How To Audit A Smart Contract
Source: DEV Community
I was going through the Updraft Smart Contract Security course, and I realized I had been doing some things the wrong way. Here are a couple of things I started doing differently. I am basing this article on the PasswordStore repo here: 3-passwordstore-audit. Definitely check it out. It is only about 20 lines of contract code, and that is where nSLOC/CLOC comes in: it tells you how much actual code is in the codebase, as opposed to comments and blank lines.

Step 1: Trace Trust Boundaries

Ask these questions:

- Who can write the value?
- Who can read the value?
- What does the constructor assume?
- What does the contract pretend is hidden?
- What breaks if the value is public?

In PasswordStore.sol, the owner is set in the constructor, and the setter checks msg.sender. That gives the shape of the access control.

```solidity
function setPassword(string memory newPassword) external {
    // Only the address recorded as s_owner may overwrite the stored value.
    if (msg.sender != s_owner) {
        revert PasswordStore__NotOwner();
    }
    s_password = newPassword;
}
```

The guard is there. The function is protected. So far so good.

Step 2: What t
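Turning the Step 1 questions into checks, here is an added Foundry test (my example, not code from the Updraft repo) that answers "who can write" and "who can read" for PasswordStore: a non-owner must hit PasswordStore__NotOwner, and the stored string can be read back by anyone straight from storage, because EVM storage is world-readable and `private` only limits Solidity-level access from other contracts. It assumes the contract lives at src/PasswordStore.sol, has a no-argument constructor that records msg.sender as s_owner, and lays out s_owner in slot 0 and s_password in slot 1.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";
import {PasswordStore} from "../src/PasswordStore.sol"; // assumed path

contract PasswordStoreTrustBoundaryTest is Test {
    PasswordStore ps;
    address owner = makeAddr("owner");
    address notOwner = makeAddr("notOwner");

    function setUp() public {
        // Assumed: constructor takes no arguments and stores msg.sender as s_owner.
        vm.prank(owner);
        ps = new PasswordStore();
    }

    // Who can write the value? Only the owner; everyone else must revert.
    function test_NonOwnerCannotWrite() public {
        vm.prank(notOwner);
        vm.expectRevert(PasswordStore.PasswordStore__NotOwner.selector);
        ps.setPassword("someone-else-value");
    }

    // Who can read the value? Anyone with an RPC endpoint: storage is public
    // even when the variable is declared `private`, so the contract only
    // pretends the value is hidden.
    function test_PrivatePasswordIsReadableFromStorage() public {
        vm.prank(owner);
        ps.setPassword("hunter2");

        // Assumed layout: s_owner in slot 0, s_password in slot 1.
        bytes32 raw = vm.load(address(ps), bytes32(uint256(1)));

        // A string shorter than 32 bytes is stored inline: data is left-aligned
        // and the lowest byte holds 2 * length.
        uint256 len = uint256(uint8(raw[31])) / 2;
        bytes memory out = new bytes(len);
        for (uint256 i = 0; i < len; i++) {
            out[i] = raw[i];
        }
        assertEq(string(out), "hunter2");
    }
}
```

Run with `forge test -vv` from the repo root; the second test is the one that makes "what breaks if the value is public" concrete rather than rhetorical.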