CCA Smart Contract Auditing Questions and Answers

Question 1

An auditor is reviewing a smart contract's token distribution function, which iterates through a large, externally-provided array of recipient addresses to execute transfers. As the number of recipients grows, transactions calling this function begin to fail consistently. What is the most likely vulnerability?

Accepted Answer

Denial of Service (DoS) due to block gas limit

Answer

This design is vulnerable to a Denial of Service (DoS) attack. Each operation within the loop consumes gas. If the array of recipients becomes too large, the total gas required to complete the loop will exceed the block's gas limit, causing any transaction that calls this function to fail. An attacker could potentially exploit this by adding many addresses to the distribution list to render the function unusable, trapping the funds.

Question 2

Which of the following tools is an auditor most likely to use for static analysis of Solidity code, which involves examining the contract's code without executing it to find common vulnerabilities and bad practices?

Accepted Answer

Slither

Answer

Slither is a widely-used static analysis framework for Solidity that detects a broad range of vulnerabilities and code quality issues by converting the source code into an intermediate representation and running a suite of detectors. Ganache, Hardhat, and Foundry are primarily development environments and testing frameworks, not specialized static analysis tools.

Question 3

While auditing a system using a transparent proxy for upgradability, an auditor discovers the implementation contract's `initialize` function is public and lacks protection. Why does this represent a critical security risk?

Accepted Answer

An attacker could call `initialize` on the implementation contract directly, take ownership, and potentially self-destruct it, bricking the proxy.

Answer

Even though users interact with the proxy, the implementation contract is still a deployed contract on the blockchain. If its `initialize` function is unprotected, an attacker can call it directly on the implementation contract's address. If the attacker becomes the owner of the implementation contract, they could then call a privileged function like `selfdestruct`, which would destroy the logic contract and render the proxy non-functional.

Question 4

An auditing firm is engaged to provide the highest possible level of assurance for a critical DeFi protocol's core logic. The technique they plan to use involves creating a formal specification of the contract's desired properties and using mathematical methods to prove that the code adheres to this specification under all possible conditions. What is this technique called?

Accepted Answer

Formal verification

Answer

Formal verification is a rigorous process that uses mathematical proofs to verify the correctness of a smart contract's code against a precise specification. Unlike testing or manual review which can find bugs, formal verification aims to prove the absence of specific types of bugs, offering the highest level of security assurance for critical properties.

Question 5

A smart contract written in an older version of Solidity (pre-0.8.0) calculates a user's reward by multiplying their stake amount by a `rewardRate`. An auditor flags a potential vulnerability where a user with a very large stake could interact with a high `rewardRate` and receive a near-zero reward. This is a classic example of what vulnerability?

Accepted Answer

Integer overflow

Answer

This scenario describes an integer overflow. Solidity integer types have a fixed size (e.g., uint256). If an arithmetic operation's result exceeds the maximum value for that type, it 'wraps around' to zero. In this case, a massive multiplication result could overflow the uint256 limit, resulting in a very small, incorrect value. Versions of Solidity 0.8.0 and newer have built-in checks to prevent this by reverting the transaction.

(CCA) Certified Cryptocurrency Auditor Practice Test

(CCA) Certified Cryptocurrency Auditor Practice Test

CCA Smart Contract Auditing Questions and Answers