Security Score Guideline

DcentraLab Diligence guidelines for ranking the score of audited code repositories

To formalize the quality and risk assessment for decentralized applications, we have developed the following guidelines for ranking the score of audited code repositories.

The score is built from two parts:

  • Risk Score: makes up 65% of the final score. The risk score is computed out of 100, and for each discovered issue, points are deducted per the index below. If the deducted points add up to more than 65, the entire audit receives a score of 0. The final risk score is adjusted to contribute a maximum of 65 points to the final score.
  • Quality Score: up to 35% of the final score is given for the quality of the code base. Points are awarded for code quality, test coverage, documentation, and reliance on third-party libraries. The audited code can earn up to 35 points for these factors, per the index below.

An audit will have two scores: one for the state of the audited scope before the audit, and one for the audited scope after the final fixes review iteration, i.e., the final state of the audited code following the audit.

The general score translates to a risk level as follows:

  • 1-25: Critical Risk
  • 25-50: High Risk
  • 50-75: Medium Risk
  • 75-95: Low Risk
  • 95-100: Minimal Risk
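The score composition above (deductions out of 100, the zeroing rule at 65, the scaling to a 65-point contribution, the quality points, and the risk-level mapping) as a small calculator. This is an added example, not DcentraLab's own tooling, and it fills in a few things the guideline leaves open: "adjusted to give a maximum of 65 points" is read as scaling the out-of-100 risk score by 0.65; the overlapping band boundaries (25, 50, 75, 95) are assigned to the higher band and anything below 1 is treated as Critical Risk; per-finding deductions are validated against the "Negative Score Points" column of the Risk Score table. The findings and quality values are constructed sample data.

```python
"""Worked example of the DcentraLab score composition (added example).

Assumptions (the guideline does not state these):
  * "adjusted to give a maximum of 65 points" == multiply the 0-100 risk score by 0.65
  * band boundaries go to the higher band; a score below 1 counts as Critical Risk
  * per-finding deductions must lie within the table's "Negative Score Points" column
"""
from dataclasses import dataclass

# Allowed deduction per finding, from the Risk Score table's points column.
DEDUCTION_RANGE = {
    "informational": (0, 0),
    "low": (1, 2),
    "medium": (5, 5),
    "high": (20, 20),
    "critical": (50, 50),
    "discussion": (0, 2),
}

# Maximum positive points per factor, from the Quality Score table.
QUALITY_MAX = {
    "documentation": 5,
    "readability": 5,
    "opsec": 5,
    "third_party": 10,
    "test_coverage": 10,
}

RISK_WEIGHT = 0.65     # assumption: risk score scaled to contribute at most 65 points
ZERO_THRESHOLD = 65    # deductions above this zero the whole audit (from the text)


@dataclass
class Finding:
    title: str
    severity: str
    points: int  # deduction assessed by the auditor, within DEDUCTION_RANGE[severity]


def risk_component(findings):
    """Return (raw risk out of 100, scaled 0-65 contribution, zeroed flag)."""
    total = 0
    for f in findings:
        lo, hi = DEDUCTION_RANGE[f.severity]
        if not lo <= f.points <= hi:
            raise ValueError(f"{f.title}: {f.points} outside {f.severity} range {lo}-{hi}")
        total += f.points
    raw = 100 - total
    if total > ZERO_THRESHOLD:
        return raw, 0.0, True     # whole audit scores 0 regardless of quality
    return raw, raw * RISK_WEIGHT, False


def quality_component(factors):
    """Sum the quality points, refusing values above each factor's maximum."""
    score = 0
    for name, cap in QUALITY_MAX.items():
        value = factors.get(name, 0)
        if not 0 <= value <= cap:
            raise ValueError(f"{name}: {value} outside 0-{cap}")
        score += value
    return score


def risk_level(score):
    """Map a 0-100 score to the guideline's risk bands (upper bound exclusive)."""
    if score < 25:
        return "Critical Risk"
    if score < 50:
        return "High Risk"
    if score < 75:
        return "Medium Risk"
    if score < 95:
        return "Low Risk"
    return "Minimal Risk"


def audit_score(findings, factors):
    """Final score and risk level for one audit state (pre-fix or post-fix)."""
    _, risk, zeroed = risk_component(findings)
    if zeroed:
        return 0.0, "Critical Risk"
    total = round(risk + quality_component(factors), 2)
    return total, risk_level(total)


# Constructed sample: the same scope before and after the fixes review iteration.
PRE_FIX = [
    Finding("reentrant withdraw", "high", 20),
    Finding("unchecked return value", "high", 20),
    Finding("missing event", "low", 1),
]
POST_FIX = [Finding("missing event", "low", 1)]
QUALITY = {"documentation": 3, "readability": 4, "opsec": 3,
           "third_party": 7, "test_coverage": 6}

if __name__ == "__main__":
    print("before fixes:", audit_score(PRE_FIX, QUALITY))
    print("after fixes: ", audit_score(POST_FIX, QUALITY))
    # one Critical plus one High deducts 70 > 65, so the whole audit scores 0
    print("zeroed:", audit_score([Finding("a", "critical", 50),
                                  Finding("b", "high", 20)], QUALITY))
```

Run it as a script to see the two states of the sample audit side by side; note that because the 65-point cap only triggers on the sum of deductions, a single Critical finding does not by itself zero the score under this reading, which is why the "must be resolved to pass" rule in the table is a separate gate from the number.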

Risk Score: deduction points for discovered issues

Severity      | Negative Score Points | Description
--------------|-----------------------|------------
Informational | 0                     | Informational issues have no security implications, so no points are subtracted from the security score.
Low           | 1-2                   | Low issues take up to 2 points, depending on sub-severity.
Medium        | 5                     | Medium issues take from 3 up to 4 points, depending on sub-severity.
High          | 20                    | High issues of any kind must be resolved for clients to pass the security audit.
Critical      | 50                    | Critical issues of any kind must be resolved for clients to pass the security audit.
Discussion    | 0-2                   | Discussions can have security implications depending on the case; points are deducted based on their importance.

Quality Score: added points for quality, test coverage, etc.

Factor                                 | Positive Score Points | Description
---------------------------------------|-----------------------|------------
Presence of up-to-date documentation   | 1-5                   | Documentation is critical to proper code understanding; its presence reduces the risk of overlooking issues.
Code readability                       | 1-5                   | Code readability heavily affects the ability to spot issues; poor readability prolongs the process of learning the flow.
Operational security of the team       | 1-5                   | Opsec of the team is critical to the safety of the project. We inspect the general practices applied to the code and draw conclusions about the reliability of the team itself, since project safety can easily be compromised by an operational mistake. Required opsec includes proper deployment scripts, bytecode checksum scripts for deployed contracts, structure checksum scripts for deployed contracts, proper network configs, etc.
Code reliance on third-party software  | 1-10                  | Depending on how the code is written, it can be more or less reliant on the compiler or other software. Relying on third parties can increase the risk to the project; for example, the Curve hack happened because of reliance on the Vyper compiler. The score varies with the amount of third-party library reliance, the exposure/risk level of the imported libraries, and the degree to which the audited code depends on them.
Test Coverage                          | 1-10                  | Proper test coverage is critical for ensuring the audited code works as expected and specified. The more thorough the tests, the better the chance that the code behaves as expected and is free of unwanted behaviour. The score depends on the number of tests, their scope versus the functional spec of the implemented code, and how much of the product code under audit they cover.

DcentraLab Diligence

Our security assessment identifies vulnerabilities in your smart contracts and blockchain code and recommends ways to rectify them.