During our smart contract audits, we came to the conclusion that there are two fundamentally different types of security issues: bugs and vulnerabilities. However, the community does not seem to draw a line between them and treats them the same way, which I personally find incorrect. Bugs and vulnerabilities require distinct detection approaches and are prevented at different stages of the software development life cycle (SDLC). In this article, I will define a bug and a vulnerability, describe where they differ and where they are similar, and tell what to do about each of them.

Definitions

Security issues can be divided into bugs and vulnerabilities. Firstly, let’s define what we consider a security issue.

A code feature that can lead to undesired consequences (i.e. can violate Confidentiality, Integrity, or Availability) is a security issue.

Secondly, what is the difference between a bug and a vulnerability? My colleagues and I have found many definitions of both. However, we came up with the following one, which seems to be the strictest and to cover all the others:

If an issue leads to a planned scenario not running, it is a bug.

If an issue leads to an unplanned scenario running, it is a vulnerability.

Let’s clarify this with an example:

If you try to login with correct credentials and fail, this is a bug.

If you try to login with fake credentials and succeed, this is a vulnerability.

Where they come from

According to the definition, a bug exists because something is wrong with a planned scenario. The reasons are poorly designed logic, bad implementation, or random mistakes (like typos). Vulnerabilities, on the other hand, appear due to insufficient understanding of certain aspects of the technology (e.g. the smart contract languages Solidity/Vyper, EVM code execution, or compilers). Thus, bugs are unique to a project, whereas vulnerabilities are rather standard and can be classified.

What they affect

Both bugs and vulnerabilities can violate critical properties of a program. On the one hand, functionality may be lost (for example, a token cannot be unpaused). On the other hand, the security issue can be exploited by attackers in various ways. In addition, both can increase gas consumption.

How to prevent them

The following approaches can be used to protect a project:

tests — automated tests for the project's functionality,

coverage — a check of how much of the code the tests exercise,

tools — automated tools for finding known security issues,

code review — a review by a more experienced colleague,

bug bounty — a program that rewards the community for reported issues,

audits — a security check of the project (includes all of the methods above)

First of all, a project needs tests that check the execution of all planned scenarios. Code coverage is also important, as it helps make sure that the project is tested sufficiently. Then there are special security tools that find known vulnerabilities. And because bugs are unique, the code should be checked manually. The best way to protect a project is a combination of code review, a bug bounty program, and several independent audits. These measures help with both bugs and vulnerabilities.