2019 is supposed to be a year of STOs (Security Token Offers). According to regulators, it is necessary to conduct external technical audit of STOs including smart contracts and infrastructure.

The presentation contains full detailed methodology of smart contracts audit.

The first part is about smart contract testing process. It contains steps to setting up testing environment, special features of writing tests for smart contracts in contrast to other kinds of applications, tips for using Solidity-Coverage tool.

The second part describes which security tools are appropriate for different cases of audit and shows the best practices of using them. The reviewed tools are Mythril, Solhint, Surya, Echidna, ContractFuzzer, Manticore, Slither and some proprietary software.

The third part is about manual searching for vulnerabilities and non-optimal gas consumption in smart contracts. Main patterns were collected while researching dozens of smart contracts.