SCSVS-AUTH

Temporary Checklist

This checklist contains the SCSVS v0.0.1 verification levels (L1, L2 and L3) which we are currently reworking into "security testing profiles". The levels were assigned according to the SCSVS v1 ID that the test was previously covering and might differ in the upcoming version of the SCSTG and SCS Checklist.

For the upcoming version of the SCSTG, we will progressively split the SCSTG tests into smaller tests, the so-called "atomic tests", and assign the new SCS profiles to their respective SCWE weaknesses.

| SCG ID | VR ID | TEST ID | Control / SCSTG Test | Checklist |
|---|---|---|---|---|
| SCSVS-AUTH-1 | S4.1.G1 | No Test ID | Verify Authorization Using msg.sender | - Does the contract use tx.origin in validation? If yes, this must be avoided as tx.origin phishing attacks are possible and can be exploited.<br>- Are proper authorization mechanisms in place using msg.sender to ensure secure and accurate access control? |
| SCSVS-AUTH-1 | S4.1.G2 | No Test ID | Verify Role-Based Access Control Implementation | - Are there different roles that have been assigned and have different access control mechanisms?<br>- If yes, check and verify that correct access control mechanisms are implemented and least privilege policy is implemented. |
| SCSVS-AUTH-1 | S4.1.G3 | No Test ID | Verify Modifier Logic | - Are all custom modifiers correctly implemented and applied to the intended functions?<br>- Are there any modifiers that contain redundant or conflicting logic?<br>- Have the modifiers been reviewed and tested for potential vulnerabilities? |
| SCSVS-AUTH-1 | S4.1.G4 | No Test ID | Verify debit function validation. | - Does the _debitFrom function properly verify token ownership and transfer permissions?<br>- Are there any gaps in validation that could impact token security?<br>- How does the function ensure that only authorized transfers occur? |
| SCSVS-AUTH-1 | S4.1.G5 | No Test ID | Verify presence of required code components. | - Is it checked if the target address of a call has code deployed?<br>- How does the system handle calls to addresses without code?<br>- What mechanisms are in place to verify code presence before making calls? |
| SCSVS-AUTH-1 | S4.1.G6 | No Test ID | Verify Access Control Implementation | - Are there any functions lacking access control mechanisms?<br>- Are there any public functions that should have a more restricted visibility (e.g., internal, private)?<br>- Are access controls correctly implemented to prevent unauthorized access or modifications? |
| SCSVS-AUTH-1 | S4.1.G7 | No Test ID | Verify Admin Asset Pull Privilege | - Can the admin of the protocol pull assets from the protocol? Verify the extent of the admin's privileges and access controls.<br>- Are there constraints or timelocks in place to regulate admin access to protocol funds?<br>- How does the protocol track and report admin actions that involve user funds? |
| SCSVS-AUTH-1 | S4.1.G8 | No Test ID | Verify Timelocks for Critical Functions | - Are timelocks implemented for all critical functions in the smart contract?<br>- What is the duration of the timelock for each critical function? Is it adequate for review purposes?<br>- Can timelocks be bypassed or modified? If so, under what conditions? |
| SCSVS-AUTH-1 | S4.1.G9 | No Test ID | Verify Whitelisting Implementation | - Are certain addresses required to be whitelisted to interact with the contract?<br>- Is the whitelisting mechanism properly implemented and enforced? |
| SCSVS-AUTH-1 | S4.1.G10 | No Test ID | Verify Contract Initialization Functions | - Are initialization functions properly marked as internal?<br>- Is there a mechanism in place to ensure initialization functions cannot be executed more than once?<br>- Are there any fallback functions that might unintentionally allow reinitialization? |
| SCSVS-AUTH-1 | S4.1.G11 | No Test ID | Verify Secure Privilege Transfer | - Does the protocol allow the transfer of privileges?<br>- If yes, is the transfer process secure, and does it include a two-step (request and confirmation) mechanism?<br>- What happens during the transfer of privileges? |
| SCSVS-AUTH-2 | S4.2.G1 | No Test ID | Verify Critical Function Access Control | - Does the contract have the specified functions?<br>- If yes, are proper access control measures in place? |
| SCSVS-AUTH-2 | S4.2.G2 | No Test ID | Prevent Arbitrary Calls Execution | - Can the contract make arbitrary calls based on user input?<br>- Have you validated and sanitized user inputs to prevent executing unintended calls?<br>- Is there a mechanism to prevent execution of arbitrary code based on user input? |
| SCSVS-AUTH-2 | S4.2.G3 | No Test ID | Verify Caller Address in Callbacks | - Does the integrating contract verify the caller address in its callback functions?<br>- Have you implemented checks to validate the address of the calling contract in callback functions?<br>- Is there a review of callback logic to ensure it prevents unauthorized access or manipulation? |
| SCSVS-AUTH-2 | S4.2.G4 | No Test ID | Mitigate Risks from Excessively High Allowances | - Does the protocol implement safeguards against excessively high allowances?<br>- Is there a revert mechanism in place for overly high approval values? |