Testing and Review

Security - Testing and Review

Testing and review starts with a good understanding of the Forta Network itself through documentation, transparency, and public nature of the primary components of the network. Key pieces of the network are summarized below:

• Contracts (prod and test)

  • Polygon and Ethereum mainnet
  • Mumbai and Goerli Test Net

• Github repos (private and public)

  Public:

  • Scan Node software for the Forta Network
  • Forta Go Libraries
  • Forta Detection Bot SDK and CLI tool
  • Forta Contracts
  • Forta Threat Detection Kits
  • Airdrop Autotasks

  Private:

  • Forta Assigners
  • Forta Infra
  • Forta Airdrop Interface
  • Forta Airdrop Contracts
  • Forta GraphQL API

Testing of the code must happen through GitHub Actions on each pull request and gated upon successful tests. Code coverage data for the contract's tests can be found in the Codecov dashboard here. (Note: Code coverage tests exclude contracts in the contracts/components/_old folder since those are deprecated contracts.)

Adopting an attacker mindset, the Foundation went beyond employing secure design, development, deployment and testing and enlisted external security experts to assess the Forta Network after it was built. This helped to surface erroneous assumptions and uncover security gaps that may have remained hidden. Forta primarily engaged OpenZeppelin's smart contract auditing expertise as well as Dedalo's web2 and broad threat assessment expertise for other critical components of the Network. All such reports/findings are linked below:

• Dedalo's Airdrop Assessment, June 17th 2022
• OpenZeppelin's Airdrop Smart Contract Audit, June 9th 2022
• Dedalo's Forta Scan Node Assessment, April 7th 2022
• OpenZeppelin's Protocol Audit, February 7th 2022
• Dedalo's Web Security Assessment, January 5th 2022
• MixBytes' Security Assessment of slash proposal changes, September 2nd 2022
• Consensys' Security Assessment of Delegated Staking, November 2022