=> In this stage, smart contract functions are unit tested with multiple parameters and under multiple conditions to ensure that all paths through the functions behave as intended.

=> In this phase, the intended behavior of the smart contract is verified.

=> In this phase, we also ensure that smart contract functions are not consuming unnecessary gas.

=> Gas limits of functions are verified in this stage.

Stage 5 ) Testing with automated tools:

=> Testing with automated tools is important to catch the bugs that humans miss.

Some of the tools we would use are:-

Mythril

Oyente

Manticore

Solgraph

Stage 6) Solidity-coverage:

Solidity-coverage lets us know how effective our unit test cases are; it highlights the code of the contract that the tests never executed.

Stage 7) Initial Audit report:

At the end, we provide you a comprehensive report with the details of the audit and the steps to address the vulnerabilities, if we find any in your contracts.

Final Audit report:

After the initial audit fixes, the process is repeated and the final audit report is delivered.