SCSVS-CRYPTO

Temporary Checklist

This checklist contains the SCSVS v0.0.1 verification levels (L1, L2 and L3) which we are currently reworking into "security testing profiles". The levels were assigned according to the SCSVS v1 ID that the test was previously covering and might differ in the upcoming version of the SCSTG and SCS Checklist.

For the upcoming version of the SCSTG we will progressively split the SCSTG tests into smaller tests, the so-called "atomic tests", and assign the new SCS profiles to their respective SCWE weaknesses.

| SCG ID | VR ID | TEST ID | Control / SCSTG Test | Checklist |
|---|---|---|---|---|
| SCSVS-CRYPTO-1 | S6.1.G1 | No Test ID | Verify protection against reentrancy in reward withdrawals. | - Does the reward or withdrawal code of the protocol handle ETH transfers or NFT minting in a manner that prevents re-entrancy attacks?<br>- Are all state changes completed before external calls to prevent re-entrancy vulnerabilities?<br>- Can re-entrancy be exploited in the reward distribution or withdrawal process due to improper sequencing of operations? |
| SCSVS-CRYPTO-1 | S6.1.G2 | No Test ID | Verify EVM opcode compatibility. | - Are the EVM opcodes and operations used by the protocol compatible across all targeted chains?<br>- What steps are taken to ensure compatibility with chains like Arbitrum and Optimism?<br>- How does the system handle unsupported EVM operations? |
| SCSVS-CRYPTO-2 | S6.2.G1 | No Test ID | Verify Failed Transaction Replay Protection | - Is there a mechanism in place to prevent replay attacks on failed transactions? Verify the use of nonces or other protections.<br>- How does the contract ensure that each transaction can only be executed once, even if it fails initially?<br>- Are there specific measures to differentiate between unique and replayed transactions? |
| SCSVS-CRYPTO-2 | S6.2.G2 | No Test ID | Verify Signature Replay Protection | - Is there a protection mechanism to prevent signatures from being replayed on different chains? Verify the use of domain separators or chain-specific parameters.<br>- How does the protocol ensure that signatures are only valid on the intended chain?<br>- Are there safeguards to prevent cross-chain replay attacks on signed transactions? |
| SCSVS-CRYPTO-2 | S6.2.G3 | No Test ID | Verify Event Emitting on State Change | - Are events emitted for all critical state changes and function executions to ensure traceability?<br>- Is there a comprehensive list of all state-changing functions that should emit events?<br>- Does the contract's event logging cover edge cases and error scenarios effectively? |