SCSVS-COMP-1 | S11.1.G1 | No Test ID | Verify validation of zero price transactions.
- Does the protocol validate that the returned price from the price feed is non-zero?
- What safeguards are in place to handle zero or invalid price values?
- How does the protocol ensure that price feeds do not return zero values that could affect operations?

SCSVS-COMP-1 | S11.1.G2 | No Test ID | Verify accuracy of price update time validation.
- Does the protocol validate the last update timestamp of the price feed to ensure it is within an acceptable delay?
- What mechanisms are in place to compare the price feed's update time against predefined maximum delays?
- How does the protocol handle outdated price feeds to prevent inaccuracies in price usage?

SCSVS-COMP-1 | S11.1.G3 | No Test ID | Verify enforcement of rollup sequencer validation.
- Does the protocol validate the operational status of the rollup sequencer to ensure it is online?
- Is there a method to check if the rollup sequencer is running to prevent stale price issues?
- How does the protocol handle the scenario where the rollup sequencer is offline?

SCSVS-COMP-1 | S11.1.G4 | No Test ID | Verify security of TWAP period calculations.
- Can the TWAP period be adjusted to mitigate risks of price manipulation?
- If the TWAP period is set, does it align with the protocol’s requirements for accurate price updates?
- Are there mechanisms in place to adjust the TWAP period based on identified manipulation risks?

SCSVS-COMP-1 | S11.1.G5 | No Test ID | Verify consistency of price feeds across chains.
- Does the desired price feed pair consistently appear across all deployed chains?
- If there is a process to verify price feed pairs, is it effective in maintaining consistency across chains?
- Are there checks in place to ensure that price feed pairs remain uniform across all chains?

SCSVS-COMP-1 | S11.1.G6 | No Test ID | Verify appropriateness of price feed heartbeat intervals.
- Is the heartbeat of the price feed appropriate for the protocol’s specific use case?
- If the price feed heartbeat is set, does it meet the operational needs of the protocol?
- Are there controls to ensure the price feed heartbeat aligns with the protocol’s requirements?

SCSVS-COMP-1 | S11.1.G7 | No Test ID | Verify suitability of price feeds for financial operations.
- Are the price feeds accurately matched to the underlying assets they represent?
- If using a price feed, does it correctly reflect the value of the underlying asset?
- Are there checks to ensure the appropriateness of the price feeds for the underlying assets?

SCSVS-COMP-1 | S11.1.G8 | No Test ID | Verify security of AMM spot price calculations.
- Can the protocol be manipulated through AMM spot prices, especially with flash loans?
- If spot prices from AMMs are used, are there additional checks to prevent manipulation?
- Are there safeguards to ensure the reliability of price data from AMMs?

SCSVS-COMP-1 | S11.1.G9 | No Test ID | Verify mitigation of flash crash price inaccuracies.
- Does the system have measures to handle inaccuracies in price feeds during flash crashes?
- If a flash crash occurs, are price feed values validated to be within an acceptable range?
- Are there safeguards to manage potential flash crash vulnerabilities in price feeds?

SCSVS-COMP-1 | S11.1.G10 | No Test ID | Verify secure usage of LzApp functions.
- Is the _lzSend function correctly utilized in place of direct lzEndpoint.send calls?
- Are there vulnerabilities associated with using direct calls to lzEndpoint.send?
- How does the protocol ensure proper usage of _lzSend?

SCSVS-COMP-1 | S11.1.G11 | No Test ID | Verify correct LayerZero user application configurations.
- Is the ILayerZeroUserApplicationConfig interface implemented correctly?
- Does the implementation include the forceResumeReceive function?
- How does the system handle unexpected scenarios that require unblocking the message queue?

SCSVS-COMP-1 | S11.1.G12 | No Test ID | Verify security of default contract configurations.
- Are default configuration contracts used in the application?
- What steps are taken to ensure applications are configured uniquely?
- How are default settings avoided in the contract configuration?

SCSVS-COMP-1 | S11.1.G13 | No Test ID | Verify correct handling of refunds for failed orders.
- Does the protocol issue refunds for failed or partially filled orders?
- What mechanisms are in place to handle refunds after swaps?
- Are there clear procedures for managing failed or incomplete transactions?

SCSVS-COMP-1 | S11.1.G14 | No Test ID | Ensure ERC20 Decimal Compatibility
- Can the protocol handle ERC20 tokens with decimals other than 18?
- Are there mechanisms in place to adjust for different decimal configurations of ERC20 tokens?

SCSVS-COMP-1 | S11.1.G15 | No Test ID | Ensure ERC20 Token Compatibility
- Does the protocol support all kinds of ERC20 tokens?
- Is there a whitelist or compatibility check for ERC20 tokens?
- Are there any unsupported token types clearly documented?

SCSVS-COMP-1 | S11.1.G16 | No Test ID | Verify Reorg Vulnerability with CREATE
- Does the contract deployment process use CREATE2 instead of CREATE to ensure contract stability across block reorgs?
- Is there a fallback mechanism in place to handle contract creation failures due to block reorgs?
- Has the protocol been tested for resilience against block reorgs affecting contract creation?

SCSVS-COMP-1 | S11.1.G17 | No Test ID | Validate Token Decimal Handling
- Does the AMM handle tokens with varying decimal places and types correctly?
- Have you verified compatibility with tokens of different decimal configurations?
- Is there validation for token types and decimal places before processing?

SCSVS-COMP-1 | S11.1.G18 | No Test ID | Ensure Fee-On-Transfer Token Support
- Does the AMM support fee-on-transfer tokens?
- Have you accounted for discrepancies between the sent and received amounts with fee-on-transfer tokens?
- Is there functionality to handle or adjust for fee-on-transfer tokens appropriately?

SCSVS-COMP-1 | S11.1.G19 | No Test ID | Handle Rebasing Token Effects
- Does the AMM support rebasing tokens?
- Have you accounted for changes in balance due to rebasing tokens?
- Is there functionality to correctly handle rebasing tokens and their balance changes?

SCSVS-COMP-1 | S11.1.G20 | No Test ID | Mitigate ERC4626 Flashloan Manipulation
- Can ERC4626 be manipulated through flashloans?
- Are there protections in place against flashloan attacks in ERC4626-related operations?
- Is the protocol aware of flashloan risks and has it implemented safeguards?

SCSVS-COMP-1 | S11.1.G21 | No Test ID | Analyze Risks in Forked Code
- Is the AMM using code forked from known projects?
- Have you reviewed the forked code for known vulnerabilities?
- Is there a comparison of the forked code against the original to identify potential security issues?