SCSVS-BRIDGE-1 |
S9.1.G1 |
No Test ID |
Verify handling of stale data in proof-of-reserves oracle. |
- Does the protocol verify the freshness of data retrieved from the Proof of Reserves Oracle? |
- Can the protocol process stale data due to lack of timestamp validation from the Oracle? |
- What measures are in place to ensure the data from the Proof of Reserves Oracle is current and reliable? |
SCSVS-BRIDGE-1 |
S9.1.G2 |
No Test ID |
Verify removal of deprecated Chainlink functions. |
- Is the protocol using deprecated Chainlink functions like latestAnswer() that may return stale data? |
- Are there updated Chainlink methods in use to ensure accurate and current data retrieval? |
- How does the protocol handle deprecated functions to maintain data integrity? |
SCSVS-BRIDGE-1 |
S9.1.G3 |
No Test ID |
Verify secure updating of price feed addresses. |
- Are price feed addresses hard-coded in the contract? |
- If price feed addresses are hard-coded, is there a mechanism to update them if they become deprecated? |
- Can the contract manage risks associated with outdated or inaccurate hard-coded price feed addresses? |
SCSVS-BRIDGE-1 |
S9.1.G4 |
No Test ID |
Verify correct cETH token integration. |
- Does the protocol use the cETH token, and if so, how is the absence of underlying() handled? |
- If cETH token integration is utilized, are there any issues or errors due to the absence of the underlying() function? |
- Are integration tests performed to ensure proper functionality with the cETH token? |
SCSVS-BRIDGE-1 |
S9.1.G5 |
No Test ID |
Verify management of cbETH rate decreases. |
- How does the system handle potential decreases in the cbETH/ETH rate? |
- What mechanisms are in place to inform users about significant rate changes? |
- Can users be affected by a dramatic decrease in the cbETH/ETH rate? |
SCSVS-BRIDGE-1 |
S9.1.G6 |
No Test ID |
Verify secure sfrxETH detachment handling. |
- Does the system handle potential detachment of sfrxETH from frxETH during reward transfers? |
- Is there transparency regarding actions of the Frax team's multi-sig contract in managing sfrxETH and frxETH? |
- Are mechanisms in place to alert users about discrepancies between sfrxETH and frxETH? |
SCSVS-BRIDGE-1 |
S9.1.G7 |
No Test ID |
Verify stability of sfrxETH rate calculations. |
- Does the system guarantee the stability of the sfrxETH/ETH rate, or can it change in the future? |
- Are users informed about potential changes to the sfrxETH/ETH rate? |
- Is there documentation available regarding the stability and future changes of the sfrxETH/ETH rate? |
SCSVS-BRIDGE-1 |
S9.1.G8 |
No Test ID |
Verify handling of stETH rebasing mechanisms. |
- Is the application aware of the rebasing nature of stETH? |
- Does the system consider using wstETH for simpler DeFi integrations? |
- Are there mechanisms in place to handle complexities introduced by rebasing tokens? |
SCSVS-BRIDGE-1 |
S9.1.G9 |
No Test ID |
Verify correct handling of stETH withdrawals. |
- Does the system account for overheads when withdrawing stETH or wstETH? |
- Are there mechanisms in place to handle queue time and limits associated with withdrawals? |
- How does the protocol address issues related to NFT receipt and withdrawal amount limits? |
SCSVS-BRIDGE-1 |
S9.1.G10 |
No Test ID |
Verify secure stETH-wstETH conversions. |
- Does the system handle conversions between stETH and wstETH accurately? |
- Are the rebasing characteristics of stETH managed correctly during conversions? |
- What measures are in place to ensure correct handling of stETH to wstETH conversions? |
SCSVS-BRIDGE-1 |
S9.1.G11 |
No Test ID |
Verify consistency of token order. |
- Is the order of token0 and token1 consistent across different chains? |
- What steps are taken to verify token order when interacting with various chains? |
- Can inconsistencies in token order impact functionality? |
SCSVS-BRIDGE-2 |
S9.2.G1 |
No Test ID |
Verify blockchain compatibility. |
- Has the protocol been reviewed for compatibility with target chains? |
- What steps are taken to address differences between chains? |
- How does the system ensure compatibility with various chains? |
SCSVS-BRIDGE-2 |
S9.2.G2 |
No Test ID |
Verify secure contract upgradability. |
- Have contract upgradability implications been evaluated for different chains? |
- What upgradability characteristics are documented for each chain? |
- How does the system address upgradability differences across chains? |
SCSVS-BRIDGE-2 |
S9.2.G3 |
No Test ID |
Verify security of cross-chain messaging. |
- Have cross-chain messaging implementations been thoroughly reviewed for permissions and functionality? |
- What security checks are in place for cross-chain messaging? |
- How does the system ensure correct permissions for cross-chain messages? |
SCSVS-BRIDGE-2 |
S9.2.G4 |
No Test ID |
Verify handling of unsupported chain messages. |
- Is there a whitelist of compatible chains for message handling? |
- What measures are in place to block messages from unsupported chains? |
- How does the system handle messages from non-whitelisted chains? |
SCSVS-BRIDGE-2 |
S9.2.5 |
No Test ID |
Verify correct PUSH0 opcode support. |
- Is the PUSH0 opcode supported for Solidity version >=0.8.20 on the target chain? |
- What compatibility checks are performed for the PUSH0 opcode? |
- How does the system handle chains that do not support PUSH0? |
SCSVS-BRIDGE-2 |
S9.2.G6 |
No Test ID |
Prevent Accounting Issues from Direct Transfers |
- Could direct transfers of assets affect the protocol's internal accounting? |
- Does the protocol rely on balanceOf or address.balance for accounting purposes? |
- Have you ensured that direct transfers do not disrupt the protocol’s logic or accounting? |
SCSVS-BRIDGE-2 |
S9.2.G7 |
No Test ID |
Handle Small Residual Balances |
- What happens if a small residual amount (e.g., 1 wei) remains in the pool? |
- Does the protocol handle minimal residual amounts appropriately? |
SCSVS-BRIDGE-2 |
S9.2.G8 |
No Test ID |
Verify Array Deletion Method |
- How does the protocol remove an item from an array? Verify the method used for array element removal. |
- Does the contract handle array reordering or element shifting after an item is deleted? |
- Are there mechanisms in place to update the array length or manage gaps created by delete? |
SCSVS-BRIDGE-2 |
S9.2.G9 |
No Test ID |
Verify Array Index Usage |
- Does any function get an index of an array as an argument? Verify if this index is used in contexts where the array might be modified. |
- How does the contract handle index-based access in arrays where elements might be added or removed? |
- Are there checks to ensure that index values are valid and consistent with the current state of the array? |
SCSVS-BRIDGE-2 |
S9.2.G10 |
No Test ID |
Verify Unique Array Validation |
- Is it acceptable to have duplicate items in the array? Verify the expected behavior of the array regarding uniqueness. |
- How does the protocol validate and handle duplicate entries in arrays, particularly user input arrays? |
- Are there checks or validations to enforce array uniqueness where required? |
SCSVS-BRIDGE-2 |
S9.2.G11 |
No Test ID |
Verify Loop Edge Cases |
- Is there any issue with the first and last iteration of loops? Verify if these iterations have different logic or edge cases. |
- How does the contract ensure consistent behavior throughout all iterations, including the initial and final ones? |
- Are there specific tests for the edge cases of loop iterations to prevent potential vulnerabilities? |
SCSVS-BRIDGE-2 |
S9.2.G13 |
No Test ID |
Verify Loop Control Statements |
- Is there a break or continue statement inside a loop? Verify how these statements are used within the loop. |
- How does the contract ensure that the use of break or continue does not lead to unexpected behaviors or logic errors? |
- Are there tests to cover scenarios where loop control statements might affect the loop's functionality? |
SCSVS-BRIDGE-2 |
S9.2.G14 |
No Test ID |
Verify State Variable Initialization |
- Are all important state variables explicitly initialized in the constructor or initialization functions? |
- Have you reviewed the contract to ensure no uninitialized state variables could lead to vulnerabilities or errors? |
- Is there a clear initialization strategy for all state variables used in the contract? |
SCSVS-BRIDGE-2 |
S9.2.G15 |
No Test ID |
Verify Proper Deletion of Nested Structures |
- Does the deletion logic ensure that all nested fields within a structure are properly handled and reset? |
- Are there mechanisms in place to delete or reset nested fields before removing the top-level field? |
- Have you verified that nested structures are correctly managed to avoid residual data issues? |
SCSVS-BRIDGE-2 |
S9.2.G16 |
No Test ID |
Verify External State Changes Impact |
- Does the contract rely on external states that can be modified by other actors? Verify how these external changes impact critical functions. |
- Are there protections against state changes that could disrupt normal user transactions, particularly for crucial operations like withdrawals or repayments? |
- How does the contract ensure that its core functionality remains intact despite potential manipulations by external actors? |
SCSVS-BRIDGE-2 |
S9.2.G17 |
No Test ID |
Verify Edge Case Handling |
- Are edge cases (such as zero or maximum values) specifically tested to ensure the contract handles them correctly? |
- Is there logic in place to handle unusual or extreme input values gracefully without failure? |
- Does the contract have mechanisms to validate and handle boundary values appropriately? |