SCSVS-COMM-1 | S5.1.G1 | No Test ID | Verify protection of exchange rates from sandwich attacks.
- Does the protocol allow instant withdrawals that could be exploited through sandwich attacks?
- Can an attacker manipulate the exchange rate through immediate deposits and withdrawals?
- Is there a mechanism to prevent front-running and back-running attacks affecting ETH drainage from the protocol?
SCSVS-COMM-1 | S5.1.G2 | No Test ID | Verify front-running protections for oracle price updates.
- Can oracle price updates be front-run to manipulate outcomes?
- If oracle price updates are vulnerable to front-running, are there protections in place?
- Are there mechanisms to safeguard the protocol from front-running attacks on oracle price updates?
SCSVS-COMM-1 | S5.1.G3 | No Test ID | Verify enforcement of Balancer flash loan fees.
- Does the protocol currently use Balancer's flash loans, and how are potential fees handled?
- If Balancer implements flash loan fees in the future, how will the protocol manage these fees?
- Are there mechanisms to ensure the repayment of fees along with the original debt in the receiveFlashLoan function?
SCSVS-COMM-1 | S5.1.G4 | No Test ID | Verify accuracy of Balancer oracle pricing.
- Does the protocol rely on Balancer's Oracle for pricing?
- If Balancer's Oracle is used, are there safeguards against price updates that do not reflect the true asset value?
- What are the potential risks of using Balancer's Oracle, and how are they mitigated?
SCSVS-COMM-1 | S5.1.G5 | No Test ID | Verify security of Balancer boosted pool supply calculations.
- Does the protocol use Balancer's Boosted Pool, and if so, does it use virtualSupply correctly?
- How is the total BPT supply in circulation determined in the context of Balancer's Boosted Pool?
- Are there any discrepancies in using virtualSupply versus totalSupply?
SCSVS-COMM-1 | S5.1.G6 | No Test ID | Verify Balancer vault pool liquidity security.
- Does the protocol use Balancer vault pool liquidity status for pricing or other calculations?
- How is the protocol protected against manipulation of token balances and BPT supply in Balancer pools?
- Are there precautions in place to prevent inaccuracies caused by manipulation of external queries?
SCSVS-COMM-1 | S5.1.G7 | No Test ID | Verify correct Chainlink VRF parameter configurations.
- Are all parameters thoroughly verified before calling Chainlink VRF to ensure correct results?
- What mechanisms are in place to validate parameters for Chainlink VRF calls?
- How does the protocol handle potential issues with parameter verification in Chainlink VRF?
SCSVS-COMM-1 | S5.1.G8 | No Test ID | Verify secure Chainlink VRF subscription mechanisms.
- Is it ensured that sufficient LINK is maintained in the Chainlink VRF subscription to avoid pending states?
- How does the protocol handle scenarios where the subscription is low on LINK?
- What measures are in place to prevent vulnerabilities related to insufficient LINK in the Chainlink VRF subscription?
SCSVS-COMM-1 | S5.1.G9 | No Test ID | Verify security of confirmation number selection.
- Is the number of confirmations chosen appropriate for the chain's history and risks?
- How does the choice of confirmations address past reorg events?
- Are there any adjustments made based on the chain's reorg vulnerabilities?
SCSVS-COMM-1 | S5.1.G10 | No Test ID | Verify correct cbETH rate control.
- How is control over the cbETH/ETH rate determined?
- Are there specific addresses with control due to the onlyOracle modifier?
- Can centralization risks or manipulations arise from this control?
SCSVS-COMM-1 | S5.1.G11 | No Test ID | Verify security of direct pool swap usage.
- Is pool.swap() used directly in the application?
- What security mechanisms are bypassed by using pool.swap() directly?
- Does the system use the Router contract for swaps to enhance security?
SCSVS-COMM-1 | S5.1.G12 | No Test ID | Verify correct use of Uniswap math libraries.
- Is unchecked used appropriately with Uniswap's TickMath and FullMath libraries?
- How does the application ensure compliance with Solidity version specifics regarding unchecked?
- Are there any safety concerns with the current usage of unchecked?
SCSVS-COMM-1 | S5.1.G13 | No Test ID | Verify protection against Slot0 manipulation.
- Is pool.slot0 used for calculating sensitive information like current price and exchange rates?
- What alternatives are used for sensitive calculations to avoid manipulation risks?
- Are secure mechanisms like UniswapV3 TWAP or Chainlink Price Oracle used for price and rate calculations?
SCSVS-COMM-1 | S5.1.G14 | No Test ID | Verify removal of hardcoded fee tiers.
- Is there a hard-coded fee tier parameter in swap functions?
- Can users specify the fee tier parameter when initiating Uniswap V3 swaps?
- What impact does hard-coding the fee tier have on swap functionality?
SCSVS-COMM-2 | S5.2.G1 | No Test ID | Verify Untrusted External Contract Calls
- Are there any state changes after interactions with untrusted external contracts? Verify if these interactions are securely managed.
- Does the contract use the check-effects-interactions pattern or reentrancy guards to handle external contract calls?
- How does the protocol handle potential issues arising from external contract callbacks, such as multiple withdrawals or event order?
SCSVS-COMM-2 | S5.2.G2 | No Test ID | Verify Input Validation
- Are all function inputs validated for type, range, and format before processing?
- Is there validation logic for boundary values and unexpected input scenarios?
- Are there checks in place to prevent unauthorized or malicious data from being processed?
SCSVS-COMM-2 | S5.2.G3 | No Test ID | Verify Output Validation
- Are outputs validated for correctness and consistency before being returned or used?
- Does the contract include checks to ensure outputs do not introduce security vulnerabilities or logical errors?
- Is there validation to confirm that outputs are within expected ranges and formats?
SCSVS-COMM-2 | S5.2.G4 | No Test ID | Verify Price Manipulation Vectors
- How does the protocol obtain asset prices? Verify if the method is susceptible to manipulation through flash loans or donations.
- Are there external or decentralized price oracles used to mitigate risks associated with price manipulation?
- Does the contract include mechanisms to verify the accuracy and integrity of price data?
SCSVS-COMM-3 | S5.3.G1 | No Test ID | Verify Arbitrary Input and Low-Level Calls
- Are all low-level calls restricted or validated to prevent exploitation with arbitrary user input?
- Does the contract include checks to ensure that arbitrary data used in low-level calls does not lead to unintended behavior?
- Is there a mechanism to sanitize and validate user input before passing it to low-level calls?
SCSVS-COMM-3 | S5.3.G2 | No Test ID | Verify External Contract Interaction Safety
- Does the contract use the check-effects-interactions pattern to ensure safe interactions with external contracts?
- Are there fallback mechanisms in place to handle failures or unexpected results from external contract interactions?
- How does the contract ensure that external dependencies do not affect its core functionality or state?