Leveraging ChatGPT for Auditing Solidity Smart Contracts

mrudenkomrudenko
4 min read

Table of contents

In the realm of blockchain development, auditing smart contracts is a crucial step to ensure the security and efficiency of decentralized applications. Solidity, as a prominent smart contract language for the Ethereum blockchain, demands meticulous auditing to mitigate any potential vulnerabilities or bugs. The introduction of ChatGPT as an assistive tool in this endeavor has been a game changer. This post delves into how ChatGPT can significantly streamline the auditing process of Solidity smart contracts.

1. Exhaustive Vulnerability Assessment Prompt

A primary step in auditing is to identify all existing issues and vulnerabilities within a smart contract. A useful prompt for ChatGPT in this context could be:
Provide an exhaustive list of all issues and vulnerabilities inside the following smart contract. Be detailed in the issue descriptions and describe the actors involved. Include one exploit scenario in each vulnerability. Output as a valid markdown table with a list of objects that each has 'description', 'action', 'severity', 'actors', 'scenario', 'type', and 'line' columns. 'type' can be 'usability', 'vulnerability', 'optimization', or 'suggestion'. 'actors' is a list of the involved actors. 'severity' can be 'low + ice block emoji', 'medium' or 'high + fire emoji'. 'line' is the line number of the issue. Ensure that all fields of the table are filled out.

2. Reporting Template

When participating in auditing contests like Code4Rena, it's essential to have a structured report. Here’s a useful template for reporting findings:

Chat, please remember this template for writing reports:
# Title

## Impact
<Detailed description of the impact of this finding.>

## Proof of Concept
<Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.>

## Tools Used
Manual review

## Recommended Mitigation Steps
<steps…>

3. Smart Contract Reconnaissance with ChatGPT

A thorough understanding of the smart contract's architecture and functionalities is pivotal before diving into the auditing process. Here's how you can use ChatGPT for reconnaissance - you can order to chat to remember this strategy:

  • Basic Strategy:

    • Who are the actors of the system?

    • What is the value of the system?

    • What actions does the system have?

    • What constraints are in the system?

    • What are potential ways to break the system?

    • What are potential data ranges for the contract state?

    • What allowances does the system?

  • Architecture Strategy:

    • Economic incentives

    • Roles

    • Design decisions

    • Expected use cases

    • Failure modes

    • Integrations

    • Adversarial scenarios, etc.

  • Constraints and Flow Strategy:

    • Describe based on constraints, state changes in every function.

    • Provide information on the topics, solidity patterns, and DeFi patterns used.

    • Create flows showing the order of function execution, crucial points, and weakest parts.

  • Axioms Strategy:

    • Write positive and negative axioms based on the system information.

  • QA and Optimization Strategy:

    • List optimizations and code changes to improve the solidity of code (with code snippets).

Tip: Visual representation of data often provides a clearer understanding of the system's workings. When working with ChatGPT, it's advisable to request visualizations of the output, for instance, state modifications in ASCII symbol diagrams. Although not all visualizations may be meaningful, some can provide invaluable insights into the smart contract's operations.

4.Finding vulns

In essence, while ChatGPT may not replace a human auditor, it significantly augments the auditing process, providing a clearer understanding of protocol state transitions, constraints, invariants, and interoperability. The tool is especially powerful for grasping protocol state transitions and constraints. Although writing Proof of Concepts (PoCs) is not its forte, it's highly useful for elucidating documentation. Before auditing, feeding ChatGPT with relevant protocol documentation can enhance its contextual understanding, making the auditing process more insightful and less prone to oversight.
For instance, before delving into an audit, providing the chat with documentation about the protocol under review can significantly enhance the accuracy and relevance of the responses. It's as simple as mentioning, "This is the documentation to provide better context for <protocol_name> which I am auditing," before pasting the document.

4. Conclusion

In conclusion, ChatGPT emerges as a potent ally for auditors, providing a structured and insightful approach to auditing Solidity smart contracts. Its ability to streamline the reconnaissance phase, elucidate complex documentation, and assist in drafting structured reports makes it an indispensable tool in an auditor's toolkit. The blockchain space continues to evolve, and with tools like ChatGPT, the stride toward more secure and efficient smart contract deployments becomes a tangible reality.

Remember, a well-audited smart contract is the bedrock of a secure, reliable decentralized application.

0
Subscribe to my newsletter

Read articles from mrudenko directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Web3Smart Contractschatgptweb3securitySmartContracts

Written by

mrudenko
mrudenko