Skip to content

zk1tty/Solidity-Security-Checklist

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
assets/audit-company-logo
assets/audit-company-logo
 
 
documents
documents
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Solidity-Security-Checklist

Checklist for solidity contract deployment onto mainnet.

When to conduct this checklist

This checklist suppose to be conducted before code freezing.

Methodology

I start scanning solidity smart contracts to figure out top 1.0% common and critical vulnerabilities.

  • How to list points:
    • Review the vulnerability report patterns from the top 10 projects within 2 months
  • Concentrate on the top 1% of critical issues.
    • Check the pattern of vulnerability report from top 10 projects

Vulnerability Severity Classification System

I refer to the latest version(v2.3) of Immunefi's vulnerability Severity Classification System.

4-levels of severity on each scope segment.

4-levels of Severity:

  • Critical
  • High
  • Medium
  • Low

Scope Segment:

Coverage

I filtered samples as the following criteria.

  • Project Inherited ERC721 or ERC1155, and ERC2918(NFT Royalties).

Policy

Keep it Simple, up to 10 points.

CheckList

1. ReentrancyGuard

  • function to input:

2. AccessControl

  1. critical flow
  2. extensional function for structs: tokenURI,
  3. Beneficiary of Royalty

3. Extensional operations

  1. whitelist
  2. royalty

4. External call after status udpate

  • Pattern

5. Input Validation

6. Coverage of Operations

References

Cited from the reports of following companies.

This checklist is inspired by OWAPS-Web-Checklist.

About

Checklist for solidity contract deployment onto mainnet

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published