Assembly Code Review
Last updated: October 14, 2021

Inline assembly code can be a great way to optimize gas or access otherwise unavailable opcodes. Unfortunately, inline assembly bypasses certain built-in security checks of Solidity (e.g., overflow/underflow, type consistency, memory management) and should be used very carefully. The consequences of getting it wrong are severe: inline assembly code can affect the behavior of code that precedes and follows it in opaque ways.

Identify what features of the EVM are used and review their behavior

When reviewing inline assembly code, it's important for the reviewer to understand the behavior of the relevant parts of the EVM. For example, if external calls are invoked, do you understand how return values are assembled and where they are stored? Study the Yellow Paper for an up-to-date resource on EVM behavior, and refer to Ethereum Virtual Machine Opcodes for opcode functionality.

Use a low-level transaction debugger to verify the assembly procedure

Use a low-level transaction debugger like Remix to review the assembly code's behavior and how it affects relevant parts of EVM state. Think about what state is modified and how changes are cleaned up to allow execution to resume normally.
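As an added example (not part of the original page or any project's tooling), the script below supports the "identify what features of the EVM are used" step by listing, for each inline assembly block in a Solidity source file, the opcodes that touch external calls, return data, memory, storage and control flow. It is regex-based rather than a real parser, so it assumes no `//` or braces inside string literals; the feature grouping, function names and sample contract are this example's own.

```python
import re

# Opcode groups worth studying before trusting a block (the grouping is this example's choice).
FEATURES = {
    "external call": {"call", "staticcall", "delegatecall", "callcode"},
    "return data": {"returndatasize", "returndatacopy"},
    "memory": {"mload", "mstore", "mstore8", "mcopy", "calldatacopy", "codecopy"},
    "storage": {"sload", "sstore", "tload", "tstore"},
    "control flow": {"return", "revert", "stop", "invalid", "selfdestruct"},
    "contract creation": {"create", "create2"},
}
ASM_START = re.compile(r'\bassembly\b\s*(?:\(\s*"[^"]*"\s*\))?\s*\{')
BUILTIN_CALL = re.compile(r"\b([a-z][a-z0-9]*)\s*\(")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def assembly_blocks(source):
    """Yield (start_line, body) per inline assembly block, matching nested braces."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    src = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    for m in ASM_START.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]

def inventory(source):
    """Return [(start_line, {feature: [opcodes]})] for each assembly block found."""
    report = []
    for line, body in assembly_blocks(source):
        used = set(BUILTIN_CALL.findall(body))
        report.append((line, {f: sorted(ops & used) for f, ops in FEATURES.items() if ops & used}))
    return report

# Constructed sample contract, not taken from any real project.
SAMPLE = '''contract Reader {
    function read(address t, bytes memory d) internal view returns (uint256 v) {
        assembly ("memory-safe") {
            // sstore(0, 1) in a comment must not be reported
            let ok := staticcall(gas(), t, add(d, 0x20), mload(d), 0, 0)
            if iszero(ok) { revert(0, 0) }
            returndatacopy(0, 0, 0x20)
            v := mload(0)
        }
    }
}'''

if __name__ == "__main__":
    for line, features in inventory(SAMPLE):
        print(f"assembly block at line {line}: {features}")
```

Each reported group is a prompt for the review: an external call paired with return data means checking where the result lands in memory, and any memory or storage write is something to watch in the debugger step.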
