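├── .gitignore
├── 0.1
├── Makefile
├── en
│ ├── 0x00-Header.yaml
│ ├── 0x01-Frontispiece.md
│ ├── 0x02-Preface.md
│ ├── 0x03-Using-SCSVS.md
│ ├── 0x04-Assessment_and_Certification.md
│ ├── 0x10-S1-Architecture_Design_and_Threat_Modeling.md
│ ├── 0x11-S2-Policies_Procedures_and_Code_Management.md
│ ├── 0x12-S3-Business_Logic_and_Economic_Security.md
│ ├── 0x13-S4-Access-Control_and_Authentication.md
│ ├── 0x14-S5-Secure-Interactions_and_Communications.md
│ ├── 0x15-S6-Cryptographic-Practices.md
│ ├── 0x16-S7-Arithmetic_and_Logic-Security.md
│ ├── 0x17-S8-Denial-of-Service-DoS.md
│ ├── 0x18-S9-Blockchain-Data_and-State-Management.md
│ ├── 0x19-S10-Gas-Usage-Efficiency_and-limitations.md
│ ├── 0x20-S11-Component-Specific-Security.md
│ ├── 0x90-Appendix-A_Glossary.md
│ └── 0x91-Appendix-B_References.md
├── generate-all.sh
├── images
│ ├── credshields-logo.png
│ ├── license.png
│ ├── owaspLogo.png
│ ├── owasp_logo_1c_notext.png
│ ├── owasp_logo_header.png
│ ├── solidityscan-black-logo.png
│ └── solidityscan-logo.png
├── templates
│ ├── eisvogel.tex
│ ├── header-eisvogel.tex
│ └── reference.docx
└── tools
│ ├── cyclonedx.py
│ ├── export.py
│ ├── generate_document.sh
│ ├── install_deps.sh
│ └── scsvs.py
├── 404.html
├── CONTRIBUTING.md
├── Gemfile
├── LICENSE.md
├── README.md
├── SECURITY.md
├── SUPPORTERS.md
├── _config.yml
├── assets
└── images
│ ├── Credshields_logo_w.png
│ ├── README.md
│ ├── credshields-logo.png
│ ├── scsvs-banner.png
│ ├── solidityscan-black-logo.png
│ └── solidityscan-logo.png
├── compiling.md
├── docker
└── Dockerfile
├── index.md
├── info.md
├── leaders.md
├── release.md
└── tab_supporters.md
/.gitignore:
--------------------------------------------------------------------------------
1 | /Gemfile
2 | /Gemfile.lock
3 | /favicon.ico
4 | _site/
--------------------------------------------------------------------------------
/0.1/Makefile:
--------------------------------------------------------------------------------
# Build the SCSVS documents (PDF/TeX/DOCX/ODT) and data exports (JSON/CSV/XML)
# from the per-language markdown sources under $(PROJDIR)/<lang>/.
#
# Pipeline:  <lang>/*.md  --sed-->  build/<lang>/*.md  --pandoc-->  dist/<lang>/$(TARGETNAME)<lang>.*
# The data exports are produced directly from the sources by tools/export.py.

# Surfaces references to undefined variables (the original's TARGETS referenced
# an undefined BUILDDIRS, which this flag would have reported).
MAKEFLAGS += --warn-undefined-variables
.DEFAULT_GOAL := all
# Remove a partially written target when its recipe fails, so a truncated
# PDF or export never looks up to date on the next run.
.DELETE_ON_ERROR:

PROJDIR := $(realpath $(CURDIR))
# realpath yields an empty string when the directory cannot be resolved; every
# path below (including the rm -rf targets) is derived from PROJDIR, so stop here.
ifeq ($(strip $(PROJDIR)),)
$(error PROJDIR could not be resolved from CURDIR=$(CURDIR))
endif

TOOLSDIR    := tools
TEMPLATEDIR := templates
TARGETNAME  := OWASP_Smart_Contract_Security_Verification_Standard-0.0.1_

# Languages to build. "fr" was listed but commented out in the original.
LANGDIRS := en

# Absolute build, dist and source roots.
BUILDDIR  := $(PROJDIR)/build
DISTDIR   := $(PROJDIR)/dist
SOURCEDIR := $(PROJDIR)

# Per-language directories.
SOURCE_FOLDERS := $(foreach lang,$(LANGDIRS),$(SOURCEDIR)/$(lang))
BUILD_FOLDERS  := $(foreach lang,$(LANGDIRS),$(BUILDDIR)/$(lang))
DIST_FOLDERS   := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang))

# Markdown sources (found recursively, as in the original), the per-language
# pandoc YAML header, and the transformed copies of the sources under build/.
SOURCE_FILES := $(foreach lang,$(LANGDIRS),$(shell find $(SOURCEDIR)/$(lang) -type f -name "*.md"))
HEADER_FILES := $(foreach lang,$(LANGDIRS),$(SOURCEDIR)/$(lang)/0x00-Header.yaml)
BUILD_FILES  := $(patsubst $(SOURCEDIR)/%,$(BUILDDIR)/%,$(SOURCE_FILES))

# Distribution artefacts, one of each per language.
MD_FILES        := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/source_$(lang).md)
PDF_FILES       := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).pdf)
TEX_FILES       := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).tex)
DOCX_FILES      := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).docx)
ODT_FILES       := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).odt)
JSON_FILES      := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).json)
JSON_CDX_FILES  := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).cdx.json)
JSON_FLAT_FILES := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).flat.json)
CSV_FILES       := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).csv)
XML_FILES       := $(foreach lang,$(LANGDIRS),$(DISTDIR)/$(lang)/$(TARGETNAME)$(lang).xml)

# The original defined this as $(addprefix $(BUILDDIRS)/,...) with BUILDDIRS
# undefined, which made `all` depend on the untransformed sources instead of
# the transformed pages under $(BUILDDIR).
TARGETS     := $(BUILD_FILES)
EXPORT_TOOL := $(TOOLSDIR)/export.py

# For an artefact directory $(DISTDIR)/<lang>, the matching build and source
# directories; call with $(@D). The original used $(subst dist,...), which
# also rewrites any "dist" appearing elsewhere in the project path.
build_dir_of = $(patsubst $(DISTDIR)/%,$(BUILDDIR)/%,$(1))
src_dir_of   = $(patsubst $(DISTDIR)/%,$(SOURCEDIR)/%,$(1))

PANDOC_MD_FLAGS := -f gfm -s -t markdown

# PDF is produced through xelatex. pandoc's markdown reader keeps raw LaTeX by
# default, so the page sources reach the engine as TeX; the engine is invoked
# without any shell-escape option here — keep it that way.
PANDOC_PDF_FLAGS := -f markdown -s -t latex --pdf-engine=xelatex

PANDOC_TEX_FLAGS := -f markdown -s -t latex

PANDOC_DOCX_FLAGS := -s \
    -t docx \
    -f markdown \
    --toc \
    --columns 10000 \
    --reference-doc=$(TEMPLATEDIR)/reference.docx

# templates/reference.odt is not in the repository tree; `odt` is therefore
# not part of `all`.
PANDOC_ODT_FLAGS := -s \
    -t odt \
    -f markdown \
    --toc \
    --columns 10000 \
    --reference-doc=$(TEMPLATEDIR)/reference.odt

.PHONY: all md pdf docx json json_flat cdx_json csv xml odt tex clean rm-build rm-dist transform-md

# Build every distributable, then drop the intermediate build tree. The cleanup
# runs in the recipe, after all prerequisites, rather than as a prerequisite:
# the original listed rm-build next to pdf/docx, so under `make -j` the build
# tree could be deleted while pandoc was still reading it.
all: $(TARGETS) pdf docx json json_flat cdx_json csv xml
	$(MAKE) rm-build

$(BUILDDIR) $(DISTDIR):
	mkdir -p $@

# Language subdirectories. They are order-only prerequisites everywhere else,
# so a directory's mtime never triggers a rebuild.
$(BUILD_FOLDERS): | $(BUILDDIR)
	mkdir -p $@

$(DIST_FOLDERS): | $(DISTDIR)
	mkdir -p $@

# Transform each source page for the later stages: link bare CWE numbers in
# table cells to cwe.mitre.org, rewrite table separator rows to fixed widths,
# strip the character before "./images/" (so "../images/" becomes "./images/")
# and turn literal \r \n \t \v sequences into \escape{..}. Each page depends
# only on its own source (the original rebuilt every page when any source
# changed) and is written via a temp file so an interrupted run cannot leave
# a truncated page behind. `printf` replaces `echo "\newpage"`, whose output
# depends on the shell: dash's echo interprets "\n" and emits a newline plus
# "ewpage".
$(BUILD_FILES): $(BUILDDIR)/%.md: $(SOURCEDIR)/%.md | $(BUILD_FOLDERS)
	sed -E 's#(\| ?)([0-9]{1,4})( ?\|)#\1[\2](https://cwe.mitre.org/data/definitions/\2.html)\3#; s#^(\| :?---:? \| :?)---( .*)#\| :-----: \| :---------------------------------------------------\2#; s#.(./images/)#\1#; s#(\\)([rntv])#\\escape{\2}#g' $< > $@.tmp
	printf '%s\n' '\newpage' >> $@.tmp
	mv -f $@.tmp $@

# NOTE(review): the pandoc input here is build/<lang>/source_<lang>.md, which
# no rule in this file produces — confirm what `md` is meant to consume.
# `sed -i` without a suffix argument is GNU sed syntax.
$(MD_FILES): $(BUILD_FILES) | $(DIST_FOLDERS)
	pandoc $(PANDOC_MD_FLAGS) -o $@ $(patsubst $(DISTDIR)/%,$(BUILDDIR)/%,$@)
	sed -Ei 's#../images/#./images/#' $@
md: $(MD_FILES)
	echo $(MD_FILES)

# PDF and TeX: the transformed pages (shell glob, hence filename order) plus
# the language's YAML header, rendered with the eisvogel template. The
# template files are prerequisites so editing them triggers a rebuild.
$(PDF_FILES): $(BUILD_FILES) $(HEADER_FILES) $(TEMPLATEDIR)/eisvogel.tex $(TEMPLATEDIR)/header-eisvogel.tex | $(DIST_FOLDERS)
	pandoc $(PANDOC_PDF_FLAGS) --include-in-header=$(TEMPLATEDIR)/header-eisvogel.tex -o $@ --template $(TEMPLATEDIR)/eisvogel.tex $(call build_dir_of,$(@D))/*.md $(call src_dir_of,$(@D))/0x00-Header.yaml
pdf: $(PDF_FILES)

$(TEX_FILES): $(BUILD_FILES) $(HEADER_FILES) $(TEMPLATEDIR)/eisvogel.tex $(TEMPLATEDIR)/header-eisvogel.tex | $(DIST_FOLDERS)
	pandoc $(PANDOC_TEX_FLAGS) --include-in-header=$(TEMPLATEDIR)/header-eisvogel.tex -o $@ --template $(TEMPLATEDIR)/eisvogel.tex $(call build_dir_of,$(@D))/*.md $(call src_dir_of,$(@D))/0x00-Header.yaml
tex: $(TEX_FILES)

$(DOCX_FILES): $(BUILD_FILES) $(HEADER_FILES) $(TEMPLATEDIR)/reference.docx | $(DIST_FOLDERS)
	pandoc $(PANDOC_DOCX_FLAGS) -o $@ $(call build_dir_of,$(@D))/*.md $(call src_dir_of,$(@D))/0x00-Header.yaml
docx: $(DOCX_FILES)

# The original pointed --metadata-file at $(SOURCEDIR)/0x00-Header.yaml, which
# does not exist in the tree; the header lives in each language directory.
$(ODT_FILES): $(BUILD_FILES) $(HEADER_FILES) | $(DIST_FOLDERS)
	pandoc $(PANDOC_ODT_FLAGS) -o $@ $(call build_dir_of,$(@D))/*.md --metadata-file=$(call src_dir_of,$(@D))/0x00-Header.yaml
odt: $(ODT_FILES)

# Data exports are generated straight from the sources by export.py, which is
# handed the language's source directory (the original passed the same
# directory with a doubled slash). They depend on the source files rather
# than the source directories, so a directory mtime change alone does not
# re-export.
$(JSON_FILES): $(SOURCE_FILES) | $(DIST_FOLDERS)
	python3 $(EXPORT_TOOL) --format json --language "$(call src_dir_of,$(@D))" > $@
json: $(JSON_FILES)

$(JSON_FLAT_FILES): $(SOURCE_FILES) | $(DIST_FOLDERS)
	python3 $(EXPORT_TOOL) --format json_flat --language "$(call src_dir_of,$(@D))" > $@
json_flat: $(JSON_FLAT_FILES)

$(JSON_CDX_FILES): $(SOURCE_FILES) | $(DIST_FOLDERS)
	python3 $(EXPORT_TOOL) --format cdx_json --language "$(call src_dir_of,$(@D))" > $@
cdx_json: $(JSON_CDX_FILES)

$(CSV_FILES): $(SOURCE_FILES) | $(DIST_FOLDERS)
	python3 $(EXPORT_TOOL) --format csv --language "$(call src_dir_of,$(@D))" > $@
csv: $(CSV_FILES)

$(XML_FILES): $(SOURCE_FILES) | $(DIST_FOLDERS)
	python3 $(EXPORT_TOOL) --format xml --language "$(call src_dir_of,$(@D))" > $@
xml: $(XML_FILES)

# Remove the intermediate build tree. No prerequisite: the original listed
# $(BUILDDIR) as one, re-creating the directory only to delete it. BUILDDIR is
# always an absolute path below PROJDIR, which is validated non-empty above.
rm-build:
	rm -rf $(BUILDDIR)

# Remove the per-language dist folders (the dist root itself is kept, as in
# the original).
rm-dist:
	rm -rf $(DIST_FOLDERS)

clean: rm-build rm-dist

# Convenience alias for producing the transformed pages only.
transform-md: $(BUILD_FILES)
--------------------------------------------------------------------------------
/0.1/en/0x00-Header.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Smart Contract Security Verification Standard 0.0.1"
3 | subtitle: "Bleeding Edge Version"
4 | date: 2024
5 | titlepage: true
6 | titlepage-rule-height: 0
7 |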
titlepage-logo: "images/owasp_logo_1c_notext.png" 8 | table-use-row-colors: true 9 | toc: true 10 | toc-own-page: true 11 | geometry: "left=2cm,right=2cm,top=3cm,bottom=3cm" 12 | CJKmainfont: "Noto Sans CJK JP" 13 | mainfont: "Source Serif 4" 14 | sansfont: "Source Sans 3" 15 | --- -------------------------------------------------------------------------------- /0.1/en/0x01-Frontispiece.md: -------------------------------------------------------------------------------- 1 | # Frontispiece 2 | 3 | ## About the Standard 4 | 5 | The **Smart Contract Security Verification Standard (SCSVS)** is a list of specific security requirements or tests for smart contracts, primarily written in Solidity and deployed on EVM-based blockchains. These requirements are intended to be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test, and verify secure smart contracts, decentralized applications (dApps) and blockchain protocols. The standard promotes best practices for ensuring the security and integrity of smart contracts and decentralized finance (DeFi) systems. 6 | 7 | 8 | ## Copyright and License 9 | 10 | Version 0.0.1 (Bleeding Edge version), 2024 11 | 12 | ![license](../images/license.png) 13 | 14 | Copyright © 2008-2024 The OWASP Foundation. This document is released under the [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/). For any reuse or distribution, you must make clear to others the license terms of this work. 
15 | 16 | ## Project Leads 17 | 18 | | | 19 | |---------------------- | 20 | | [Shashank](https://in.linkedin.com/in/shashank-in) (CredShields) | 21 | 22 | ## Major Contributors and Reviewers 23 | 24 | | | | | 25 | |---------------- |------------------ |--------------------- | 26 | | [Pratik Lagaskar](https://www.linkedin.com/in/pratik-lagaskar/) |[Nehal Pillai](https://www.linkedin.com/in/nehal-pillai) | [Aditya Dixit](https://in.linkedin.com/in/ad17ya) | | | 27 | 28 | If a credit is missing from the 0.0.1 credit list above, please log a ticket at GitHub to be recognized in future 0.x updates. 29 | 30 | The **Smart Contract Security Verification Standard (SCSVS)** is built upon the initial research performed into smart contract security by various blockchain security experts. Much of the concept, structure, boilerplate, and tooling for the SCSVS has been adapted from the OWASP ASVS project. We extend our gratitude to all those previously involved in the OWASP ASVS for their contributions. 31 | 32 | ## Major Supporter and Sponsor 33 | This initiative would not have been possible without the support of our sponsor and the resources they have provided. We would like to express our gratitude to the following for their support. 34 | 35 | ### CredShields 36 | 37 | 38 | ![CredShields](../images/credshields-logo.png){ width=300px } 39 | ![SolidityScan](../images/solidityscan-black-logo.png){ width=300px } 40 | 41 | 42 | 43 | The OWASP SCSVS project was initiated to share the knowledge gained from the CredShields Security Team's research into Smart Contract security while developing [SolidityScan.com](https://solidityscan.com), an AI-powered vulnerability scanner for Smart Contracts. We extend our gratitude to [CredShields](https://credshields.com) for their efforts in defining the initial requirements and founding this project. 
-------------------------------------------------------------------------------- /0.1/en/0x02-Preface.md: -------------------------------------------------------------------------------- 1 | # Preface 2 | 3 | Welcome to the alpha release of the **OWASP Smart Contract Security Verification Standard (SCSVS)**, which serves as a framework for assessing the security of smart contracts built on **Ethereum Virtual Machine (EVM)-based blockchains**, specifically those developed using **Solidity**. 4 | 5 | Smart contracts are autonomous programs that execute on decentralized blockchain networks, facilitating a wide range of applications, including decentralized finance (DeFi), governance systems, and tokenized assets. However, the immutability and high-value nature of blockchain ecosystems introduce unique risks and challenges. This makes security in smart contract development not only critical but also highly specialized. 6 | 7 | The SCSVS aims to provide **comprehensive, actionable guidelines** that support developers, auditors, security professionals, and architects in building and maintaining secure smart contracts, particularly within the Solidity ecosystem on EVM-based blockchains. It seeks to address common and emerging vulnerabilities, such as **reentrancy attacks**, **integer overflows/underflows**, **gas optimization issues**, and **economic attacks**—all of which pose significant risks to smart contract security and user trust. 8 | 9 | This alpha release is the result of a collaborative effort by professionals and experts across various sectors, including blockchain security, financial technology, and decentralized application (dApp) development. The SCSVS is designed to offer **flexible and evolving guidance** for securing smart contracts, addressing both **functional** and **non-functional security aspects**. 
10 | 11 | ### Scope and Purpose 12 | 13 | The SCSVS provides detailed verification requirements that focus on the **design**, **implementation**, and **testing** phases of smart contract development. It seeks to guide stakeholders through: 14 | 15 | - **Designing with security in mind**: Ensuring that security is a core principle during the planning stages of smart contract development. 16 | - **Implementing secure coding practices**: Emphasizing Solidity-specific security measures to mitigate risks inherent to the EVM environment. 17 | - **Auditing and Testing**: Offering best practices for conducting rigorous security audits, penetration testing, and ongoing monitoring of smart contracts once deployed. 18 | 19 | This standard is particularly relevant for developers who work on **DeFi protocols**, **token contracts**, **decentralized exchanges (DEXs)**, and any application that interacts with assets or governance in a decentralized manner. Its guidelines are aligned with the broader needs of the Ethereum and EVM-based blockchain ecosystems, though many principles apply to other smart contract platforms as well. 20 | 21 | ### A Collaborative Effort 22 | 23 | The security challenges facing smart contract developers are constantly evolving, as adversaries seek new ways to exploit weaknesses in decentralized systems. The **SCSVS alpha release** is designed to be a starting point, and we openly invite contributions from the community to help expand, refine, and adapt these guidelines. 24 | 25 | We understand that no security standard can be entirely comprehensive, especially in the dynamic field of blockchain technology, which is rapidly advancing. The aim is to foster **collaboration** and **continuous improvement**. Your feedback and active participation will be invaluable in ensuring that the SCSVS remains practical, effective, and up to date with emerging threats and technologies. 
26 | 27 | ### Looking Ahead 28 | 29 | The OWASP Smart Contract Security Verification Standard is not a final document. This alpha release is the foundation for a **living standard** that will grow and adapt with the needs of the community and advances in smart contract development. We encourage the community to engage actively with this project—whether by contributing ideas, identifying gaps, or proposing enhancements. 30 | 31 | In the spirit of OWASP’s mission, this standard seeks to improve the security posture of the smart contract ecosystem, safeguarding both developers and users alike. We sincerely thank all contributors, and we look forward to your continued support in shaping the future of secure smart contract development. 32 | 33 | **Together, we can build a safer decentralized future.** 34 | -------------------------------------------------------------------------------- /0.1/en/0x03-Using-SCSVS.md: -------------------------------------------------------------------------------- 1 | # Utilizing the SCSVS 2 | 3 | The OWASP Smart Contract Security Verification Standard (SCSVS) serves several key purposes: 4 | 5 | - **Assisting Development Teams**: Guide smart contract developers in designing, implementing, and maintaining secure decentralized applications (dApps) and contracts, particularly on EVM-based blockchains. 6 | 7 | - **Framework for Security Teams**: Assist security professionals in setting requirements, conducting security audits, and performing penetration tests against smart contract systems to ensure they meet robust security standards. 8 | 9 | - **Aligning Security Benchmarks**: Establish a common security framework that can be adopted by blockchain platforms, vendors, developers, and clients regarding security expectations in smart contracts and decentralized applications. 
10 | 11 | ## Security Verification Layers 12 | 13 | The SCSVS categorizes security verification into three distinct levels, each aimed at different levels of security assurance in smart contract development and deployment: 14 | 15 | 1. **SCSVS Level 1 - Basic Security**: This level is designed for smart contracts with lower security risks. It focuses on fundamental security controls, ensuring baseline protection for any decentralized application. 16 | 17 | 2. **SCSVS Level 2 - Moderate Security**: Ideal for smart contracts that handle sensitive data, financial transactions, or are part of a DeFi ecosystem. Level 2 provides a more balanced approach to security, addressing common vulnerabilities like reentrancy attacks, gas inefficiencies, and access control weaknesses. 18 | 19 | 3. **SCSVS Level 3 - High Assurance Security**: This level is tailored for mission-critical smart contracts where significant financial assets, governance, or high-value transactions are at stake. Level 3 ensures extensive security measures and covers advanced protections such as formal verification, multi-signature wallets, and decentralized governance. 20 | 21 | Each level of the SCSVS provides a detailed set of security requirements, mapping these to essential security features and practices needed to build secure smart contracts. Whether developing, auditing, or deploying smart contracts, the SCSVS offers a clear roadmap to help teams at every stage. 22 | 23 | ## Assumptions 24 | 25 | When utilizing the SCSVS, it's important to consider the following assumptions: 26 | 27 | - The SCSVS is not a replacement for standard secure development practices such as **secure coding** or following a **Secure Software Development Life Cycle (SSDLC)**. It should complement these practices by addressing specific security needs for **EVM-based smart contracts** and decentralized applications. 28 | 29 | - The SCSVS is not intended to replace comprehensive **threat modeling** or **security reviews**. 
It serves as a specialized guide to help identify and mitigate vulnerabilities unique to smart contracts. Employing the SCSVS should enhance, not replace, traditional security risk assessments and penetration tests. 30 | 31 | While the SCSVS offers a solid framework for improving the security of smart contracts, it cannot ensure complete security on its own. It should be considered a foundational security standard, with additional protective measures added as necessary to address specific vulnerabilities and evolving threats in decentralized environments. 32 | -------------------------------------------------------------------------------- /0.1/en/0x04-Assessment_and_Certification.md: -------------------------------------------------------------------------------- 1 | # Assessment and Certification 2 | 3 | ## OWASP's Stance on SCSVS Certifications and Trust Marks 4 | 5 | OWASP, as a vendor-neutral not-for-profit organization, does not currently certify any vendors, verifiers, or smart contracts. 6 | 7 | All such assurance assertions, trust marks, or certifications are not officially vetted, registered, or certified by OWASP. Therefore, organizations relying on third-party verification or certifications must carefully evaluate the trust placed in any external entity or trust mark claiming **Smart Contract Security Verification Standard (SCSVS)** certification. 8 | 9 | This should not discourage organizations from offering security verification or audit services, as long as they do not claim to provide official OWASP certification. 10 | 11 | ## Guidance for Certifying Organizations 12 | 13 | For Smart Contract Security Verification Standard (SCSVS) compliance, an "open book" review is recommended, where assessors are granted access to essential resources such as smart contract developers, project documentation, source code, and authenticated blockchain interfaces (including access to the blockchain explorer, transaction logs, and testing environments). 
It's essential that assessors gain access to at least one account for each user role, particularly if the contract supports permissioned or role-based access. 14 | 15 | It is important to note that the SCSVS only covers the security requirements specific to **EVM-based smart contracts** and does not extend to general application security controls (e.g., web interfaces, databases, or other non-blockchain components). Any additional systems or non-blockchain elements should be verified against appropriate security standards, such as the [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/). 16 | 17 | ### Certification Reports 18 | 19 | Certification reports should clearly define the scope of the verification, specifying which smart contracts, components, or decentralized applications (dApps) were reviewed, and should list any excluded items from the review. The report should summarize the findings, detailing both passed and failed security controls, alongside guidance on how to remediate any failures. 20 | 21 | Industry-standard practices for security certification require thorough documentation of the verification process. This should include: 22 | 23 | - **Work papers**: Notes and records on each step of the verification process. 24 | - **Screenshots**: Evidence of security control tests, such as transaction hashes or audit results. 25 | - **Scripts**: Used for testing and replication of discovered issues. 26 | - **Blockchain logs**: Detailed records of the verification process including contract interactions, transactions, and gas usage. 27 | 28 | Automated tools alone are insufficient to verify SCSVS compliance. All verification reports must provide conclusive, manually validated evidence that demonstrates the thorough and accurate testing of all required controls. In case of disputes, documentation should include adequate evidence to confirm that each control has been appropriately tested and validated. 
29 | -------------------------------------------------------------------------------- /0.1/en/0x10-S1-Architecture_Design_and_Threat_Modeling.md: -------------------------------------------------------------------------------- 1 | # S1. Architecture, Design, and Threat Modeling 2 | 3 | ## S1.1 Secure Design Patterns 4 | 5 | ### Control Objective 6 | Ensure that smart contracts are designed with modularity, upgradability, and separation of concerns to enable secure operations, upgrades, and maintenance. Contracts should be designed to minimize security risks related to complex upgrades, privilege transfers, and mismanagement of dependencies. 7 | 8 | ### Security Verification Requirements 9 | 10 | ### S1.1.A Modularity and Upgradability 11 | 12 | | Ref | Requirement | L1 | L2 | L3 | SWE | 13 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 14 | | S1.1.A1 | Verify that the contract is divided into modular components or contracts. | | ✓ | ✓ | | 15 | | S1.1.A2 | Ensure that upgrade mechanisms are designed to allow secure and controlled updates. | | ✓ | ✓ | | 16 | | S1.1.A3 | Check that module boundaries are clearly defined and that dependencies are managed. | | ✓ | ✓ | | 17 | | S1.1.A4 | Ensure that changes to storage variable order or types between contract versions are managed to avoid storage collisions and data corruption. | | ✓ | ✓ | | 18 | | S1.1.A5 | Verify that critical privilege transfers are conducted in a two-step process to ensure secure and reliable privilege changes. | | | ✓ | | 19 | | S1.1.A6 | Verify that the data location of parameters and return variables is correctly handled when overriding internal and public functions to avoid generating invalid code during virtual function calls. 
| | | ✓ | | 20 | 21 | ### S1.1.B Separation of Concerns 22 | 23 | | Ref | Requirement | L1 | L2 | L3 | SWE | 24 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 25 | | S1.1.B1 | Verify that different functionalities are separated into distinct contracts or modules. | | ✓ | ✓ | | 26 | | S1.1.B2 | Ensure that each module has a single responsibility and minimal dependencies on other modules. | | ✓ | ✓ | | 27 | | S1.1.B3 | Check for any cross-module dependencies that could lead to security risks. | | ✓ | ✓ | | 28 | | S1.1.B4 | Ensure that the protocol maintains consistent and reliable operation during the transfer of privileges, with considerations for various edge cases. | | | ✓ | | 29 | | S1.1.B5 | Verify that proxy contracts use the `onlyInitializing` modifier instead of `initializer` to ensure proper initialization. | | | ✓ | | 30 | | S1.1.B6 | Verify that storage layouts between contract versions are consistent to prevent data corruption and unpredictable behavior. | | | ✓ | | 31 | | S1.1.B7 | Ensure that immutable variables are consistent across implementations during proxy upgrades. | | | ✓ | | 32 | | S1.1.B8 | Verify that implementations of the same logic across different parts of the contract are consistent to avoid introducing errors or vulnerabilities. | | | ✓ | | 33 | | S1.1.B9 | Ensure that ETH and WETH are handled separately with appropriate checks to avoid errors due to incorrect assumptions about exclusivity. | | | ✓ | | 34 | | S1.1.B10 | Verify that contracts with constructors are not used in a proxy setup, and initializer logic is used instead. | | | ✓ | | 35 | 36 | ## S1.2 Proxy Patterns 37 | 38 | ### Control Objective 39 | Ensure that proxy patterns and upgrade mechanisms are implemented securely and managed properly, to mitigate risks during contract upgrades, deprecations, and transitions between contract versions. 
40 | ### Security Verification Requirements 41 | ### S1.2.A Upgrade Mechanisms 42 | 43 | | Ref | Requirement | L1 | L2 | L3 | SWE | 44 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 45 | | S1.2.A1 | Verify that an upgrade mechanism (e.g., proxy pattern) is implemented for the contract. | | ✓ | ✓ | | 46 | | S1.2.A2 | Ensure that the upgrade process includes safeguards against unauthorized upgrades. | | ✓ | ✓ | | 47 | | S1.2.A3 | Check that the upgrade mechanism is documented and reviewed for security. | | ✓ | ✓ | | 48 | | S1.2.A4 | Verify that immutable variables are consistent across implementations during proxy upgrades to prevent misuse. | | | ✓ | | 49 | | S1.2.A5 | Verify that `selfdestruct` and `delegatecall` in implementation contracts do not introduce vulnerabilities or unexpected behaviors in a proxy setup. | | | ✓ | | 50 | | S1.2.A6 | Verify that UUPSUpgradeable contracts are protected against vulnerabilities that may affect uninitialized implementation contracts, ensuring secure upgrade mechanisms. | | | ✓ | | 51 | 52 | ### S1.2.B Managing Deprecation 53 | 54 | | Ref | Requirement | L1 | L2 | L3 | SWE | 55 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 56 | | S1.2.B1 | Verify that deprecated contract versions are correctly marked and handled. | | | ✓ | | 57 | | S1.2.B2 | Ensure that access to deprecated versions is restricted or disabled. | | | ✓ | | 58 | | S1.2.B3 | Check that migration paths from deprecated versions to new versions are secure. | | | ✓ | | 59 | 60 | ### S1.2.C Transparent vs. Opaque Proxies 61 | 62 | | Ref | Requirement | L1 | L2 | L3 | SWE | 63 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 64 | | S1.2.C1 | Verify whether a transparent or opaque proxy pattern is used and its suitability for the contract. 
| | ✓ | ✓ | | 65 | | S1.2.C2 | Ensure that the proxy pattern is correctly implemented and does not introduce vulnerabilities. | | ✓ | ✓ | | 66 | | S1.2.C3 | Check that the proxy pattern’s choice is documented and justified. | | ✓ | ✓ | | 67 | | S1.2.C4 | Ensure that uninitialized contracts cannot be taken over by attackers and that initialization functions are secured with the correct modifiers. | | | ✓ | | 68 | | S1.2.C5 | Verify that `TransparentUpgradeableProxy` and similar proxy patterns handle selector clashes and non-decodable calldata correctly to maintain transparency. | | | ✓ | | 69 | 70 | ## S1.3 Threat Modeling 71 | 72 | ### Control Objective 73 | Identify, assess, and mitigate security threats for smart contract systems by implementing a thorough threat modeling process, ensuring that risks are minimized and protections are in place for critical contract features. 74 | ### Security Verification Requirements 75 | ### S1.3.A Identifying Threats 76 | 77 | | Ref | Requirement | L1 | L2 | L3 | SWE | 78 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 79 | | S1.3.A1 | Verify that potential threats are identified and documented. | ✓ | ✓ | ✓ | | 80 | | S1.3.A2 | Ensure that the threat identification process includes input from security experts. | | ✓ | ✓ | | 81 | | S1.3.A3 | Check that threats are categorized based on their impact and likelihood. | | ✓ | ✓ | | 82 | | S1.3.A4 | Implement protections against front-running in governor proposal creation to prevent attackers from blocking proposals or gaining undue advantages. | | | ✓ | | 83 | 84 | ### S1.3.B Assessing Risks 85 | 86 | | Ref | Requirement | L1 | L2 | L3 | SWE | 87 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 88 | | S1.3.B1 | Verify that risk assessments are performed for identified threats. 
| | ✓ | ✓ | | 89 | | S1.3.B2 | Ensure that risks are prioritized based on their potential impact and likelihood. | | ✓ | ✓ | | 90 | | S1.3.B3 | Check that risk assessment results are documented and reviewed. | | ✓ | ✓ | | 91 | 92 | ### S1.3.C Implementing Mitigations 93 | 94 | | Ref | Requirement | L1 | L2 | L3 | SWE | 95 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 96 | | S1.3.C1 | Verify that mitigations are implemented for high-priority risks. | | ✓ | ✓ | | 97 | | S1.3.C2 | Ensure that mitigation strategies are documented and tested. | | ✓ | ✓ | | 98 | | S1.3.C3 | Check that the effectiveness of implemented mitigations is reviewed and validated. | | ✓ | ✓ | | 99 | -------------------------------------------------------------------------------- /0.1/en/0x11-S2-Policies_Procedures_and_Code_Management.md: -------------------------------------------------------------------------------- 1 | # S2. Policies, Procedures, and Code Management 2 | 3 | ## Control Objective 4 | Ensure that development policies and procedures are in place to promote secure coding practices, thorough code reviews, and comprehensive testing. The aim is to prevent vulnerabilities and enhance the maintainability and clarity of smart contract code. 5 | 6 | ## S2.1 Development Policies 7 | 8 | ### Control Objective 9 | Establish and enforce secure coding standards and review processes to minimize vulnerabilities and ensure best practices are followed throughout the development lifecycle. 10 | 11 | ### S2.1.A Secure Coding Standards 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S2.1.A1 | Ensure that developers do not use outdated compiler versions and adhere to the latest compiler recommendations. | | ✓ | ✓ | | 16 | | S2.1.A2 | Verify that deprecated functions are not used in the code. 
| | ✓ | ✓ | | 17 | 18 | ### S2.1.B Code Review Processes 19 | 20 | | Ref | Requirement | L1 | L2 | L3 | SWE | 21 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 22 | | S2.1.B1 | Verify that all smart contract code changes are reviewed by at least two independent developers with expertise in smart contract security before merging to the main branch. | | ✓ | ✓ | | 23 | | S2.1.B2 | Ensure that code reviews of smart contracts involve automated static analysis tools specifically designed for smart contracts, and that all flagged issues are addressed or documented prior to merging. | | ✓ | ✓ | | 24 | | S2.1.B3 | Check that the code review process for smart contracts includes a thorough analysis for vulnerabilities such as reentrancy attacks, integer overflows, and improper access control. | | ✓ | ✓ | | 25 | | S2.1.B4 | Verify that code reviews include adherence to smart contract development standards, such as the use of safe math libraries and secure design patterns. | | ✓ | ✓ | | 26 | | S2.1.B5 | Ensure that code reviews incorporate a checklist of common smart contract vulnerabilities, and that each item on the list is addressed before code is approved. | | ✓ | ✓ | | 27 | 28 | ## S2.2 Code Clarity 29 | 30 | ### Control Objective 31 | Promote code clarity and maintainability through thorough documentation, logical structure, and adherence to consistent coding standards, enabling easier understanding and modification by developers. 32 | 33 | ### S2.2.A Readability and Documentation 34 | 35 | | Ref | Requirement | L1 | L2 | L3 | SWE | 36 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 37 | | S2.2.A1 | Ensure that all smart contract functions and critical code blocks are documented with clear comments that explain their purpose and logic. 
| | ✓ | ✓ | | 38 | | S2.2.A2 | Verify that the structure of the smart contract is logical and organized to facilitate understanding and modification by other developers. | | ✓ | ✓ | | 39 | | S2.2.A3 | Check that the smart contract documentation includes a high-level overview of its functionality, usage instructions, and any dependencies on other contracts or systems. | | ✓ | ✓ | | 40 | | S2.2.A4 | Ensure that smart contract code follows consistent naming conventions for variables, functions, and contract names to improve readability and maintainability. | | ✓ | ✓ | | 41 | 42 | ### S2.2.B Code Linting and Formatting Tools 43 | 44 | | Ref | Requirement | L1 | L2 | L3 | SWE | 45 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 46 | | S2.2.B1 | Ensure that a code linting tool specific to smart contracts is integrated into the development workflow to enforce coding standards and style guidelines. | | ✓ | ✓ | | 47 | | S2.2.B2 | Verify that all smart contract code passes linting checks without errors or warnings before being committed to the repository. | | ✓ | ✓ | | 48 | | S2.2.B3 | Check that code formatting tools are applied to maintain consistent indentation, spacing, and line breaks in smart contract code. | | ✓ | ✓ | | 49 | | S2.2.B4 | Ensure that the linting and formatting configurations are reviewed and updated regularly to reflect new best practices and emerging issues in smart contract development. | | ✓ | ✓ | | 50 | | S2.2.B5 | Verify that the linting and formatting tools are compatible with the development environment and do not introduce unintended changes to the smart contract code. | | ✓ | ✓ | | 51 | 52 | 53 | ## S2.3 Test Coverage 54 | 55 | ### Control Objective 56 | Ensure comprehensive test coverage for smart contracts, encompassing unit tests, integration tests, and security-specific tests, to identify vulnerabilities and maintain code quality throughout development. 
57 | 58 | ### S2.3.A Unit Tests, Integration Tests, Automated Testing 59 | 60 | | Ref | Requirement | L1 | L2 | L3 | SWE | 61 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 62 | | S2.3.A1 | Verify that all critical functions in the smart contract have comprehensive unit tests that cover both typical and edge cases. | | ✓ | ✓ | | 63 | | S2.3.A2 | Ensure that integration tests are implemented to validate the interactions between the smart contract and other contracts or external systems. | | ✓ | ✓ | | 64 | | S2.3.A3 | Check that automated tests are set up to run on each code commit to detect regressions and maintain continuous quality of the smart contract. | | ✓ | ✓ | | 65 | | S2.3.A4 | Verify that test coverage tools are used to monitor and achieve a high percentage of coverage for the smart contract code. | | ✓ | ✓ | | 66 | | S2.3.A5 | Ensure that the testing framework supports mocking and simulating external dependencies to effectively isolate and test specific functionalities of the smart contract. | | ✓ | ✓ | | 67 | 68 | ### S2.3.B Security-Specific Tests 69 | 70 | | Ref | Requirement | L1 | L2 | L3 | SWE | 71 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 72 | | S2.3.B1 | Verify that the test suite for the smart contract includes security-specific tests designed to identify vulnerabilities such as reentrancy, integer overflows, and improper access controls. | | ✓ | ✓ | | 73 | | S2.3.B2 | Ensure that the security tests validate proper implementation of access controls and permissions within the smart contract. | | ✓ | ✓ | | 74 | | S2.3.B3 | Check that fuzz testing is conducted to uncover unexpected behaviors and potential security issues under various input scenarios. 
| | ✓ | ✓ | | 75 | | S2.3.B4 | Verify that the smart contract's response to invalid inputs and edge cases is thoroughly tested to ensure robust security measures are in place. | | ✓ | ✓ | | 76 | -------------------------------------------------------------------------------- /0.1/en/0x12-S3-Business_Logic_and_Economic_Security.md: -------------------------------------------------------------------------------- 1 | # S3. Business Logic and Economic Security 2 | 3 | ## Control Objective 4 | Ensure that the smart contract's business logic and economic security are resilient against threats related to incentive structures, tokenomics, and logic vulnerabilities. Contracts should prevent abuse, misbehavior, or unexpected behaviors by implementing secure economic models, token handling, and transaction integrity. 5 | 6 | 7 | ## S3.1 Economic Models 8 | 9 | ### Control Objective 10 | Ensure that economic models, including incentive structures and tokenomics, are designed and implemented in a way that secures value and incentivizes proper behavior within the ecosystem. Contracts should handle fluctuating token values and avoid creating opportunities for exploitation. 11 | 12 | ### S3.1.A Incentive Structures 13 | 14 | | Ref | Requirement | L1 | L2 | L3 | SWE | 15 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 16 | | S3.1.A1 | Ensure that the withdrawal process implements a pull-based approach rather than a push-based one to track accounting and allow users to pull payments. | ✓ | ✓ | ✓ | | 17 | | S3.1.A2 | The rate of cbETH to ETH can decrease, impacting users who hold or interact with cbETH. Ensure mechanisms are in place to handle fluctuations in conversion rates. | | ✓ | ✓ | | 18 | | S3.1.A3 | Validators on the Ethereum 2.0 Beacon Chain can be penalized or slashed for misbehavior, which can affect the value of rETH. Ensure that these dynamics are considered in value assessments and interactions. 
| | ✓ | ✓ | | 19 | | S3.1.A4 | The conversion rate between ETH and rETH might change over time based on the rewards accrued from staking. Ensure that these fluctuations are properly managed and captured. | | ✓ | ✓ | | 20 | 21 | 22 | ## S3.2 Tokenomics 23 | 24 | ### Control Objective 25 | Ensure that tokens used within the smart contract ecosystem are securely implemented, including aspects such as value management, rebasing mechanisms, and reward systems. Contracts should prevent token vulnerabilities like double-spending, incorrect rewards, and improper fee handling. 26 | 27 | ### S3.2.A Economic Security of Tokens and Their Use Cases 28 | 29 | | Ref | Requirement | L1 | L2 | L3 | SWE | 30 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 31 | | S3.2.A1 | Ensure that Merkle trees do not contain duplicate proofs, as this can lead to vulnerabilities like double-spending. | | ✓ | ✓ | | 32 | | S3.2.A2 | Verify that DeFi protocols account for tokens with negative rebase mechanisms, ensuring that value changes and potential miscalculations are properly handled and mitigated. | | ✓ | ✓ | | 33 | | S3.2.A3 | Verify that reward claims are correctly implemented to ensure users receive their correct rewards. | | ✓ | ✓ | | 34 | | S3.2.A4 | Verify that tokens do not have vulnerabilities such as incorrect fee application or unexpected behavior due to token transfer issues. | | ✓ | ✓ | | 35 | | S3.2.A5 | Verify that all claimable addresses are included in the hashing process for Merkle tree leaves to prevent attackers from claiming funds they should not. | | ✓ | ✓ | | 36 | 37 | 38 | ## S3.3 Preventing Reentrancy and Logic Flaws 39 | 40 | ### Control Objective 41 | Ensure the smart contract's transaction flow and logic integrity are protected from reentrancy attacks and logic flaws. 
Contracts should implement robust control structures and security patterns to prevent reentrancy, handle complex flows, and ensure that state transitions are secure and symmetrical. 42 | 43 | ### S3.3.A Transaction Flow Security 44 | 45 | | Ref | Requirement | L1 | L2 | L3 | SWE | 46 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 47 | | S3.3.A1 | Check for edge cases in loop control structures to prevent unexpected behaviors due to break or continue statements. | | ✓ | ✓ | | 48 | | S3.3.A2 | Ensure that scenarios where sender and recipient are the same are considered to prevent unintended issues in smart contracts. | | ✓ | ✓ | | 49 | | S3.3.A3 | Ensure that the `nonReentrant` modifier is applied before other modifiers in functions to prevent reentrancy attacks. | | ✓ | ✓ | | 50 | | S3.3.A4 | Verify that the checks-effects-interactions pattern is implemented to prevent reentrancy attacks. | | ✓ | ✓ | | 51 | | S3.3.A5 | Ensure that function calls with arbitrary user input and low-level calls are handled securely to avoid introducing risks. | | ✓ | ✓ | | 52 | 53 | ### S3.3.B Function Integrity 54 | 55 | | Ref | Requirement | L1 | L2 | L3 | SWE | 56 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 57 | | S3.3.B1 | Ensure that functions intended to be unique per parameter set are not callable multiple times to prevent potential issues. | | ✓ | ✓ | | 58 | | S3.3.B2 | Verify that state changes in functions, such as withdraw and deposit, are symmetrically handled to avoid undesired behavior due to inconsistencies. | | ✓ | ✓ | | 59 | -------------------------------------------------------------------------------- /0.1/en/0x13-S4-Access-Control_and_Authentication.md: -------------------------------------------------------------------------------- 1 | # S4. 
Access Control and Authentication 2 | 3 | ## Control Objective 4 | Establish robust access control and authentication mechanisms to ensure that only authorized entities can perform sensitive operations within the smart contract. This includes implementing role-based access control (RBAC), secure authorization mechanisms, and decentralized identity management. 5 | 6 | ## S4.1 Role-Based Access Control (RBAC) 7 | 8 | ### Control Objective 9 | Implement role-based access control to manage permissions and ensure that only authorized users can access specific functions. This includes validating identities, applying the least privilege principle, and ensuring appropriate access controls are in place. 10 | 11 | ### S4.1.A Multi-Signature Schemes 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S4.1.A1 | Ensure that the visibility modifier for all functions is appropriate, preventing unnecessary exposure of internal functions. | | ✓ | ✓ | | 16 | 17 | ### S4.1.B Identity Verification 18 | 19 | | Ref | Requirement | L1 | L2 | L3 | SWE | 20 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 21 | | S4.1.B1 | Validate that unexpected addresses do not result in unintended behaviors, particularly when these addresses refer to contracts within the same protocol. | | ✓ | ✓ | | 22 | | S4.1.B2 | Verify that functions like ecrecover handle all potential null addresses properly to avoid vulnerabilities arising from unexpected ecrecover outputs. 
| | ✓ | ✓ | | 23 | 24 | ### S4.1.C Least Privilege Principle 25 | 26 | | Ref | Requirement | L1 | L2 | L3 | SWE | 27 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 28 | | S4.1.C1 | Use msg.sender instead of tx.origin for authorization to avoid potential abuse from malicious contracts; include checks like require(tx.origin == msg.sender) to ensure the sender is an EOA. | | ✓ | ✓ | | 29 | | S4.1.C2 | Certain addresses might be blocked or restricted from receiving tokens (e.g., LUSD). Ensure that address restrictions are properly managed and verified. | | ✓ | ✓ | | 30 | | S4.1.C3 | Ensure that Guard’s hooks (e.g., checkTransaction(), checkAfterExecution()) are executed to enforce critical security checks. | | ✓ | ✓ | | 31 | | S4.1.C4 | Ensure that access controls are implemented correctly to determine who can use certain functions, and avoid unauthorized changes or withdrawals. | | ✓ | ✓ | | 32 | 33 | 34 | ## S4.2 Authorization Mechanisms 35 | 36 | ### Control Objective 37 | Implement secure authorization mechanisms to safeguard critical functions and sensitive operations, ensuring only authorized entities can perform these actions. 38 | 39 | ### S4.2.A Secure Access to Critical Functions 40 | 41 | | Ref | Requirement | L1 | L2 | L3 | SWE | 42 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 43 | | S4.2.A1 | Verify that the contract uses msg.sender for authorization instead of tx.origin to avoid vulnerabilities related to contracts that forward calls from legitimate users. | | ✓ | ✓ | | 44 | | S4.2.A2 | Implement and verify appropriate access controls for functions that modify contract state or perform sensitive operations to prevent unauthorized access. 
| | ✓ | ✓ | | 45 | 46 | ### S4.2.B Timed Permissions 47 | 48 | | Ref | Requirement | L1 | L2 | L3 | SWE | 49 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 50 | | S4.2.B1 | Ensure that msg.sender validation is properly implemented when using Merkle trees to maintain security and prevent unauthorized access. | | ✓ | ✓ | | 51 | | S4.2.B2 | Use whitelisting to restrict interactions to a specific set of addresses, providing additional security against malicious actors. | | ✓ | ✓ | | 52 | | S4.2.B3 | Ensure that functions modifying the contract state or accessing sensitive operations have proper access controls implemented. | | ✓ | ✓ | | 53 | 54 | 55 | ## S4.3 Decentralized Identity 56 | 57 | ### Control Objective 58 | Implement decentralized identity solutions to ensure secure and reliable identity verification and management while maintaining user privacy. 59 | 60 | ### S4.3.A Decentralized Identifiers (DIDs) 61 | 62 | | Ref | Requirement | L1 | L2 | L3 | SWE | 63 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 64 | | S4.3.A1 | Verify that the smart contract for handling DIDs adheres to the latest standards and best practices for decentralized identity management. | | ✓ | ✓ | | 65 | | S4.3.A2 | Ensure that the DID management contract includes mechanisms to prevent unauthorized modifications and ensure the integrity of DID records. | | ✓ | ✓ | | 66 | | S4.3.A3 | Check that DID documents managed by the smart contract are securely stored and can be retrieved in a decentralized manner. | | ✓ | ✓ | | 67 | | S4.3.A4 | Verify that the smart contract supports reliable DID resolution and includes mechanisms for handling conflicts and updates. | | ✓ | ✓ | | 68 | | S4.3.A5 | Ensure that the smart contract maintains the privacy and confidentiality of DID-related information throughout its lifecycle. 
| | ✓ | ✓ | | 69 | 70 | ### S4.3.B Verifiable Credentials 71 | 72 | | Ref | Requirement | L1 | L2 | L3 | SWE | 73 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 74 | | S4.3.B1 | Verify that the smart contract manages verifiable credentials in a way that ensures their authenticity and integrity through cryptographic proofs. | | ✓ | ✓ | | 75 | | S4.3.B2 | Ensure that the issuance process of verifiable credentials by the smart contract includes proper identity verification and validation procedures. | | ✓ | ✓ | | 76 | | S4.3.B3 | Check that the smart contract supports cryptographic proofs to verify the validity of credentials without disclosing sensitive information. | | ✓ | ✓ | | 77 | | S4.3.B4 | Verify that the smart contract includes a secure process for revoking verifiable credentials when necessary. | | ✓ | ✓ | | 78 | | S4.3.B5 | Ensure that the smart contract’s handling of verifiable credentials complies with relevant standards and best practices for secure credential management. | | ✓ | ✓ | | 79 | -------------------------------------------------------------------------------- /0.1/en/0x14-S5-Secure-Interactions_and_Communications.md: -------------------------------------------------------------------------------- 1 | # S5. Secure Interactions and Communications 2 | 3 | ## Control Objective 4 | Establish secure interaction protocols for smart contracts to ensure safe communication between contracts, external oracles, and cross-chain integrations. This includes managing contract interactions, securing oracle integrations, handling cross-chain interactions, and ensuring the security of bridges. 5 | 6 | 7 | ## S5.1 Contract Interactions 8 | 9 | ### Control Objective 10 | Ensure that all interactions between contracts are secure, minimizing risks associated with external calls, maintaining a minimal trusted surface, and handling errors appropriately. 
11 | 12 | ### S5.1.A Secure Message Passing 13 | 14 | | Ref | Requirement | L1 | L2 | L3 | SWE | 15 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 16 | | S5.1.A1 | Ensure that calls to inherited functions from LzApp use recommended approaches (e.g., _lzSend) to avoid vulnerabilities associated with direct calls to lzEndpoint.send. | | ✓ | ✓ | | 17 | | S5.1.A2 | Ensure that when interacting with external contracts, the msg.sender remains consistent to avoid security issues related to unexpected changes in sender context. | | ✓ | ✓ | | 18 | | S5.1.A3 | Manage untrusted external contract calls to prevent unexpected results such as multiple withdrawals or out-of-order events. | | ✓ | ✓ | | 19 | | S5.1.A4 | Missing verification of interacting pools can introduce risks. Ensure that all pools are properly verified before interaction to prevent potential security issues. | | ✓ | ✓ | | 20 | | S5.1.A5 | Verify that the low-level .delegatecall() is properly managed, acknowledging that it converts the return value to a Boolean without providing the execution outcome. | | ✓ | ✓ | | 21 | 22 | ### S5.1.B Minimal Trusted Surface 23 | 24 | | Ref | Requirement | L1 | L2 | L3 | SWE | 25 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 26 | | S5.1.B1 | Verify that the smart contract minimizes its trusted surface by only interacting with other contracts and systems through well-defined and limited interfaces. | | ✓ | ✓ | | 27 | | S5.1.B2 | Ensure that the smart contract includes checks to validate the trustworthiness and authenticity of interacting parties before executing sensitive operations. | | ✓ | ✓ | | 28 | | S5.1.B3 | Check that the smart contract's interactions are designed to avoid dependencies on external data or contracts that could compromise security. 
| | ✓ | ✓ | | 29 | | S5.1.B4 | Verify that the contract handles failures or unexpected behaviors from external interactions gracefully to avoid cascading failures. | | ✓ | ✓ | | 30 | | S5.1.B5 | Ensure that interactions with other contracts are monitored and audited to detect and address any unusual or unauthorized activities. | | ✓ | ✓ | | 31 | 32 | 33 | ## S5.2 Oracle Integrations 34 | 35 | ### Control Objective 36 | Ensure that oracle integrations provide secure, reliable, and tamper-proof data feeds while maintaining data integrity and handling failures appropriately. 37 | 38 | ### S5.2.A Secure Data Feeds 39 | 40 | | Ref | Requirement | L1 | L2 | L3 | SWE | 41 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 42 | | S5.2.A1 | Verify that the smart contract uses oracles that provide secure and tamper-proof data feeds, including checks for data integrity and authenticity. | | ✓ | ✓ | | 43 | | S5.2.A2 | Ensure that the smart contract validates the data received from oracles to prevent malicious or incorrect data from affecting contract operations. | | ✓ | ✓ | | 44 | | S5.2.A3 | Check that the smart contract includes fallback mechanisms in case of oracle failure or unreliable data. | | ✓ | ✓ | | 45 | | S5.2.A4 | Verify that the integration with oracles follows best practices for data security, including encryption and secure communication channels. | | ✓ | ✓ | | 46 | | S5.2.A5 | Ensure that the smart contract's oracle integration is designed to handle any potential discrepancies or conflicts in data from multiple sources. 
| | ✓ | ✓ | | 47 | 48 | ### S5.2.B Decentralized Oracles 49 | 50 | | Ref | Requirement | L1 | L2 | L3 | SWE | 51 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 52 | | S5.2.B1 | Verify that the smart contract uses decentralized oracles to enhance data reliability and prevent single points of failure or manipulation. | | ✓ | ✓ | | 53 | | S5.2.B2 | Ensure that the smart contract includes mechanisms to validate the consensus or majority opinion of decentralized oracles before taking actions based on their data. | | ✓ | ✓ | | 54 | | S5.2.B3 | Check that the smart contract accounts for potential latency or delays in data from decentralized oracles to maintain operational reliability. | | ✓ | ✓ | | 55 | | S5.2.B4 | Verify that the smart contract includes checks to prevent manipulation or collusion among decentralized oracles. | | ✓ | ✓ | | 56 | | S5.2.B5 | Ensure that the decentralized oracle integration adheres to standards for security and reliability in multi-oracle environments. | | ✓ | ✓ | | 57 | 58 | 59 | ## S5.3 Cross-Chain Interactions 60 | 61 | ### Control Objective 62 | Ensure secure handling of external calls and atomic swaps during cross-chain interactions to maintain operational reliability and prevent fraud. 63 | 64 | ### S5.3.A Handling External Calls Securely 65 | 66 | | Ref | Requirement | L1 | L2 | L3 | SWE | 67 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 68 | | S5.3.A1 | Ensure that parameters for Chainlink VRF (Verifiable Random Function) are thoroughly validated to prevent the fulfillRandomWords function from returning incorrect values instead of reverting. | | ✓ | ✓ | | 69 | | S5.3.A2 | Implement robust security checks for cross-chain messaging to ensure correct permissions and intended functionality. 
| | ✓ | ✓ | | 70 | | S5.3.A3 | Verify that contracts created using the CREATE opcode handle block reorganizations securely to prevent unexpected eliminations. | | ✓ | ✓ | | 71 | | S5.3.A4 | Ensure robust cross-chain messaging security checks to prevent replay attacks where signatures valid on one chain might be exploited on another. | | ✓ | ✓ | | 72 | 73 | ### S5.3.B Atomic Swaps 74 | 75 | | Ref | Requirement | L1 | L2 | L3 | SWE | 76 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 77 | | S5.3.B1 | Verify that the smart contract supports atomic swaps with robust mechanisms to ensure that swaps are completed successfully or not executed at all. | | ✓ | ✓ | | 78 | | S5.3.B2 | Ensure that the smart contract includes checks to validate the atomic swap conditions and prevent partial or fraudulent swaps. | | ✓ | ✓ | | 79 | | S5.3.B3 | Check that the smart contract handles potential failures or disputes in atomic swaps securely and fairly. | | ✓ | ✓ | | 80 | | S5.3.B4 | Verify that the atomic swap functionality is tested thoroughly to cover various scenarios and edge cases. | | ✓ | ✓ | | 81 | 82 | ## S5.4 Bridges 83 | 84 | ### Control Objective 85 | Ensure the security of cross-chain transactions by implementing robust validation and verification mechanisms to prevent fraud and maintain data integrity. 86 | 87 | ### S5.4.A Cross-Chain Transaction Security 88 | 89 | | Ref | Requirement | L1 | L2 | L3 | SWE | 90 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 91 | | S5.4.A1 | Verify that the smart contract for cross-chain transactions includes robust mechanisms for verifying and validating transactions across different chains. | | ✓ | ✓ | | 92 | | S5.4.A2 | Ensure that the smart contract prevents double-spending and replay attacks in cross-chain transactions by implementing appropriate security checks. 
| | ✓ | ✓ | | 93 | | S5.4.A3 | Check that the cross-chain transaction contract handles communication and data integrity securely between different blockchain networks. | | ✓ | ✓ | | 94 | | S5.4.A4 | Verify that the smart contract includes fallback and recovery mechanisms for handling failures or inconsistencies in cross-chain transactions. | | ✓ | ✓ | | 95 | -------------------------------------------------------------------------------- /0.1/en/0x15-S6-Cryptographic-Practices.md: -------------------------------------------------------------------------------- 1 | # S6. Cryptographic Practices 2 | 3 | ## Control Objective 4 | Establish secure cryptographic practices for managing keys, verifying signatures, and generating random numbers to protect the integrity and authenticity of transactions and data within smart contracts. 5 | 6 | ## S6.1 Key Management 7 | 8 | ### Control Objective 9 | Ensure secure handling and storage of private keys and implement robust signature verification processes to prevent unauthorized access and actions. 10 | 11 | ### S6.1.A Secure Handling and Storage of Private Keys 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S6.1.A1 | Verify that the ecrecover() function handles malformed inputs correctly and does not return invalid data. | | ✓ | ✓ | | 16 | | S6.1.A2 | Ensure that signature verification mechanisms are robust against signature malleability and replay attacks, particularly by using nonces or hashed messages rather than relying solely on the signature itself. | | ✓ | ✓ | | 17 | | S6.1.A3 | Verify that SignatureChecker.isValidSignatureNow handles edge cases properly and does not revert unexpectedly, considering the ABI decoding issues introduced in Solidity 0.8. 
| | ✓ | ✓ | | 18 | | S6.1.A4 | Ensure that all signatures are checked thoroughly to prevent unauthorized transactions or actions due to weak or improperly managed signature validation. | | ✓ | ✓ | | 19 | | S6.1.A5 | Validate that signature protection mechanisms are up-to-date and resistant to signature malleability attacks by avoiding outdated libraries and practices. | | ✓ | ✓ | | 20 | 21 | ### S6.1.B Multi-Signature Wallets 22 | 23 | | Ref | Requirement | L1 | L2 | L3 | SWE | 24 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 25 | | S6.1.B1 | Verify that multi-signature wallets require a predefined number of signatures before executing any transaction. | | ✓ | ✓ | | 26 | | S6.1.B2 | Ensure that the multi-signature wallet logic is resistant to replay attacks. | | ✓ | ✓ | | 27 | | S6.1.B3 | Verify that the process of adding or removing signatories from the multi-signature wallet is secure and controlled. | | ✓ | ✓ | | 28 | 29 | 30 | ## S6.2 Signature Verification 31 | 32 | ### Control Objective 33 | Implement cryptographic techniques that ensure the secure verification of signatures and compliance with standards to maintain the integrity of authenticated transactions. 34 | 35 | ### S6.2.A Cryptographic Techniques for Authentication 36 | 37 | | Ref | Requirement | L1 | L2 | L3 | SWE | 38 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 39 | | S6.2.A1 | Ensure that cryptographic algorithms used for signature verification are secure and follow best practices. 
| | ✓ | ✓ | | 40 | 41 | ### S6.2.B Standard Compliance (e.g., EIP-712) 42 | 43 | | Ref | Requirement | L1 | L2 | L3 | SWE | 44 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 45 | | S6.2.B1 | Verify that ECDSA signature handling functions, such as ECDSA.recover and ECDSA.tryRecover, properly manage signature formats to prevent signature malleability, especially when handling both traditional 65-byte and EIP-2098 compact signatures. | | ✓ | ✓ | | 46 | 47 | ## S6.3 Secure Random Number Generation 48 | 49 | ### Control Objective 50 | Implement best practices for secure random number generation to ensure unpredictability and resistance against manipulation. 51 | 52 | ### S6.3.A Best Practices for Randomness 53 | 54 | | Ref | Requirement | L1 | L2 | L3 | SWE | 55 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 56 | | S6.3.A1 | Ensure that random number generation follows best practices and uses secure sources of entropy. | | ✓ | ✓ | | 57 | | S6.3.A2 | Verify that any random number generation is resistant to manipulation and prediction. | | ✓ | ✓ | | 58 | -------------------------------------------------------------------------------- /0.1/en/0x16-S7-Arithmetic_and_Logic-Security.md: -------------------------------------------------------------------------------- 1 | # S7. Arithmetic and Logic Security 2 | 3 | ## Control Objective 4 | Establish secure arithmetic and logic practices to prevent vulnerabilities such as overflow/underflow and ensure the integrity of calculations within smart contracts. 5 | 6 | 7 | ## S7.1 Preventing Overflow/Underflow 8 | 9 | ### Control Objective 10 | Implement safe arithmetic practices to prevent overflow and underflow vulnerabilities that can compromise contract functionality and security. 
11 | 12 | ### S7.1.A Use of Safe Math Libraries 13 | 14 | | Ref | Requirement | L1 | L2 | L3 | SWE | 15 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 16 | | S7.1.A1 | Verify that explicit type casting does not lead to overflow or underflow issues. | | ✓ | ✓ | | 17 | | S7.1.A2 | Verify that integer arithmetic operations do not exceed their bounds to prevent integer overflow or underflow vulnerabilities. | | ✓ | ✓ | | 18 | | S7.1.A3 | Ensure that operations involving time units and other expressions handle potential overflows correctly. | | ✓ | ✓ | | 19 | | S7.1.A4 | Verify that division by zero is correctly handled and causes a transaction revert to prevent unexpected behavior. | | ✓ | ✓ | | 20 | | S7.1.A5 | Ensure that variables are managed within their bounds to prevent reverts due to exceeding limits. | | ✓ | ✓ | | 21 | | S7.1.A6 | Ensure that arithmetic operations within the unchecked{} block are carefully managed to prevent unintentional overflow or underflow. | | ✓ | ✓ | | 22 | | S7.1.A7 | Confirm that inline assembly operations handle division by zero and overflow/underflow according to desired behavior and revert appropriately. | | ✓ | ✓ | | 23 | | S7.1.A8 | Implement checks to handle cases where operations might introduce unintended precision issues or rounding errors. | | ✓ | ✓ | | 24 | 25 | ### S7.1.B Fixed-Point Arithmetic 26 | 27 | | Ref | Requirement | L1 | L2 | L3 | SWE | 28 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 29 | | S7.1.B1 | Verify that fixed-point arithmetic operations are performed safely to prevent overflow, underflow, and precision loss. | | ✓ | ✓ | | 30 | 31 | 32 | ## S7.2 Arithmetic Integrity 33 | 34 | ### Control Objective 35 | Ensure that all calculations and logical operations within the smart contract are performed correctly to maintain data integrity and prevent manipulation. 
36 | 37 | ### S7.2.A Secure Calculations and Logic 38 | 39 | | Ref | Requirement | L1 | L2 | L3 | SWE | 40 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 41 | | S7.2.A1 | Ensure that price or rate calculations derived from asset balances are protected from manipulation, considering attack vectors like flash loans and donations. | | ✓ | ✓ | | 42 | | S7.2.A2 | Ensure that the use of structs and arrays does not lead to data corruption or incorrect values due to storage encoding issues. | | ✓ | ✓ | | 43 | | S7.2.A3 | Avoid operations that could lead to unintended data type conversions or precision loss by ensuring arithmetic operations are performed correctly. | | ✓ | ✓ | | 44 | | S7.2.A4 | Enforce a minimum transaction amount to prevent attackers from clogging the network with zero amount or dust transactions. | | ✓ | ✓ | | 45 | | S7.2.A5 | Validate that financial operations respect associative properties, ensuring consistent outcomes whether operations are performed in aggregate or iteratively. | | ✓ | ✓ | | 46 | | S7.2.A6 | Implement proper rounding direction for calculations where accounting relies on user shares to avoid inaccuracies. | | ✓ | ✓ | | 47 | | S7.2.A7 | Validate that inequalities and comparisons are correctly implemented to handle edge values appropriately. | | ✓ | ✓ | | 48 | | S7.2.A8 | Ensure that abi.decode adheres to the type limits to avoid reverts due to overflow of target types. | | ✓ | ✓ | | 49 | | S7.2.A9 | Ensure that logical operators such as `==`, `!=`, `&&`, `||`, and `!` are used correctly, especially when test coverage may be limited. 
| | ✓ | ✓ | | 50 | 51 | 52 | ### S7.2.B Precondition and Postcondition Checks 53 | 54 | | Ref | Requirement | L1 | L2 | L3 | SWE | 55 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 56 | | S7.2.B1 | Ensure that multiplication is performed before division so that integer division does not truncate intermediate results, and verify that the intermediate product cannot overflow (use a full-precision `mulDiv`-style helper when the operands can be large). | | ✓ | ✓ | | 57 | | S7.2.B2 | Ensure that the number of block confirmations required before an off-chain component acts on an observed transaction or request is high enough to mitigate risks associated with chain re-orgs. | | ✓ | ✓ | | 58 | | S7.2.B3 | Verify that off-by-one errors are avoided in loops and iterations, ensuring correct handling of list lengths and indexing. | | ✓ | ✓ | | 59 | | S7.2.B4 | Verify that unsigned integers are not used to represent negative values, as this can lead to erroneous behavior. | | ✓ | ✓ | | 60 | | S7.2.B5 | Verify that calculations with multiple terms handle all possible edge cases for min/max values to avoid errors. | | ✓ | ✓ | | 61 | -------------------------------------------------------------------------------- /0.1/en/0x17-S8-Denial-of-Service-DoS.md: -------------------------------------------------------------------------------- 1 | # S8. Denial of Service (DoS) 2 | 3 | ## Control Objective 4 | Establish practices and mechanisms to prevent Denial of Service (DoS) attacks that can disrupt contract functionality and availability. 5 | 6 | 7 | ## S8.1 Gas Limits 8 | 9 | ### Control Objective 10 | Ensure that contract design and function implementations are efficient in gas usage to mitigate risks associated with out-of-gas errors and related vulnerabilities. 11 | 12 | ### S8.1.A Efficient Loop and Function Design 13 | 14 | | Ref | Requirement | L1 | L2 | L3 | SWE | 15 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 16 | | S8.1.A1 | Ensure that contracts are protected against insufficient gas griefing attacks by carefully managing gas consumption in critical functions; a typical case is a relayer or forwarder that supplies just enough gas for the outer call to succeed while an inner sub-call runs out of gas and the request is nevertheless recorded as processed. Where a sub-call must complete, check `gasleft()` against the amount it needs before making the call, keeping in mind that a call can forward at most 63/64 of the remaining gas. 
| | ✓ | ✓ | | 17 | | S8.1.A2 | Ensure that systems like the RocketDepositPool contract handle failures in functions like burn() gracefully. | | ✓ | ✓ | | 18 | | S8.1.A3 | Verify that gas usage in functions and loops is efficient to avoid out-of-gas errors. | | ✓ | ✓ | | 19 | | S8.1.A4 | Implement mechanisms to prevent denial of service attacks due to block gas limits, ensuring that transactions or operations do not exceed the gas limit constraints. | | ✓ | ✓ | | 20 | 21 | ### S8.1.B Fallback Mechanisms 22 | 23 | | Ref | Requirement | L1 | L2 | L3 | SWE | 24 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 25 | | S8.1.B1 | Ensure that try/catch blocks are provided with adequate gas to avoid failures and unexpected behavior in case of errors. | | ✓ | ✓ | | 26 | 27 | 28 | ## S8.2 Resilience Against Resource Exhaustion 29 | 30 | ### Control Objective 31 | Implement strategies to protect contracts from resource exhaustion attacks that can lead to DoS scenarios. 32 | 33 | ### S8.2.A Rate Limiting 34 | 35 | | Ref | Requirement | L1 | L2 | L3 | SWE | 36 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 37 | | S8.2.A1 | Avoid using blocking mechanisms that could lead to a Denial-of-Service (DoS) attack. | | ✓ | ✓ | | 38 | | S8.2.A2 | Protect against potential DoS in functions like supportsERC165InterfaceUnchecked() by handling excessive data queries efficiently. | | ✓ | ✓ | | 39 | | S8.2.A3 | Ensure that assertions do not lead to denial of service or unexpected contract reverts, especially in scenarios where conditions are not met. | | ✓ | ✓ | | 40 | | S8.2.A4 | Verify that return values from external function calls are checked to prevent issues related to unchecked return values, which could lead to unexpected behavior. 
| | ✓ | ✓ | | 41 | | S8.2.A5 | Ensure that contract functions are protected against denial of service due to unexpected reverts by handling all possible error conditions appropriately. | | ✓ | ✓ | | 42 | | S8.2.A6 | Ensure that functions such as supportsERC165InterfaceUnchecked() in ERC165Checker.sol handle large data queries efficiently to avoid excessive resource consumption. | | ✓ | ✓ | | 43 | -------------------------------------------------------------------------------- /0.1/en/0x18-S9-Blockchain-Data_and-State-Management.md: -------------------------------------------------------------------------------- 1 | # S9. Blockchain Data and State Management 2 | 3 | ## Control Objective 4 | Establish practices for effective management of blockchain data and state to ensure security, efficiency, and integrity of contract interactions. 5 | 6 | ## S9.1 State Management 7 | 8 | ### Control Objective 9 | Ensure efficient and secure handling of state within smart contracts to prevent data corruption and unexpected behavior. 10 | 11 | ### S9.1.A Efficient and Secure State Handling 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S9.1.A1 | Ensure that payable functions in contracts handle all ETH passed in msg.value and provide a mechanism for withdrawal to avoid ETH being locked in the contract. | | ✓ | ✓ | | 16 | | S9.1.A2 | Verify that deleting a variable of a nested structure correctly resets all nested level fields to default values to avoid unexpected behavior. | | ✓ | ✓ | | 17 | | S9.1.A3 | Verify that storage structs and arrays with types shorter than 32 bytes are handled correctly, avoiding data corruption when encoded directly from storage using the experimental ABIEncoderV2. 
| | ✓ | ✓ | | 18 | | S9.1.A4 | Verify that storage arrays containing structs or other statically-sized arrays are properly read and encoded in external function calls to prevent data corruption. | | ✓ | ✓ | | 19 | | S9.1.A5 | Ensure that copying bytes arrays from memory or calldata to storage handles empty arrays correctly, avoiding data corruption when the target array's length is increased subsequently without storing new data. | | ✓ | ✓ | | 20 | 21 | ### S9.1.B State Channels 22 | 23 | | Ref | Requirement | L1 | L2 | L3 | SWE | 24 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 25 | | S9.1.B1 | Verify that state updates are written back to storage when working with `memory` copies of storage variables, since modifications made to a memory copy do not affect the global state and are silently lost when the function returns. | | ✓ | ✓ | | 26 | 27 | 28 | ## S9.2 Data Privacy 29 | 30 | ### Control Objective 31 | Ensure that sensitive data within contracts is secured and that privacy measures are effectively implemented. 32 | 33 | ### S9.2.A Ensuring Sensitive Data is Secure 34 | 35 | | Ref | Requirement | L1 | L2 | L3 | SWE | 36 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 37 | | S9.2.A1 | Ensure that data declared `private` or `internal` in contracts is not treated as confidential: these visibility modifiers only restrict access from other contracts, while the underlying storage slots, transaction calldata and event data are readable by anyone through blockchain analysis (e.g. `eth_getStorageAt` or inspecting the transaction that set the value). Keep genuinely sensitive values off-chain, or protect them cryptographically (commitments, encryption under keys held off-chain) before they reach the chain. | | ✓ | ✓ | | 38 | 39 | ### S9.2.B Zero-Knowledge Proofs 40 | 41 | | Ref | Requirement | L1 | L2 | L3 | SWE | 42 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 43 | | S9.2.B1 | Verify that zero-knowledge proofs are implemented to ensure privacy without revealing any underlying data. | | ✓ | ✓ | | 44 | | S9.2.B2 | Validate the correctness of proof generation and verification processes, including that the on-chain verifier checks every public input against the expected values and that an accepted proof cannot be replayed, to prevent any potential leaks or exploits. 
| | ✓ | ✓ | | 45 | | S9.2.B3 | Ensure that zero-knowledge proofs are integrated seamlessly with the blockchain to maintain performance and security. | | ✓ | ✓ | | 46 | 47 | ### S9.2.C Private Transactions 48 | 49 | | Ref | Requirement | L1 | L2 | L3 | SWE | 50 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 51 | | S9.2.C1 | Verify that private transaction mechanisms (e.g., zk-SNARKs, zk-STARKs) are correctly implemented to ensure confidentiality of transaction details. | | ✓ | ✓ | | 52 | | S9.2.C2 | Ensure that private transactions maintain the integrity and validity of the blockchain. | | ✓ | ✓ | | 53 | 54 | ### S9.2.D Confidential Contracts 55 | 56 | | Ref | Requirement | L1 | L2 | L3 | SWE | 57 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 58 | | S9.2.D1 | Verify that confidential contracts use cryptographic techniques to hide contract state and execution details from unauthorized parties. | | ✓ | ✓ | | 59 | | S9.2.D2 | Ensure that only parties with appropriate permissions can access data within confidential contracts. | | ✓ | ✓ | | 60 | 61 | ## S9.3 Event Logging 62 | 63 | ### Control Objective 64 | Implement transparent and secure logging practices to ensure traceability and detect unauthorized changes. 65 | 66 | ### S9.3.A Transparent and Secure Logging Practices 67 | 68 | | Ref | Requirement | L1 | L2 | L3 | SWE | 69 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 70 | | S9.3.A1 | Verify that events are emitted properly, especially for critical changes to ensure traceability and transparency. | | ✓ | ✓ | | 71 | | S9.3.A2 | Verify that the contract’s event logging correctly reflects critical changes to ensure transparency and traceability. 
| | ✓ | ✓ | | 72 | 73 | ### S9.3.B Log Analysis 74 | 75 | | Ref | Requirement | L1 | L2 | L3 | SWE | 76 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 77 | | S9.3.B1 | Implement tools and processes for analyzing event logs to detect anomalies or unauthorized changes. | | ✓ | ✓ | | 78 | | S9.3.B2 | Set up alerts for unusual patterns or discrepancies in logged events. | | ✓ | ✓ | | 79 | 80 | 81 | ## S9.4 Decentralized Storage 82 | 83 | ### Control Objective 84 | Ensure data integrity, security, and availability for data stored in decentralized storage solutions. 85 | 86 | ### S9.4.A IPFS, Arweave 87 | 88 | | Ref | Requirement | L1 | L2 | L3 | SWE | 89 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 90 | | S9.4.A1 | Ensure that sensitive data stored on public, content-addressed platforms like IPFS or Arweave is encrypted before upload and that access is controlled through key management off-platform, since anyone who learns the content identifier can retrieve the stored bytes and the platforms themselves provide no access control. | | ✓ | ✓ | | 91 | | S9.4.A2 | Implement mechanisms for data redundancy and backup (e.g. pinning content on several independent nodes or services) to ensure data availability, since content that is no longer pinned can disappear from IPFS. | | ✓ | ✓ | | 92 | -------------------------------------------------------------------------------- /0.1/en/0x19-S10-Gas-Usage-Efficiency_and-limitations.md: -------------------------------------------------------------------------------- 1 | # S10. Gas Usage, Efficiency, and Limitations 2 | 3 | ## Control Objective 4 | Establish practices for optimizing gas usage and efficiency in smart contracts to minimize costs and enhance performance. 5 | 6 | ## S10.1 Optimizing Gas Usage 7 | 8 | ### Control Objective 9 | Ensure gas consumption is minimized to promote cost-effective execution of smart contracts. 
10 | 11 | ### S10.1.A Understanding Gas Costs and Limits 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S10.1.A1 | Implement best practices for optimizing gas consumption to ensure cost-effective and efficient contract execution. | | ✓ | ✓ | | 16 | 17 | ### S10.1.B Gas Estimation Tools 18 | 19 | | Ref | Requirement | L1 | L2 | L3 | SWE | 20 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 21 | | S10.1.B1 | Verify that transaction confirmation numbers are chosen appropriately to mitigate risks related to chain re-orgs and ensure reliable contract operation. | | ✓ | ✓ | | 22 | 23 | 24 | ## S10.2 Efficient Contract Design 25 | 26 | ### Control Objective 27 | Design contracts efficiently to enhance performance and reduce gas costs through optimal architecture. 28 | 29 | ### S10.2.A Layer 2 Solutions 30 | 31 | | Ref | Requirement | L1 | L2 | L3 | SWE | 32 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 33 | | S10.2.A1 | Explore and integrate Layer 2 scaling solutions (e.g., rollups, state channels) to improve transaction throughput and reduce gas costs. | | ✓ | ✓ | | 34 | | S10.2.A2 | Verify the security and reliability of Layer 2 solutions before integration. | | ✓ | ✓ | | 35 | -------------------------------------------------------------------------------- /0.1/en/0x20-S11-Component-Specific-Security.md: -------------------------------------------------------------------------------- 1 | # S11. Component-Specific Security 2 | 3 | ## Control Objective 4 | Establish security practices and standards for various blockchain components to mitigate specific vulnerabilities associated with tokens, NFTs, vaults, and liquidity pools. 
5 | 6 | ## S11.1 Tokens (ERC20, ERC721, ERC1155) 7 | 8 | ### Control Objective 9 | Ensure secure implementation and management of token standards to prevent vulnerabilities. 10 | 11 | ### S11.1.A Secure Implementation and Management 12 | 13 | | Ref | Requirement | L1 | L2 | L3 | SWE | 14 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 15 | | S11.1.A1 | Verify that the totalSupply value is consistent during token minting operations, ensuring that callbacks (e.g. the ERC721/ERC1155 receiver hooks or ERC777-style hooks, which hand control to the recipient before the mint completes) do not result in incorrect values. | | ✓ | ✓ | | 16 | | S11.1.A2 | Some tokens have multiple addresses associated with them (double-entry-point tokens, where two contract addresses operate on the same balances), which can introduce vulnerabilities: an allowlist, balance snapshot or rescue function that is keyed on one address can be bypassed through the other. Ensure all token addresses are managed and verified securely to avoid related risks. | | ✓ | ✓ | | 17 | | S11.1.A3 | Verify that tokens handle zero amount transfers properly to prevent issues in integrations and operations. | | ✓ | ✓ | | 18 | | S11.1.A4 | Verify that tokens handle zero amount transfers properly to prevent issues in integrations and operations. | | ✓ | ✓ | | 19 | | S11.1.A5 | Some tokens revert on the transfer of a zero amount, which can cause issues in certain integrations and operations. Ensure compatibility with such tokens to avoid integration problems. | | ✓ | ✓ | | 20 | | S11.1.A6 | Not all ERC20 tokens comply with the EIP20 standard; some do not return a boolean flag at all, and some return `false` instead of reverting on failure. Verify that integrations tolerate both behaviors (for example through a SafeERC20-style wrapper that treats a missing return value as success and a returned `false` as failure) rather than assuming the return value is always present and reliable, to avoid compatibility issues. | | ✓ | ✓ | | 21 | 22 | 23 | ## S11.2 NFT Security 24 | 25 | ### Control Objective 26 | Implement best practices for non-fungible tokens to safeguard against vulnerabilities. 
27 | 28 | ### S11.2.A Best Practices for Non-Fungible Tokens 29 | 30 | | Ref | Requirement | L1 | L2 | L3 | SWE | 31 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 32 | | S11.2.A1 | Implement standards and best practices for NFT creation, management, and transfer to prevent common vulnerabilities. | | ✓ | ✓ | | 33 | | S11.2.A2 | Ensure proper metadata integrity and prevent unauthorized minting or transfers. | | ✓ | ✓ | | 34 | | S11.2.A3 | Safeguard against potential exploits related to royalty payments or token burns. | | ✓ | ✓ | | 35 | 36 | 37 | ## S11.3 Vaults 38 | 39 | ### Control Objective 40 | Ensure secure asset storage and management within vault systems. 41 | 42 | ### S11.3.A Secure Asset Storage and Management 43 | 44 | | Ref | Requirement | L1 | L2 | L3 | SWE | 45 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 46 | | S11.3.A1 | Address potential overhead issues associated with withdrawing stETH or wstETH, including queue times and withdrawal limits, to ensure smooth operations. | | ✓ | ✓ | | 47 | | S11.3.A2 | Handle conversions between stETH and wstETH carefully to avoid potential issues due to the rebasing nature of stETH. | | ✓ | ✓ | | 48 | 49 | 50 | ## S11.4 Liquid Staking 51 | 52 | ### Control Objective 53 | Ensure secure staking mechanisms to protect users' assets. 54 | 55 | ### S11.4.A Secure Staking Mechanisms 56 | 57 | | Ref | Requirement | L1 | L2 | L3 | SWE | 58 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 59 | | S11.4.A1 | Verify that mechanisms for detaching sfrxETH from frxETH are robust to prevent discrepancies and ensure accurate reward transfers, particularly when controlled by centralized entities. 
| | ✓ | ✓ | | 60 | | S11.4.A2 | Monitor potential future changes in the sfrxETH/ETH rate and ensure users are adequately forewarned to mitigate risks associated with rate fluctuations. | | ✓ | ✓ | | 61 | 62 | 63 | ## S11.5 Liquidity Pools (AMMs) 64 | 65 | ### Control Objective 66 | Establish security measures in automated market makers. 67 | 68 | ### S11.5.A Security in Automated Market Makers 69 | 70 | | Ref | Requirement | L1 | L2 | L3 | SWE | 71 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 72 | | S11.5.A1 | [WIP/Will be removed] | | | | | 73 | 74 | 75 | 76 | ## S11.6 Uniswap V4 Hook 77 | 78 | ### Control Objective 79 | Ensure secure integration and customization of Uniswap components. 80 | 81 | ### S11.6.A Secure Integration and Customization 82 | 83 | | Ref | Requirement | L1 | L2 | L3 | SWE | 84 | | ------------ | --------------------------------------------------------------------------- | -- | -- | -- | --- | 85 | | S11.6.A1 | Verify the correct usage of Uniswap’s TickMath and FullMath libraries to ensure proper handling of unchecked arithmetic operations, adhering to version-specific Solidity considerations. | | ✓ | ✓ | | 86 | -------------------------------------------------------------------------------- /0.1/en/0x90-Appendix-A_Glossary.md: -------------------------------------------------------------------------------- 1 | # Appendix A: Glossary 2 | 3 | * **Access Control** – Mechanisms that restrict access to a system, application, or data to authorized users or entities. In smart contracts, access control is crucial for ensuring that only permitted users can perform sensitive actions. 4 | 5 | * **Arithmetic Operations** – Basic mathematical operations (addition, subtraction, multiplication, division) performed in smart contracts. Proper handling of these operations is vital to prevent overflow and underflow vulnerabilities. 
6 | 7 | * **Audit** – A systematic examination of smart contracts to evaluate their security, functionality, and compliance with specified requirements. Audits help identify vulnerabilities and ensure adherence to best practices. 8 | 9 | * **Bytecode** – The low-level code generated from Solidity (or other high-level languages) that is executed on the Ethereum Virtual Machine (EVM). Understanding bytecode is essential for analyzing contract behavior. 10 | 11 | * **Denial of Service (DoS)** – An attack aimed at making a smart contract or service unavailable to its intended users, often by consuming excessive resources or exploiting vulnerabilities to cause failures in execution. 12 | 13 | * **Fallback Function** – A default function in a smart contract that is executed when a call does not match any function selector. Since Solidity 0.6, plain Ether transfers with empty calldata are handled by the separate `receive()` function and reach `fallback()` only when no `receive()` is defined. Proper design of fallback functions is important to prevent security issues, since an over-permissive fallback (one that silently accepts Ether or forwards arbitrary calls) is a common source of locked funds and unintended behavior. 14 | 15 | * **Gas** – A unit that measures the computational work required to execute operations on the Ethereum blockchain. Gas fees compensate block producers (miners under proof-of-work, validators under proof-of-stake) and limit the complexity of transactions. 16 | 17 | * **Gas Limit** – The maximum number of gas units a transaction is allowed to consume, set by the sender. Unused gas is refunded, while a transaction that runs out of gas has its state changes reverted but still pays for the gas consumed. It is distinct from the gas price (the cost per unit, which is what affects the transaction's likelihood of being included in a block) and from the block gas limit, which caps the total gas of all transactions in a block. 18 | 19 | * **Layer 2 Solutions** – Technologies built on top of existing blockchains to enhance scalability and reduce transaction costs. Examples include state channels and rollups, which alleviate congestion on the main chain. 20 | 21 | * **Minting** – The process of creating new tokens or assets and assigning them to a specified address. This operation must be carefully managed to ensure compliance with token standards. 22 | 23 | * **Non-Fungible Token (NFT)** – A unique digital asset that represents ownership of a specific item or piece of content, distinguished by its distinct characteristics, making it irreplaceable. 
24 | 25 | * **Overflows and Underflows** – Vulnerabilities that occur when arithmetic operations exceed the maximum or minimum value of a data type, leading to unexpected behavior. Safe math libraries help prevent these issues; since Solidity 0.8.0 checked arithmetic is the default and reverts on overflow, but arithmetic inside `unchecked {}` blocks, inline assembly and explicit conversions to a smaller integer type still wrap or truncate silently. 26 | 27 | * **Reentrancy** – A vulnerability where a function makes an external call to another contract before it has finished updating its own state, allowing the called contract to call back into the first contract (directly, through another function of the same contract, or via a third contract) while that state is still inconsistent. The checks-effects-interactions pattern and reentrancy guards are the standard mitigations. 28 | 29 | * **Security Audit** – A comprehensive review and evaluation of a smart contract’s code to identify vulnerabilities, inefficiencies, and compliance with best practices. 30 | 31 | * **Smart Contract** – A self-executing contract with the terms of the agreement directly written into code and deployed on a blockchain. Smart contracts automate execution without the need for intermediaries. 32 | 33 | * **Token Standard** – Specifications that define how tokens should function on a blockchain. Common standards include ERC20 for fungible tokens, ERC721 for non-fungible tokens, and ERC1155 for multi-token standards. 34 | 35 | * **Transaction Confirmation** – The process by which a transaction is included in a block and recorded on the blockchain. Inclusion in a single block does not make a transaction final: recent blocks can be reorganized, so a transaction should only be treated as irreversible after a sufficient number of subsequent blocks (or, on proof-of-stake Ethereum, once the block containing it has been finalized). 36 | 37 | * **Vulnerability** – A weakness in a smart contract that can be exploited by an attacker, leading to unauthorized access, data breaches, or financial loss. 38 | 39 | * **Whitelisting** – A security practice where specific addresses or entities are granted permission to interact with a contract, enhancing access control and mitigating potential attacks. 40 | 41 | * **Zero-Knowledge Proofs** – Cryptographic methods that allow one party to prove to another that they know a value without revealing the value itself. This is used to enhance privacy in blockchain transactions. 
42 | 43 | * **Audit Trail** – A chronological record that tracks the sequence of activities and changes made to a smart contract, providing transparency and accountability. 44 | 45 | * **ERC Standards** – Ethereum Request for Comments; a series of technical documents that provide guidelines and specifications for the development of smart contracts and tokens on the Ethereum blockchain. 46 | 47 | * **Decentralized Finance (DeFi)** – A financial ecosystem that operates without central authorities, using smart contracts on blockchains to provide financial services like lending, borrowing, and trading. 48 | 49 | * **Oracle** – A third-party service that provides external data to smart contracts, enabling them to interact with real-world information such as prices, events, or weather data. Because contract logic trusts the oracle's output, oracle manipulation (for example a flash-loan-driven swing in a spot price used as a source) and stale or unavailable data are security concerns in their own right; see S7.2.A1. 50 | 51 | * **Tokenomics** – The study of the economic model and incentive structures behind cryptocurrencies and tokens, including supply, demand, and the distribution of tokens. 52 | 53 | * **Gas Optimization** – Techniques and practices aimed at reducing the gas consumption of smart contracts, thereby lowering transaction costs and improving efficiency. 54 | 55 | * **Atomic Swap** – A smart contract technology that enables the exchange of one cryptocurrency for another without the need for a trusted third party, ensuring security and trustlessness. 56 | 57 | * **Cryptographic Hash Function** – A mathematical algorithm that transforms input data of any size into a fixed-size digest such that it is computationally infeasible to recover the input from the digest (preimage resistance) or to find two different inputs with the same digest (collision resistance). Digests are not strictly unique to each input, but collisions cannot be found in practice, which is what makes hash functions suitable for ensuring data integrity in blockchain. 58 | 59 | * **State Machine** – A model that represents the state of a smart contract and its transitions, allowing for tracking of the current state and the possible changes based on events and actions. 60 | 61 | * **Gas Refund** – A mechanism that allows users to recover some of the gas fees spent on certain operations, particularly those that free up storage space on the blockchain. 
62 | 63 | * **Contract Upgradeability** – The ability to modify or replace a smart contract after its deployment to fix bugs or add new features, often implemented through proxy patterns. 64 | 65 | * **Security Vulnerability Disclosure** – A responsible disclosure process where security researchers report vulnerabilities found in smart contracts to the developers, allowing them to address the issues before public knowledge. 66 | 67 | * **Interoperability** – The capability of different blockchain networks and smart contracts to communicate and interact with each other, enabling seamless integration of services and assets across platforms. 68 | -------------------------------------------------------------------------------- /0.1/en/0x91-Appendix-B_References.md: -------------------------------------------------------------------------------- 1 | # Appendix B: References 2 | 3 | The following OWASP projects are most likely to be useful to users/adopters of this standard: 4 | 5 | ## OWASP Core Projects 6 | 7 | 1. [OWASP Top 10 Project](https://owasp.org/www-project-top-ten/) 8 | 2. 
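[OWASP Smart Contract Top 10 Project](https://owasp.org/www-project-smart-contract-top-10/) 9 | -------------------------------------------------------------------------------- /0.1/generate-all.sh: -------------------------------------------------------------------------------- 
#!/bin/bash
# Generate every export artefact (JSON, CycloneDX JSON, flat JSON, XML, CSV)
# and the rendered documents for each requested language.
#
# Usage: generate-all.sh [lang ...]
#   With no arguments every language in ALLOWED_LANGS is built. Arguments are
#   checked against ALLOWED_LANGS before they are used as part of a path or
#   passed to the export tools, so an unexpected value never reaches the
#   file system.
#
# Fail fast: an export that fails must not leave a truncated artefact behind
# that a later publishing step could pick up as if it were complete, so every
# artefact is written to a temp file and only renamed into place once its
# verification pass has succeeded.
set -euo pipefail

ALLOWED_LANGS='en'

# Version string embedded in the artefact file names and handed to
# generate_document.sh. NOTE(review): this says 5.0 while the Makefile next
# to this script names its output 0.0.1 -- confirm which one is intended.
vers="5.0"

echo "$@"

if [[ $# -gt 0 ]]; then
    LANGS="$*"
else
    LANGS="${ALLOWED_LANGS}"
fi

# export_format FORMAT LANG OUTFILE
# Writes one export format to OUTFILE. The tool is first run for real into a
# temp file, then in --verify-only mode (the same order as before; presumably
# this validates the source data -- confirm against tools/export.py). With
# set -e a failure of either step aborts the run before OUTFILE is touched.
export_format() {
    local fmt="$1" lang="$2" out="$3"
    python3 tools/export.py --format "$fmt" --language "$lang" > "$out.tmp"
    python3 tools/export.py --format "$fmt" --language "$lang" --verify-only true
    mv -f "$out.tmp" "$out"
}

# LANGS is intentionally unquoted: it is a whitespace-separated list.
for lang in ${LANGS}; do
    # Allow-list check (literal substring match, as the original regex did).
    if [[ " ${ALLOWED_LANGS} " != *" ${lang} "* ]]; then
        echo "skipping unknown language '${lang}' (allowed: ${ALLOWED_LANGS})" >&2
        continue
    fi

    outdir="./docs_${lang}"
    verslong="${outdir}/OWASP Smart Contract Security Verification Standard ${vers}-${lang}"
    # The redirects below fail if the output directory does not exist yet.
    mkdir -p "${outdir}"

    export_format json "$lang" "$verslong.json"
    # The CycloneDX export had no --verify-only pass originally; it is still
    # written atomically so an aborted run cannot leave a partial SBOM.
    python3 tools/export.py --format cdx_json --language "$lang" > "$verslong.cdx.json.tmp"
    mv -f "$verslong.cdx.json.tmp" "$verslong.cdx.json"
    export_format json_flat "$lang" "$verslong.flat.json"
    export_format xml "$lang" "$verslong.xml"
    export_format csv "$lang" "$verslong.csv"

    tools/generate_document.sh "$lang" "$vers"
done
-------------------------------------------------------------------------------- /0.1/images/credshields-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/credshields-logo.png -------------------------------------------------------------------------------- /0.1/images/license.png: 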
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/license.png -------------------------------------------------------------------------------- /0.1/images/owaspLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/owaspLogo.png -------------------------------------------------------------------------------- /0.1/images/owasp_logo_1c_notext.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/owasp_logo_1c_notext.png -------------------------------------------------------------------------------- /0.1/images/owasp_logo_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/owasp_logo_header.png -------------------------------------------------------------------------------- /0.1/images/solidityscan-black-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/solidityscan-black-logo.png -------------------------------------------------------------------------------- /0.1/images/solidityscan-logo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/images/solidityscan-logo.png -------------------------------------------------------------------------------- /0.1/templates/eisvogel.tex: -------------------------------------------------------------------------------- 1 | %% 2 | % Copyright (c) 2017 - 2021, Pascal Wagler; 3 | % Copyright (c) 2014 - 2021, John MacFarlane 4 | % 5 | % All rights reserved. 6 | % 7 | % Redistribution and use in source and binary forms, with or without 8 | % modification, are permitted provided that the following conditions 9 | % are met: 10 | % 11 | % - Redistributions of source code must retain the above copyright 12 | % notice, this list of conditions and the following disclaimer. 13 | % 14 | % - Redistributions in binary form must reproduce the above copyright 15 | % notice, this list of conditions and the following disclaimer in the 16 | % documentation and/or other materials provided with the distribution. 17 | % 18 | % - Neither the name of John MacFarlane nor the names of other 19 | % contributors may be used to endorse or promote products derived 20 | % from this software without specific prior written permission. 21 | % 22 | % THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 | % "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 24 | % LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 25 | % FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE 26 | % COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 27 | % INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 28 | % BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 29 | % LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 30 | % CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 | % LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 32 | % ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 | % POSSIBILITY OF SUCH DAMAGE. 34 | %% 35 | 36 | %% 37 | % This is the Eisvogel pandoc LaTeX template. 38 | % 39 | % For usage information and examples visit the official GitHub page: 40 | % https://github.com/Wandmalfarbe/pandoc-latex-template 41 | %% 42 | 43 | % Options for packages loaded elsewhere 44 | \PassOptionsToPackage{unicode$for(hyperrefoptions)$,$hyperrefoptions$$endfor$}{hyperref} 45 | \PassOptionsToPackage{hyphens}{url} 46 | \PassOptionsToPackage{dvipsnames,svgnames,x11names,table}{xcolor} 47 | $if(dir)$ 48 | $if(latex-dir-rtl)$ 49 | \PassOptionsToPackage{RTLdocument}{bidi} 50 | $endif$ 51 | $endif$ 52 | $if(CJKmainfont)$ 53 | \PassOptionsToPackage{space}{xeCJK} 54 | $endif$ 55 | % 56 | \documentclass[ 57 | $if(fontsize)$ 58 | $fontsize$, 59 | $endif$ 60 | $if(lang)$ 61 | $babel-lang$, 62 | $endif$ 63 | $if(papersize)$ 64 | $papersize$paper, 65 | $else$ 66 | paper=a4, 67 | $endif$ 68 | $if(beamer)$ 69 | ignorenonframetext, 70 | $if(handout)$ 71 | handout, 72 | $endif$ 73 | $if(aspectratio)$ 74 | aspectratio=$aspectratio$, 75 | $endif$ 76 | $endif$ 77 | $for(classoption)$ 78 | $classoption$$sep$, 79 | $endfor$ 80 | ,captions=tableheading 81 | ]{$if(beamer)$$documentclass$$else$$if(book)$scrbook$else$scrartcl$endif$$endif$} 82 | $if(beamer)$ 83 | $if(background-image)$ 84 | \usebackgroundtemplate{% 85 | \includegraphics[width=\paperwidth]{$background-image$}% 86 | } 87 | $endif$ 88 | \usepackage{pgfpages} 89 | 
\setbeamertemplate{caption}[numbered] 90 | \setbeamertemplate{caption label separator}{: } 91 | \setbeamercolor{caption name}{fg=normal text.fg} 92 | \beamertemplatenavigationsymbols$if(navigation)$$navigation$$else$empty$endif$ 93 | $for(beameroption)$ 94 | \setbeameroption{$beameroption$} 95 | $endfor$ 96 | % Prevent slide breaks in the middle of a paragraph 97 | \widowpenalties 1 10000 98 | \raggedbottom 99 | $if(section-titles)$ 100 | \setbeamertemplate{part page}{ 101 | \centering 102 | \begin{beamercolorbox}[sep=16pt,center]{part title} 103 | \usebeamerfont{part title}\insertpart\par 104 | \end{beamercolorbox} 105 | } 106 | \setbeamertemplate{section page}{ 107 | \centering 108 | \begin{beamercolorbox}[sep=12pt,center]{part title} 109 | \usebeamerfont{section title}\insertsection\par 110 | \end{beamercolorbox} 111 | } 112 | \setbeamertemplate{subsection page}{ 113 | \centering 114 | \begin{beamercolorbox}[sep=8pt,center]{part title} 115 | \usebeamerfont{subsection title}\insertsubsection\par 116 | \end{beamercolorbox} 117 | } 118 | \AtBeginPart{ 119 | \frame{\partpage} 120 | } 121 | \AtBeginSection{ 122 | \ifbibliography 123 | \else 124 | \frame{\sectionpage} 125 | \fi 126 | } 127 | \AtBeginSubsection{ 128 | \frame{\subsectionpage} 129 | } 130 | $endif$ 131 | $endif$ 132 | $if(beamerarticle)$ 133 | \usepackage{beamerarticle} % needs to be loaded first 134 | $endif$ 135 | \usepackage{amsmath,amssymb} 136 | $if(fontfamily)$ 137 | \usepackage[$for(fontfamilyoptions)$$fontfamilyoptions$$sep$,$endfor$]{$fontfamily$} 138 | $else$ 139 | \usepackage{lmodern} 140 | $endif$ 141 | $if(linestretch)$ 142 | \usepackage{setspace} 143 | $else$ 144 | \usepackage{setspace} 145 | \setstretch{1.2} 146 | $endif$ 147 | \usepackage{iftex} 148 | \ifPDFTeX 149 | \usepackage[$if(fontenc)$$fontenc$$else$T1$endif$]{fontenc} 150 | \usepackage[utf8]{inputenc} 151 | \usepackage{textcomp} % provide euro and other symbols 152 | \else % if luatex or xetex 153 | $if(mathspec)$ 154 | \ifXeTeX 
155 | \usepackage{mathspec} 156 | \else 157 | \usepackage{unicode-math} 158 | \fi 159 | $else$ 160 | \usepackage{unicode-math} 161 | $endif$ 162 | \defaultfontfeatures{Scale=MatchLowercase} 163 | \defaultfontfeatures[\rmfamily]{Ligatures=TeX,Scale=1} 164 | $if(mainfont)$ 165 | \setmainfont[$for(mainfontoptions)$$mainfontoptions$$sep$,$endfor$]{$mainfont$} 166 | $endif$ 167 | $if(sansfont)$ 168 | \setsansfont[$for(sansfontoptions)$$sansfontoptions$$sep$,$endfor$]{$sansfont$} 169 | $endif$ 170 | $if(monofont)$ 171 | \setmonofont[$for(monofontoptions)$$monofontoptions$$sep$,$endfor$]{$monofont$} 172 | $endif$ 173 | $for(fontfamilies)$ 174 | \newfontfamily{$fontfamilies.name$}[$for(fontfamilies.options)$$fontfamilies.options$$sep$,$endfor$]{$fontfamilies.font$} 175 | $endfor$ 176 | $if(mathfont)$ 177 | $if(mathspec)$ 178 | \ifXeTeX 179 | \setmathfont(Digits,Latin,Greek)[$for(mathfontoptions)$$mathfontoptions$$sep$,$endfor$]{$mathfont$} 180 | \else 181 | \setmathfont[$for(mathfontoptions)$$mathfontoptions$$sep$,$endfor$]{$mathfont$} 182 | \fi 183 | $else$ 184 | \setmathfont[$for(mathfontoptions)$$mathfontoptions$$sep$,$endfor$]{$mathfont$} 185 | $endif$ 186 | $endif$ 187 | $if(CJKmainfont)$ 188 | \ifXeTeX 189 | \usepackage{xeCJK} 190 | \setCJKmainfont[$for(CJKoptions)$$CJKoptions$$sep$,$endfor$]{$CJKmainfont$} 191 | \fi 192 | $endif$ 193 | $if(luatexjapresetoptions)$ 194 | \ifLuaTeX 195 | \usepackage[$for(luatexjapresetoptions)$$luatexjapresetoptions$$sep$,$endfor$]{luatexja-preset} 196 | \fi 197 | $endif$ 198 | $if(CJKmainfont)$ 199 | \ifLuaTeX 200 | \usepackage[$for(luatexjafontspecoptions)$$luatexjafontspecoptions$$sep$,$endfor$]{luatexja-fontspec} 201 | \setmainjfont[$for(CJKoptions)$$CJKoptions$$sep$,$endfor$]{$CJKmainfont$} 202 | \fi 203 | $endif$ 204 | \fi 205 | $if(zero-width-non-joiner)$ 206 | %% Support for zero-width non-joiner characters. 
207 | \makeatletter 208 | \def\zerowidthnonjoiner{% 209 | % Prevent ligatures and adjust kerning, but still support hyphenating. 210 | \texorpdfstring{% 211 | \textormath{\nobreak\discretionary{-}{}{\kern.03em}% 212 | \ifvmode\else\nobreak\hskip\z@skip\fi}{}% 213 | }{}% 214 | } 215 | \makeatother 216 | \ifPDFTeX 217 | \DeclareUnicodeCharacter{200C}{\zerowidthnonjoiner} 218 | \else 219 | \catcode`^^^^200c=\active 220 | \protected\def ^^^^200c{\zerowidthnonjoiner} 221 | \fi 222 | %% End of ZWNJ support 223 | $endif$ 224 | $if(beamer)$ 225 | $if(theme)$ 226 | \usetheme[$for(themeoptions)$$themeoptions$$sep$,$endfor$]{$theme$} 227 | $endif$ 228 | $if(colortheme)$ 229 | \usecolortheme{$colortheme$} 230 | $endif$ 231 | $if(fonttheme)$ 232 | \usefonttheme{$fonttheme$} 233 | $endif$ 234 | $if(mainfont)$ 235 | \usefonttheme{serif} % use mainfont rather than sansfont for slide text 236 | $endif$ 237 | $if(innertheme)$ 238 | \useinnertheme{$innertheme$} 239 | $endif$ 240 | $if(outertheme)$ 241 | \useoutertheme{$outertheme$} 242 | $endif$ 243 | $endif$ 244 | % Use upquote if available, for straight quotes in verbatim environments 245 | \IfFileExists{upquote.sty}{\usepackage{upquote}}{} 246 | \IfFileExists{microtype.sty}{% use microtype if available 247 | \usepackage[$for(microtypeoptions)$$microtypeoptions$$sep$,$endfor$]{microtype} 248 | \UseMicrotypeSet[protrusion]{basicmath} % disable protrusion for tt fonts 249 | }{} 250 | $if(indent)$ 251 | $else$ 252 | \makeatletter 253 | \@ifundefined{KOMAClassName}{% if non-KOMA class 254 | \IfFileExists{parskip.sty}{% 255 | \usepackage{parskip} 256 | }{% else 257 | \setlength{\parindent}{0pt} 258 | \setlength{\parskip}{6pt plus 2pt minus 1pt}} 259 | }{% if KOMA class 260 | \KOMAoptions{parskip=half}} 261 | \makeatother 262 | $endif$ 263 | $if(verbatim-in-note)$ 264 | \usepackage{fancyvrb} 265 | $endif$ 266 | \usepackage{xcolor} 267 | \definecolor{default-linkcolor}{HTML}{A50000} 268 | \definecolor{default-filecolor}{HTML}{A50000} 269 
| \definecolor{default-citecolor}{HTML}{4077C0} 270 | \definecolor{default-urlcolor}{HTML}{4077C0} 271 | \IfFileExists{xurl.sty}{\usepackage{xurl}}{} % add URL line breaks if available 272 | $if(footnotes-pretty)$ 273 | % load footmisc in order to customize footnotes (footmisc has to be loaded before hyperref, cf. https://tex.stackexchange.com/a/169124/144087) 274 | \usepackage[hang,flushmargin,bottom,multiple]{footmisc} 275 | \setlength{\footnotemargin}{0.8em} % set space between footnote nr and text 276 | \setlength{\footnotesep}{\baselineskip} % set space between multiple footnotes 277 | \setlength{\skip\footins}{0.3cm} % set space between page content and footnote 278 | \setlength{\footskip}{0.9cm} % set space between footnote and page bottom 279 | $endif$ 280 | \IfFileExists{bookmark.sty}{\usepackage{bookmark}}{\usepackage{hyperref}} 281 | \hypersetup{ 282 | $if(title-meta)$ 283 | pdftitle={$title-meta$}, 284 | $endif$ 285 | $if(author-meta)$ 286 | pdfauthor={$author-meta$}, 287 | $endif$ 288 | $if(lang)$ 289 | pdflang={$lang$}, 290 | $endif$ 291 | $if(subject)$ 292 | pdfsubject={$subject$}, 293 | $endif$ 294 | $if(keywords)$ 295 | pdfkeywords={$for(keywords)$$keywords$$sep$, $endfor$}, 296 | $endif$ 297 | $if(colorlinks)$ 298 | colorlinks=true, 299 | linkcolor={$if(linkcolor)$$linkcolor$$else$default-linkcolor$endif$}, 300 | filecolor={$if(filecolor)$$filecolor$$else$default-filecolor$endif$}, 301 | citecolor={$if(citecolor)$$citecolor$$else$default-citecolor$endif$}, 302 | urlcolor={$if(urlcolor)$$urlcolor$$else$default-urlcolor$endif$}, 303 | $else$ 304 | hidelinks, 305 | $endif$ 306 | breaklinks=true, 307 | pdfcreator={LaTeX via pandoc with the Eisvogel template}} 308 | \urlstyle{same} % disable monospaced font for URLs 309 | $if(verbatim-in-note)$ 310 | \VerbatimFootnotes % allow verbatim text in footnotes 311 | $endif$ 312 | $if(geometry)$ 313 | $if(beamer)$ 314 | \geometry{$for(geometry)$$geometry$$sep$,$endfor$} 315 | $else$ 316 | 
\usepackage[$for(geometry)$$geometry$$sep$,$endfor$]{geometry} 317 | $endif$ 318 | $else$ 319 | $if(beamer)$ 320 | $else$ 321 | \usepackage[margin=2.5cm,includehead=true,includefoot=true,centering,$for(geometry)$$geometry$$sep$,$endfor$]{geometry} 322 | $endif$ 323 | $endif$ 324 | $if(titlepage-logo)$ 325 | \usepackage[export]{adjustbox} 326 | \usepackage{graphicx} 327 | $endif$ 328 | $if(beamer)$ 329 | \newif\ifbibliography 330 | $endif$ 331 | $if(listings)$ 332 | \usepackage{listings} 333 | \newcommand{\passthrough}[1]{#1} 334 | \lstset{defaultdialect=[5.3]Lua} 335 | \lstset{defaultdialect=[x86masm]Assembler} 336 | $endif$ 337 | $if(listings-no-page-break)$ 338 | \usepackage{etoolbox} 339 | \BeforeBeginEnvironment{lstlisting}{\par\noindent\begin{minipage}{\linewidth}} 340 | \AfterEndEnvironment{lstlisting}{\end{minipage}\par\addvspace{\topskip}} 341 | $endif$ 342 | $if(lhs)$ 343 | \lstnewenvironment{code}{\lstset{language=Haskell,basicstyle=\small\ttfamily}}{} 344 | $endif$ 345 | $if(highlighting-macros)$ 346 | $highlighting-macros$ 347 | 348 | % Workaround/bugfix from jannick0. 349 | % See https://github.com/jgm/pandoc/issues/4302#issuecomment-360669013) 350 | % or https://github.com/Wandmalfarbe/pandoc-latex-template/issues/2 351 | % 352 | % Redefine the verbatim environment 'Highlighting' to break long lines (with 353 | % the help of fvextra). Redefinition is necessary because it is unlikely that 354 | % pandoc includes fvextra in the default template. 
355 | \usepackage{fvextra} 356 | \DefineVerbatimEnvironment{Highlighting}{Verbatim}{breaklines,fontsize=$if(code-block-font-size)$$code-block-font-size$$else$\small$endif$,commandchars=\\\{\}} 357 | 358 | $endif$ 359 | $if(tables)$ 360 | \usepackage{longtable,booktabs,array} 361 | $if(multirow)$ 362 | \usepackage{multirow} 363 | $endif$ 364 | \usepackage{calc} % for calculating minipage widths 365 | $if(beamer)$ 366 | \usepackage{caption} 367 | % Make caption package work with longtable 368 | \makeatletter 369 | \def\fnum@table{\tablename~\thetable} 370 | \makeatother 371 | $else$ 372 | % Correct order of tables after \paragraph or \subparagraph 373 | \usepackage{etoolbox} 374 | \makeatletter 375 | \patchcmd\longtable{\par}{\if@noskipsec\mbox{}\fi\par}{}{} 376 | \makeatother 377 | % Allow footnotes in longtable head/foot 378 | \IfFileExists{footnotehyper.sty}{\usepackage{footnotehyper}}{\usepackage{footnote}} 379 | \makesavenoteenv{longtable} 380 | $endif$ 381 | $endif$ 382 | % add backlinks to footnote references, cf. 
https://tex.stackexchange.com/questions/302266/make-footnote-clickable-both-ways 383 | $if(footnotes-disable-backlinks)$ 384 | $else$ 385 | \usepackage{footnotebackref} 386 | $endif$ 387 | $if(graphics)$ 388 | \usepackage{graphicx} 389 | \makeatletter 390 | \def\maxwidth{\ifdim\Gin@nat@width>\linewidth\linewidth\else\Gin@nat@width\fi} 391 | \def\maxheight{\ifdim\Gin@nat@height>\textheight\textheight\else\Gin@nat@height\fi} 392 | \makeatother 393 | % Scale images if necessary, so that they will not overflow the page 394 | % margins by default, and it is still possible to overwrite the defaults 395 | % using explicit options in \includegraphics[width, height, ...]{} 396 | \setkeys{Gin}{width=\maxwidth,height=\maxheight,keepaspectratio} 397 | % Set default figure placement to htbp 398 | \makeatletter 399 | \def\fps@figure{htbp} 400 | \makeatother 401 | $endif$ 402 | $if(links-as-notes)$ 403 | % Make links footnotes instead of hotlinks: 404 | \DeclareRobustCommand{\href}[2]{#2\footnote{\url{#1}}} 405 | $endif$ 406 | $if(strikeout)$ 407 | $-- also used for underline 408 | \usepackage[normalem]{ulem} 409 | % Avoid problems with \sout in headers with hyperref 410 | \pdfstringdefDisableCommands{\renewcommand{\sout}{}} 411 | $endif$ 412 | \setlength{\emergencystretch}{3em} % prevent overfull lines 413 | \providecommand{\tightlist}{% 414 | \setlength{\itemsep}{0pt}\setlength{\parskip}{0pt}} 415 | $if(numbersections)$ 416 | \setcounter{secnumdepth}{$if(secnumdepth)$$secnumdepth$$else$5$endif$} 417 | $else$ 418 | \setcounter{secnumdepth}{-\maxdimen} % remove section numbering 419 | $endif$ 420 | $if(beamer)$ 421 | $else$ 422 | $if(block-headings)$ 423 | % Make \paragraph and \subparagraph free-standing 424 | \ifx\paragraph\undefined\else 425 | \let\oldparagraph\paragraph 426 | \renewcommand{\paragraph}[1]{\oldparagraph{#1}\mbox{}} 427 | \fi 428 | \ifx\subparagraph\undefined\else 429 | \let\oldsubparagraph\subparagraph 430 | 
\renewcommand{\subparagraph}[1]{\oldsubparagraph{#1}\mbox{}} 431 | \fi 432 | $endif$ 433 | $endif$ 434 | $if(pagestyle)$ 435 | \pagestyle{$pagestyle$} 436 | $endif$ 437 | $if(csl-refs)$ 438 | \newlength{\cslhangindent} 439 | \setlength{\cslhangindent}{1.5em} 440 | \newlength{\csllabelwidth} 441 | \setlength{\csllabelwidth}{3em} 442 | \newlength{\cslentryspacingunit} % times entry-spacing 443 | \setlength{\cslentryspacingunit}{\parskip} 444 | \newenvironment{CSLReferences}[2] % #1 hanging-ident, #2 entry spacing 445 | {% don't indent paragraphs 446 | \setlength{\parindent}{0pt} 447 | % turn on hanging indent if param 1 is 1 448 | \ifodd #1 449 | \let\oldpar\par 450 | \def\par{\hangindent=\cslhangindent\oldpar} 451 | \fi 452 | % set entry spacing 453 | \setlength{\parskip}{#2\cslentryspacingunit} 454 | }% 455 | {} 456 | \usepackage{calc} 457 | \newcommand{\CSLBlock}[1]{#1\hfill\break} 458 | \newcommand{\CSLLeftMargin}[1]{\parbox[t]{\csllabelwidth}{#1}} 459 | \newcommand{\CSLRightInline}[1]{\parbox[t]{\linewidth - \csllabelwidth}{#1}\break} 460 | \newcommand{\CSLIndent}[1]{\hspace{\cslhangindent}#1} 461 | $endif$ 462 | $for(header-includes)$ 463 | $header-includes$ 464 | $endfor$ 465 | $if(lang)$ 466 | \usepackage[$for(babel-otherlangs)$$babel-otherlangs$,$endfor$main=$babel-lang$]{babel} 467 | % get rid of language-specific shorthands (see #6817): 468 | \let\LanguageShortHands\languageshorthands 469 | \def\languageshorthands#1{} 470 | $endif$ 471 | \ifLuaTeX 472 | \usepackage{selnolig} % disable illegal ligatures 473 | \fi 474 | $if(dir)$ 475 | \ifXeTeX 476 | % Load bidi as late as possible as it modifies e.g. 
graphicx 477 | \usepackage{bidi} 478 | \fi 479 | \ifPDFTeX 480 | \TeXXeTstate=1 481 | \newcommand{\RL}[1]{\beginR #1\endR} 482 | \newcommand{\LR}[1]{\beginL #1\endL} 483 | \newenvironment{RTL}{\beginR}{\endR} 484 | \newenvironment{LTR}{\beginL}{\endL} 485 | \fi 486 | $endif$ 487 | $if(natbib)$ 488 | \usepackage[$natbiboptions$]{natbib} 489 | \bibliographystyle{$if(biblio-style)$$biblio-style$$else$plainnat$endif$} 490 | $endif$ 491 | $if(biblatex)$ 492 | \usepackage[$if(biblio-style)$style=$biblio-style$,$endif$$for(biblatexoptions)$$biblatexoptions$$sep$,$endfor$]{biblatex} 493 | $for(bibliography)$ 494 | \addbibresource{$bibliography$} 495 | $endfor$ 496 | $endif$ 497 | $if(nocite-ids)$ 498 | \nocite{$for(nocite-ids)$$it$$sep$, $endfor$} 499 | $endif$ 500 | $if(csquotes)$ 501 | \usepackage{csquotes} 502 | $endif$ 503 | 504 | $if(title)$ 505 | \title{$title$$if(thanks)$\thanks{$thanks$}$endif$} 506 | $endif$ 507 | $if(subtitle)$ 508 | $if(beamer)$ 509 | $else$ 510 | \usepackage{etoolbox} 511 | \makeatletter 512 | \providecommand{\subtitle}[1]{% add subtitle to \maketitle 513 | \apptocmd{\@title}{\par {\large #1 \par}}{}{} 514 | } 515 | \makeatother 516 | $endif$ 517 | \subtitle{$subtitle$} 518 | $endif$ 519 | \author{$for(author)$$author$$sep$ \and $endfor$} 520 | \date{$date$} 521 | $if(beamer)$ 522 | $if(institute)$ 523 | \institute{$for(institute)$$institute$$sep$ \and $endfor$} 524 | $endif$ 525 | $if(titlegraphic)$ 526 | \titlegraphic{\includegraphics{$titlegraphic$}} 527 | $endif$ 528 | $if(logo)$ 529 | \logo{\includegraphics{$logo$}} 530 | $endif$ 531 | $endif$ 532 | 533 | 534 | 535 | %% 536 | %% added 537 | %% 538 | 539 | $if(page-background)$ 540 | \usepackage[pages=all]{background} 541 | $endif$ 542 | 543 | % 544 | % for the background color of the title page 545 | % 546 | $if(titlepage)$ 547 | \usepackage{pagecolor} 548 | \usepackage{afterpage} 549 | $if(titlepage-background)$ 550 | \usepackage{tikz} 551 | $endif$ 552 | $if(geometry)$ 553 | $else$ 554 | 
\usepackage[margin=2.5cm,includehead=true,includefoot=true,centering]{geometry} 555 | $endif$ 556 | $endif$ 557 | 558 | % 559 | % break urls 560 | % 561 | \PassOptionsToPackage{hyphens}{url} 562 | 563 | % 564 | % When using babel or polyglossia with biblatex, loading csquotes is recommended 565 | % to ensure that quoted texts are typeset according to the rules of your main language. 566 | % 567 | \usepackage{csquotes} 568 | 569 | % 570 | % captions 571 | % 572 | \definecolor{caption-color}{HTML}{777777} 573 | $if(beamer)$ 574 | $else$ 575 | \usepackage[font={stretch=1.2}, textfont={color=caption-color}, position=top, skip=4mm, labelfont=bf, singlelinecheck=false, justification=$if(caption-justification)$$caption-justification$$else$raggedright$endif$]{caption} 576 | \setcapindent{0em} 577 | $endif$ 578 | 579 | % 580 | % blockquote 581 | % 582 | \definecolor{blockquote-border}{RGB}{221,221,221} 583 | \definecolor{blockquote-text}{RGB}{119,119,119} 584 | \usepackage{mdframed} 585 | \newmdenv[rightline=false,bottomline=false,topline=false,linewidth=3pt,linecolor=blockquote-border,skipabove=\parskip]{customblockquote} 586 | \renewenvironment{quote}{\begin{customblockquote}\list{}{\rightmargin=0em\leftmargin=0em}% 587 | \item\relax\color{blockquote-text}\ignorespaces}{\unskip\unskip\endlist\end{customblockquote}} 588 | 589 | % 590 | % Source Sans Pro as the de­fault font fam­ily 591 | % Source Code Pro for monospace text 592 | % 593 | % 'default' option sets the default 594 | % font family to Source Sans Pro, not \sfdefault. 
595 | % 596 | \ifnum 0\ifxetex 1\fi\ifluatex 1\fi=0 % if pdftex 597 | $if(fontfamily)$ 598 | $else$ 599 | \usepackage[default]{sourcesans} 600 | \usepackage{sourcecodepro} 601 | $endif$ 602 | \else % if not pdftex 603 | $if(mainfont)$ 604 | $else$ 605 | \usepackage[default]{sourcesans} 606 | \usepackage{sourcecodepro} 607 | 608 | % XeLaTeX specific adjustments for straight quotes: https://tex.stackexchange.com/a/354887 609 | % This issue is already fixed (see https://github.com/silkeh/latex-sourcecodepro/pull/5) but the 610 | % fix is still unreleased. 611 | % TODO: Remove this workaround when the new version of sourcecodepro is released on CTAN. 612 | \ifxetex 613 | \makeatletter 614 | \defaultfontfeatures[\ttfamily] 615 | { Numbers = \sourcecodepro@figurestyle, 616 | Scale = \SourceCodePro@scale, 617 | Extension = .otf } 618 | \setmonofont 619 | [ UprightFont = *-\sourcecodepro@regstyle, 620 | ItalicFont = *-\sourcecodepro@regstyle It, 621 | BoldFont = *-\sourcecodepro@boldstyle, 622 | BoldItalicFont = *-\sourcecodepro@boldstyle It ] 623 | {SourceCodePro} 624 | \makeatother 625 | \fi 626 | $endif$ 627 | \fi 628 | 629 | % 630 | % heading color 631 | % 632 | \definecolor{heading-color}{RGB}{40,40,40} 633 | $if(beamer)$ 634 | $else$ 635 | \addtokomafont{section}{\color{heading-color}} 636 | $endif$ 637 | % When using the classes report, scrreprt, book, 638 | % scrbook or memoir, uncomment the following line. 
639 | %\addtokomafont{chapter}{\color{heading-color}} 640 | 641 | % 642 | % variables for title, author and date 643 | % 644 | $if(beamer)$ 645 | $else$ 646 | \usepackage{titling} 647 | \title{$title$} 648 | \author{$for(author)$$author$$sep$, $endfor$} 649 | \date{$date$} 650 | $endif$ 651 | 652 | % 653 | % tables 654 | % 655 | $if(tables)$ 656 | 657 | \definecolor{table-row-color}{HTML}{F5F5F5} 658 | \definecolor{table-rule-color}{HTML}{999999} 659 | 660 | %\arrayrulecolor{black!40} 661 | \arrayrulecolor{table-rule-color} % color of \toprule, \midrule, \bottomrule 662 | \setlength\heavyrulewidth{0.3ex} % thickness of \toprule, \bottomrule 663 | \renewcommand{\arraystretch}{1.3} % spacing (padding) 664 | 665 | $if(table-use-row-colors)$ 666 | % TODO: This doesn't work anymore. I don't know why. 667 | % Reset rownum counter so that each table 668 | % starts with the same row colors. 669 | % https://tex.stackexchange.com/questions/170637/restarting-rowcolors 670 | % 671 | % Unfortunately the colored cells extend beyond the edge of the 672 | % table because pandoc uses @-expressions (@{}) like so: 673 | % 674 | % \begin{longtable}[]{@{}ll@{}} 675 | % \end{longtable} 676 | % 677 | % https://en.wikibooks.org/wiki/LaTeX/Tables#.40-expressions 678 | \let\oldlongtable\longtable 679 | \let\endoldlongtable\endlongtable 680 | \renewenvironment{longtable}{ 681 | \rowcolors{3}{}{table-row-color!100} % row color 682 | \oldlongtable} { 683 | \endoldlongtable 684 | \global\rownum=0\relax} 685 | $endif$ 686 | $endif$ 687 | 688 | % 689 | % remove paragraph indention 690 | % 691 | \setlength{\parindent}{0pt} 692 | \setlength{\parskip}{6pt plus 2pt minus 1pt} 693 | \setlength{\emergencystretch}{3em} % prevent overfull lines 694 | 695 | % 696 | % 697 | % Listings 698 | % 699 | % 700 | 701 | $if(listings)$ 702 | 703 | % 704 | % general listing colors 705 | % 706 | \definecolor{listing-background}{HTML}{F7F7F7} 707 | \definecolor{listing-rule}{HTML}{B3B2B3} 708 | 
\definecolor{listing-numbers}{HTML}{B3B2B3} 709 | \definecolor{listing-text-color}{HTML}{000000} 710 | \definecolor{listing-keyword}{HTML}{435489} 711 | \definecolor{listing-keyword-2}{HTML}{1284CA} % additional keywords 712 | \definecolor{listing-keyword-3}{HTML}{9137CB} % additional keywords 713 | \definecolor{listing-identifier}{HTML}{435489} 714 | \definecolor{listing-string}{HTML}{00999A} 715 | \definecolor{listing-comment}{HTML}{8E8E8E} 716 | 717 | \lstdefinestyle{eisvogel_listing_style}{ 718 | language = java, 719 | $if(listings-disable-line-numbers)$ 720 | xleftmargin = 0.6em, 721 | framexleftmargin = 0.4em, 722 | $else$ 723 | numbers = left, 724 | xleftmargin = 2.7em, 725 | framexleftmargin = 2.5em, 726 | $endif$ 727 | backgroundcolor = \color{listing-background}, 728 | basicstyle = \color{listing-text-color}\linespread{1.0}% 729 | \lst@ifdisplaystyle% 730 | $if(code-block-font-size)$$code-block-font-size$$else$\small$endif$% 731 | \fi\ttfamily{}, 732 | breaklines = true, 733 | frame = single, 734 | framesep = 0.19em, 735 | rulecolor = \color{listing-rule}, 736 | frameround = ffff, 737 | tabsize = 4, 738 | numberstyle = \color{listing-numbers}, 739 | aboveskip = 1.0em, 740 | belowskip = 0.1em, 741 | abovecaptionskip = 0em, 742 | belowcaptionskip = 1.0em, 743 | keywordstyle = {\color{listing-keyword}\bfseries}, 744 | keywordstyle = {[2]\color{listing-keyword-2}\bfseries}, 745 | keywordstyle = {[3]\color{listing-keyword-3}\bfseries\itshape}, 746 | sensitive = true, 747 | identifierstyle = \color{listing-identifier}, 748 | commentstyle = \color{listing-comment}, 749 | stringstyle = \color{listing-string}, 750 | showstringspaces = false, 751 | escapeinside = {/*@}{@*/}, % Allow LaTeX inside these special comments 752 | literate = 753 | {á}{{\'a}}1 {é}{{\'e}}1 {í}{{\'i}}1 {ó}{{\'o}}1 {ú}{{\'u}}1 754 | {Á}{{\'A}}1 {É}{{\'E}}1 {Í}{{\'I}}1 {Ó}{{\'O}}1 {Ú}{{\'U}}1 755 | {à}{{\`a}}1 {è}{{\'e}}1 {ì}{{\`i}}1 {ò}{{\`o}}1 {ù}{{\`u}}1 756 | {À}{{\`A}}1 {È}{{\'E}}1 
{Ì}{{\`I}}1 {Ò}{{\`O}}1 {Ù}{{\`U}}1 757 | {ä}{{\"a}}1 {ë}{{\"e}}1 {ï}{{\"i}}1 {ö}{{\"o}}1 {ü}{{\"u}}1 758 | {Ä}{{\"A}}1 {Ë}{{\"E}}1 {Ï}{{\"I}}1 {Ö}{{\"O}}1 {Ü}{{\"U}}1 759 | {â}{{\^a}}1 {ê}{{\^e}}1 {î}{{\^i}}1 {ô}{{\^o}}1 {û}{{\^u}}1 760 | {Â}{{\^A}}1 {Ê}{{\^E}}1 {Î}{{\^I}}1 {Ô}{{\^O}}1 {Û}{{\^U}}1 761 | {œ}{{\oe}}1 {Œ}{{\OE}}1 {æ}{{\ae}}1 {Æ}{{\AE}}1 {ß}{{\ss}}1 762 | {ç}{{\c c}}1 {Ç}{{\c C}}1 {ø}{{\o}}1 {å}{{\r a}}1 {Å}{{\r A}}1 763 | {€}{{\EUR}}1 {£}{{\pounds}}1 {«}{{\guillemotleft}}1 764 | {»}{{\guillemotright}}1 {ñ}{{\~n}}1 {Ñ}{{\~N}}1 {¿}{{?`}}1 765 | {…}{{\ldots}}1 {≥}{{>=}}1 {≤}{{<=}}1 {„}{{\glqq}}1 {“}{{\grqq}}1 766 | {”}{{''}}1 767 | } 768 | \lstset{style=eisvogel_listing_style} 769 | 770 | % 771 | % Java (Java SE 12, 2019-06-22) 772 | % 773 | \lstdefinelanguage{Java}{ 774 | morekeywords={ 775 | % normal keywords (without data types) 776 | abstract,assert,break,case,catch,class,continue,default, 777 | do,else,enum,exports,extends,final,finally,for,if,implements, 778 | import,instanceof,interface,module,native,new,package,private, 779 | protected,public,requires,return,static,strictfp,super,switch, 780 | synchronized,this,throw,throws,transient,try,volatile,while, 781 | % var is an identifier 782 | var 783 | }, 784 | morekeywords={[2] % data types 785 | % primitive data types 786 | boolean,byte,char,double,float,int,long,short, 787 | % String 788 | String, 789 | % primitive wrapper types 790 | Boolean,Byte,Character,Double,Float,Integer,Long,Short 791 | % number types 792 | Number,AtomicInteger,AtomicLong,BigDecimal,BigInteger,DoubleAccumulator,DoubleAdder,LongAccumulator,LongAdder,Short, 793 | % other 794 | Object,Void,void 795 | }, 796 | morekeywords={[3] % literals 797 | % reserved words for literal values 798 | null,true,false, 799 | }, 800 | sensitive, 801 | morecomment = [l]//, 802 | morecomment = [s]{/*}{*/}, 803 | morecomment = [s]{/**}{*/}, 804 | morestring = [b]", 805 | morestring = [b]', 806 | } 807 | 808 | \lstdefinelanguage{XML}{ 809 | 
morestring = [b]", 810 | moredelim = [s][\bfseries\color{listing-keyword}]{<}{\ }, 811 | moredelim = [s][\bfseries\color{listing-keyword}]{}, 812 | moredelim = [l][\bfseries\color{listing-keyword}]{/>}, 813 | moredelim = [l][\bfseries\color{listing-keyword}]{>}, 814 | morecomment = [s]{}, 815 | morecomment = [s]{}, 816 | commentstyle = \color{listing-comment}, 817 | stringstyle = \color{listing-string}, 818 | identifierstyle = \color{listing-identifier} 819 | } 820 | $endif$ 821 | 822 | % 823 | % header and footer 824 | % 825 | $if(beamer)$ 826 | $else$ 827 | $if(disable-header-and-footer)$ 828 | $else$ 829 | \usepackage[headsepline,footsepline]{scrlayer-scrpage} 830 | 831 | \newpairofpagestyles{eisvogel-header-footer}{ 832 | \clearpairofpagestyles 833 | \ihead*{$if(header-left)$$header-left$$else$$title$$endif$} 834 | \chead*{$if(header-center)$$header-center$$else$$endif$} 835 | \ohead*{$if(header-right)$$header-right$$else$$date$$endif$} 836 | \ifoot*{$if(footer-left)$$footer-left$$else$$for(author)$$author$$sep$, $endfor$$endif$} 837 | \cfoot*{$if(footer-center)$$footer-center$$else$$endif$} 838 | \ofoot*{$if(footer-right)$$footer-right$$else$\thepage$endif$} 839 | \addtokomafont{pageheadfoot}{\upshape} 840 | } 841 | \pagestyle{eisvogel-header-footer} 842 | 843 | $if(book)$ 844 | \deftripstyle{ChapterStyle}{}{}{}{}{\pagemark}{} 845 | \renewcommand*{\chapterpagestyle}{ChapterStyle} 846 | $endif$ 847 | 848 | $if(page-background)$ 849 | \backgroundsetup{ 850 | scale=1, 851 | color=black, 852 | opacity=$if(page-background-opacity)$$page-background-opacity$$else$0.2$endif$, 853 | angle=0, 854 | contents={% 855 | \includegraphics[width=\paperwidth,height=\paperheight]{$page-background$} 856 | }% 857 | } 858 | $endif$ 859 | $endif$ 860 | $endif$ 861 | 862 | %% 863 | %% end added 864 | %% 865 | 866 | \begin{document} 867 | 868 | %% 869 | %% begin titlepage 870 | %% 871 | $if(beamer)$ 872 | $else$ 873 | $if(titlepage)$ 874 | \begin{titlepage} 875 | 
$if(titlepage-background)$ 876 | \newgeometry{top=2cm, right=4cm, bottom=3cm, left=4cm} 877 | $else$ 878 | \newgeometry{left=6cm} 879 | $endif$ 880 | $if(titlepage-color)$ 881 | \definecolor{titlepage-color}{HTML}{$titlepage-color$} 882 | \newpagecolor{titlepage-color}\afterpage{\restorepagecolor} 883 | $endif$ 884 | $if(titlepage-background)$ 885 | \tikz[remember picture,overlay] \node[inner sep=0pt] at (current page.center){\includegraphics[width=\paperwidth,height=\paperheight]{$titlepage-background$}}; 886 | $endif$ 887 | \newcommand{\colorRule}[3][black]{\textcolor[HTML]{#1}{\rule{#2}{#3}}} 888 | \begin{flushleft} 889 | \noindent 890 | \\[-1em] 891 | \color[HTML]{$if(titlepage-text-color)$$titlepage-text-color$$else$5F5F5F$endif$} 892 | \makebox[0pt][l]{\colorRule[$if(titlepage-rule-color)$$titlepage-rule-color$$else$435488$endif$]{1.3\textwidth}{$if(titlepage-rule-height)$$titlepage-rule-height$$else$4$endif$pt}} 893 | \par 894 | \noindent 895 | 896 | $if(titlepage-background)$ 897 | % The titlepage with a background image has other text spacing and text size 898 | { 899 | \setstretch{2} 900 | \vfill 901 | \vskip -8em 902 | \noindent {\huge \textbf{\textsf{$title$}}} 903 | $if(subtitle)$ 904 | \vskip 1em 905 | {\Large \textsf{$subtitle$}} 906 | $endif$ 907 | \vskip 2em 908 | \noindent {\Large \textsf{$for(author)$$author$$sep$, $endfor$} \vskip 0.6em \textsf{$date$}} 909 | \vfill 910 | } 911 | $else$ 912 | { 913 | \setstretch{1.4} 914 | \vfill 915 | \noindent {\huge \textbf{\textsf{$title$}}} 916 | $if(subtitle)$ 917 | \vskip 1em 918 | {\Large \textsf{$subtitle$}} 919 | $endif$ 920 | \vskip 2em 921 | \noindent {\Large \textsf{$for(author)$$author$$sep$, $endfor$}} 922 | \vfill 923 | } 924 | $endif$ 925 | 926 | $if(titlepage-logo)$ 927 | \noindent 928 | \includegraphics[width=$if(logo-width)$$logo-width$$else$35mm$endif$, left]{$titlepage-logo$} 929 | $endif$ 930 | 931 | $if(titlepage-background)$ 932 | $else$ 933 | \textsf{$date$} 934 | $endif$ 935 | 
\end{flushleft} 936 | \end{titlepage} 937 | \restoregeometry 938 | \pagenumbering{arabic} 939 | $endif$ 940 | $endif$ 941 | 942 | %% 943 | %% end titlepage 944 | %% 945 | 946 | $if(has-frontmatter)$ 947 | \frontmatter 948 | $endif$ 949 | $if(title)$ 950 | $if(beamer)$ 951 | \frame{\titlepage} 952 | $endif$ 953 | $if(abstract)$ 954 | \begin{abstract} 955 | $abstract$ 956 | \end{abstract} 957 | $endif$ 958 | $endif$ 959 | 960 | $if(first-chapter)$ 961 | \setcounter{chapter}{$first-chapter$} 962 | \addtocounter{chapter}{-1} 963 | $endif$ 964 | 965 | $for(include-before)$ 966 | $include-before$ 967 | 968 | $endfor$ 969 | $if(toc)$ 970 | $if(toc-title)$ 971 | \renewcommand*\contentsname{$toc-title$} 972 | $endif$ 973 | $if(beamer)$ 974 | \begin{frame}[allowframebreaks] 975 | $if(toc-title)$ 976 | \frametitle{$toc-title$} 977 | $endif$ 978 | \tableofcontents[hideallsubsections] 979 | \end{frame} 980 | $if(toc-own-page)$ 981 | \newpage 982 | $endif$ 983 | $else$ 984 | { 985 | $if(colorlinks)$ 986 | \hypersetup{linkcolor=$if(toccolor)$$toccolor$$else$$endif$} 987 | $endif$ 988 | \setcounter{tocdepth}{$toc-depth$} 989 | \tableofcontents 990 | $if(toc-own-page)$ 991 | \newpage 992 | $endif$ 993 | } 994 | $endif$ 995 | $endif$ 996 | $if(lof)$ 997 | \listoffigures 998 | $endif$ 999 | $if(lot)$ 1000 | \listoftables 1001 | $endif$ 1002 | $if(linestretch)$ 1003 | \setstretch{$linestretch$} 1004 | $endif$ 1005 | $if(has-frontmatter)$ 1006 | \mainmatter 1007 | $endif$ 1008 | $body$ 1009 | 1010 | $if(has-frontmatter)$ 1011 | \backmatter 1012 | $endif$ 1013 | $if(natbib)$ 1014 | $if(bibliography)$ 1015 | $if(biblio-title)$ 1016 | $if(has-chapters)$ 1017 | \renewcommand\bibname{$biblio-title$} 1018 | $else$ 1019 | \renewcommand\refname{$biblio-title$} 1020 | $endif$ 1021 | $endif$ 1022 | $if(beamer)$ 1023 | \begin{frame}[allowframebreaks]{$biblio-title$} 1024 | \bibliographytrue 1025 | $endif$ 1026 | \bibliography{$for(bibliography)$$bibliography$$sep$,$endfor$} 1027 | $if(beamer)$ 
1028 | \end{frame} 1029 | $endif$ 1030 | 1031 | $endif$ 1032 | $endif$ 1033 | $if(biblatex)$ 1034 | $if(beamer)$ 1035 | \begin{frame}[allowframebreaks]{$biblio-title$} 1036 | \bibliographytrue 1037 | \printbibliography[heading=none] 1038 | \end{frame} 1039 | $else$ 1040 | \printbibliography$if(biblio-title)$[title=$biblio-title$]$endif$ 1041 | $endif$ 1042 | 1043 | $endif$ 1044 | $for(include-after)$ 1045 | $include-after$ 1046 | 1047 | $endfor$ 1048 | \end{document} 1049 | -------------------------------------------------------------------------------- /0.1/templates/header-eisvogel.tex: -------------------------------------------------------------------------------- 1 | 2 | \hypersetup{colorlinks=false, 3 | allbordercolors={0 0 0}, 4 | pdfborderstyle={/S/U/W 1}} 5 | 6 | \newcommand*{\escape}[1]{\texttt{\textbackslash#1}} 7 | -------------------------------------------------------------------------------- /0.1/templates/reference.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/0.1/templates/reference.docx -------------------------------------------------------------------------------- /0.1/tools/cyclonedx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' CycloneDX converter class 4 | 5 | Converts the SCSVS JSON into CycloneDX Standards format 6 | Copyright (c) 2023 OWASP Foundation 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to 
do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in all 16 | copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | 26 | ''' 27 | 28 | import json 29 | from dicttoxml2 import dicttoxml 30 | import datetime 31 | import uuid 32 | try: 33 | from StringIO import StringIO 34 | except ImportError: 35 | from io import StringIO 36 | 37 | 38 | class CycloneDX: 39 | bom = {} 40 | bom['bomFormat'] = "CycloneDX" 41 | bom['specVersion'] = "1.6" 42 | bom['serialNumber'] = "urn:uuid:" + str(uuid.uuid4()) 43 | bom['version'] = 1 44 | bom['metadata'] = {} 45 | bom['metadata']['timestamp'] = datetime.datetime.now().astimezone().replace(microsecond=0).isoformat() 46 | bom['metadata']['licenses'] = [] 47 | bom['metadata']['licenses'].append({}) 48 | bom['metadata']['licenses'][0]['license'] = {} 49 | bom['metadata']['licenses'][0]['license']['id'] = "CC-BY-SA-4.0" 50 | bom['metadata']['licenses'][0]['license']['url'] = "https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt" 51 | bom['metadata']['supplier'] = {} 52 | bom['metadata']['supplier']['name'] = "OWASP Foundation" 53 | bom['metadata']['supplier']['url'] = ["https://owasp.org"] 54 | bom['declarations'] = {} 55 | bom['declarations']['standards'] = [] 56 | bom['declarations']['standards'].append({}) 57 | 58 | def __init__(self, scsvs_json_in): # Updated to use SCSVS 59 | self.scsvs = scsvs_json_in 60 | scsvs = json.loads(scsvs_json_in) 61 | bom_ref = 
scsvs["ShortName"] + "-" + scsvs["Version"] 62 | self.bom['declarations']['standards'][0]['bom-ref'] = bom_ref 63 | self.bom['declarations']['standards'][0]['name'] = \ 64 | scsvs["Name"].replace('Project', '') + "(" + scsvs["ShortName"] + ")" 65 | self.bom['declarations']['standards'][0]['version'] = scsvs["Version"] 66 | self.bom['declarations']['standards'][0]['description'] = scsvs["Description"] 67 | self.bom['declarations']['standards'][0]['owner'] = scsvs["Name"] 68 | 69 | requirements = [] 70 | l1_requirements = [] 71 | l2_requirements = [] 72 | l3_requirements = [] 73 | for scsvs_chapter in scsvs['Requirements']: 74 | chapter_req = self.convert_requirement(scsvs_chapter, None) 75 | requirements.append(chapter_req) 76 | if 'Items' in scsvs_chapter: 77 | for scsvs_section in scsvs_chapter['Items']: 78 | section_req = self.convert_requirement(scsvs_section, chapter_req['bom-ref']) 79 | requirements.append(section_req) 80 | for scsvs_requirement in scsvs_section['Items']: 81 | requirement = self.convert_requirement(scsvs_requirement, section_req['bom-ref']) 82 | requirements.append(requirement) 83 | if 'L1' in scsvs_requirement and 'Required' in scsvs_requirement['L1'] and scsvs_requirement['L1']['Required'] is True: 84 | l1_requirements.append(requirement['bom-ref']) 85 | if 'L2' in scsvs_requirement and 'Required' in scsvs_requirement['L2'] and scsvs_requirement['L2']['Required'] is True: 86 | l2_requirements.append(requirement['bom-ref']) 87 | if 'L3' in scsvs_requirement and 'Required' in scsvs_requirement['L3'] and scsvs_requirement['L3']['Required'] is True: 88 | l3_requirements.append(requirement['bom-ref']) 89 | 90 | self.bom['declarations']['standards'][0]['requirements'] = requirements 91 | 92 | self.bom['declarations']['standards'][0]['levels'] = [] 93 | self.bom['declarations']['standards'][0]['levels'].append({}) 94 | self.bom['declarations']['standards'][0]['levels'][0] = {} 95 | self.bom['declarations']['standards'][0]['levels'][0]['bom-ref'] = 
"level-1" 96 | self.bom['declarations']['standards'][0]['levels'][0]['identifier'] = "Level 1" 97 | self.bom['declarations']['standards'][0]['levels'][0]['description'] = "SCSVS Level 1 is for low assurance levels and is completely auditable." 98 | self.bom['declarations']['standards'][0]['levels'][0]['requirements'] = l1_requirements 99 | self.bom['declarations']['standards'][0]['levels'].append({}) 100 | self.bom['declarations']['standards'][0]['levels'][1] = {} 101 | self.bom['declarations']['standards'][0]['levels'][1]['bom-ref'] = "level-2" 102 | self.bom['declarations']['standards'][0]['levels'][1]['identifier'] = "Level 2" 103 | self.bom['declarations']['standards'][0]['levels'][1]['description'] = "SCSVS Level 2 is for applications that handle sensitive financial data and high-value contracts." 104 | self.bom['declarations']['standards'][0]['levels'][1]['requirements'] = l2_requirements 105 | self.bom['declarations']['standards'][0]['levels'].append({}) 106 | self.bom['declarations']['standards'][0]['levels'][2] = {} 107 | self.bom['declarations']['standards'][0]['levels'][2]['bom-ref'] = "level-3" 108 | self.bom['declarations']['standards'][0]['levels'][2]['identifier'] = "Level 3" 109 | self.bom['declarations']['standards'][0]['levels'][2]['description'] = "SCSVS Level 3 is for the most critical smart contracts - contracts that control large amounts of value, manage governance, or handle sensitive or mission-critical data." 
110 | self.bom['declarations']['standards'][0]['levels'][2]['requirements'] = l3_requirements 111 | 112 | self.bom['declarations']['standards'][0]['externalReferences'] = [] 113 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 114 | self.bom['declarations']['standards'][0]['externalReferences'][0]['type'] = 'website' 115 | self.bom['declarations']['standards'][0]['externalReferences'][0]['url'] = 'https://owasp.org/www-project-smart-contract-security-verification-standard/' # Updated URL 116 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 117 | self.bom['declarations']['standards'][0]['externalReferences'][1]['type'] = 'vcs' 118 | self.bom['declarations']['standards'][0]['externalReferences'][1]['url'] = 'https://github.com/OWASP/www-project-smart-contract-security-verification-standard' # Updated URL 119 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 120 | self.bom['declarations']['standards'][0]['externalReferences'][2]['type'] = 'issue-tracker' 121 | self.bom['declarations']['standards'][0]['externalReferences'][2]['url'] = 'https://github.com/OWASP/www-project-smart-contract-security-verification-standard/issues' # Updated URL 122 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 123 | self.bom['declarations']['standards'][0]['externalReferences'][3]['type'] = 'social' 124 | self.bom['declarations']['standards'][0]['externalReferences'][3]['url'] = 'https://twitter.com/OWASP-SCSVS' # Updated URL 125 | 126 | def convert_requirement(self, scsvs_requirement, parent): 127 | requirement = {} 128 | requirement['bom-ref'] = scsvs_requirement['Shortcode'] 129 | requirement['identifier'] = scsvs_requirement['Shortcode'] 130 | if 'ShortName' in scsvs_requirement and scsvs_requirement['ShortName'] != '': 131 | requirement['title'] = scsvs_requirement['ShortName'] 132 | if 'Name' in scsvs_requirement and scsvs_requirement['Name'] != '': 133 | requirement['title'] = 
scsvs_requirement['Name'] 134 | if 'Description' in scsvs_requirement and scsvs_requirement['Description'] != '': 135 | requirement['text'] = scsvs_requirement['Description'] 136 | if parent: 137 | requirement['parent'] = parent 138 | return requirement 139 | 140 | def to_json(self): 141 | ''' Returns a JSON-formatted string ''' 142 | return json.dumps(self.bom, indent=2, sort_keys=False, ensure_ascii=False).strip() 143 | -------------------------------------------------------------------------------- /0.1/tools/export.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | ''' Tool for converting the ASVS requirements to various formats. 4 | 5 | Usage: ./export.py [--format ] 6 | 7 | By Bernhard Mueller 8 | 9 | Copyright (c) 2017 OWASP Foundation 10 | 11 | Permission is hereby granted, free of charge, to any person obtaining a copy 12 | of this software and associated documentation files (the "Software"), to deal 13 | in the Software without restriction, including without limitation the rights 14 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 15 | copies of the Software, and to permit persons to whom the Software is 16 | furnished to do so, subject to the following conditions: 17 | 18 | The above copyright notice and this permission notice shall be included in all 19 | copies or substantial portions of the Software. 20 | 21 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 22 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 23 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 24 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 25 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 26 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 27 | SOFTWARE. 
28 | 29 | ''' 30 | 31 | import argparse 32 | from scsvs import SCSVS # Changed to SCSVS 33 | from cyclonedx import CycloneDX 34 | 35 | parser = argparse.ArgumentParser(description='Export the SCSVS requirements.') 36 | parser.add_argument('--format', choices=['json', 'json_flat', 'xml', 'csv', 'cdx_json'], default='json') 37 | parser.add_argument('--language', default='en') 38 | parser.add_argument('--verify-only', action='store_true', default=False) 39 | 40 | args = parser.parse_args() 41 | 42 | m = SCSVS(args.language) # Updated to use SCSVS 43 | 44 | if args.verify_only: 45 | if args.format == "csv": 46 | print(m.verify_csv(m.to_csv())) 47 | elif args.format == "xml": 48 | print(m.verify_xml(m.to_xml())) 49 | elif args.format == "json_flat": 50 | print(m.verify_json_flat(m.to_json_flat())) 51 | else: 52 | print(m.verify_json(m.to_json())) 53 | else: 54 | if args.format == "csv": 55 | print(m.to_csv()) 56 | elif args.format == "xml": 57 | print(m.to_xml()) 58 | elif args.format == "json_flat": 59 | print(m.to_json_flat()) 60 | elif args.format == "cdx_json": 61 | cdx = CycloneDX(m.to_json()) # Use SCSVS JSON for CycloneDX 62 | print(cdx.to_json()) 63 | else: 64 | print(m.to_json()) 65 | -------------------------------------------------------------------------------- /0.1/tools/generate_document.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "OWASP Markdown Conversion Tool" 4 | echo "" 5 | 6 | function command_exists () { 7 | command -v $1 >/dev/null 2>&1; 8 | } 9 | 10 | if ! command_exists pandoc; then 11 | echo "Error: Please install pandoc. Cannot continue" 12 | exit; 13 | fi 14 | 15 | generate_docx() { 16 | pandoc -s -f gfm --reference-doc=../templates/reference.docx --columns 10000 --toc -t docx -o "../docs_$1/OWASP Application Security Verification Standard $2-$1.docx" *.md 17 | echo " done." 
18 | echo -e "" 19 | echo -e "Note: If you got an error 'Invalid UTF-8 stream', make sure you are on the newest version of pandoc from the project website (not just the OS package repo)" 20 | echo -e "" 21 | echo -e "DOCX GENERATION MANUAL STEPS" 22 | echo -e "----------------------------" 23 | echo -e "After the docx file has been generated, do the following:" 24 | echo -e " - Select 'No' in the first prompt that appears" 25 | echo -e " - Move the 'Table of Contents' section to be just before the 'Frontispiece' section." 26 | echo -e " - Select the document heading (one of the first lines in the documrnt) which should say: 'OWASP Application" 27 | echo -e " Security Verification Standard $2', go to 'Paragraph' > 'Line and Page Breaks' and" 28 | echo -e " deselect 'Page break before'" 29 | echo -e " - Go to 'File' > 'Info' and set the 'Title' field to be 'OWASP Application Security Verification Standard $2'" 30 | echo -e " - Run the following VBA macro to fix Table settings:" 31 | echo -e " " 32 | echo -e " Dim tbl As Table" 33 | echo -e " For Each tbl In ActiveDocument.Tables" 34 | echo -e " tbl.Rows(1).HeadingFormat = True" 35 | echo -e " tbl.Rows.AllowBreakAcrossPages = False" 36 | echo -e " Next tbl" 37 | echo -e " " 38 | echo -e " - Manually review the document and move any orphaned table headings or section headings to the" 39 | echo -e " following page" 40 | echo -e " - Run 'Update table...' on the Table of Contents" 41 | echo -e " - Remove the lines above 'Frontispiece' from the Table of Contents" 42 | } 43 | 44 | # generate_html() { 45 | # pandoc -s -f markdown_github -t html5 -o "../OWASP Application Security Verification Standard 4.0-$1.html" *.md 46 | # } 47 | 48 | lang="en" 49 | vers="4.0" 50 | 51 | if [ -z "$1" ] 52 | then 53 | lang="en" 54 | else 55 | lang=$1 56 | fi 57 | 58 | if [ -z "$2" ] 59 | then 60 | vers="4.0" 61 | else 62 | vers=$2 63 | fi 64 | 65 | echo -n "Generating OWASP ASVS $vers ($lang)..." 
66 | if [ -d "$lang" ]; 67 | then 68 | cd "$lang" 69 | generate_docx $lang $vers 70 | # generate_html $lang 71 | cd .. 72 | 73 | else 74 | echo " No OWASP ASVS found in directory $lang" 75 | fi 76 | 77 | 78 | echo 79 | echo "Generated OWASP Application Security Verification Standard $vers" 80 | -------------------------------------------------------------------------------- /0.1/tools/install_deps.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | sudo apt install pandoc -y 3 | sudo apt install python3 -y 4 | sudo apt install python3-pip -y 5 | pip install dicttoxml 6 | pip install dicttoxml2 -------------------------------------------------------------------------------- /0.1/tools/scsvs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' CycloneDX converter class 4 | 5 | Converts the SCSVS JSON into CycloneDX Standards format 6 | Copyright (c) 2023 OWASP Foundation 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in all 16 | copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 | SOFTWARE. 25 | 26 | ''' 27 | 28 | import json 29 | from dicttoxml2 import dicttoxml 30 | import datetime 31 | import uuid 32 | try: 33 | from StringIO import StringIO 34 | except ImportError: 35 | from io import StringIO 36 | 37 | 38 | class CycloneDX: 39 | bom = {} 40 | bom['bomFormat'] = "CycloneDX" 41 | bom['specVersion'] = "1.6" 42 | bom['serialNumber'] = "urn:uuid:" + str(uuid.uuid4()) 43 | bom['version'] = 1 44 | bom['metadata'] = {} 45 | bom['metadata']['timestamp'] = datetime.datetime.now().astimezone().replace(microsecond=0).isoformat() 46 | bom['metadata']['licenses'] = [] 47 | bom['metadata']['licenses'].append({}) 48 | bom['metadata']['licenses'][0]['license'] = {} 49 | bom['metadata']['licenses'][0]['license']['id'] = "CC-BY-SA-4.0" 50 | bom['metadata']['licenses'][0]['license']['url'] = "https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt" 51 | bom['metadata']['supplier'] = {} 52 | bom['metadata']['supplier']['name'] = "OWASP Foundation" 53 | bom['metadata']['supplier']['url'] = [ "https://owasp.org" ] 54 | bom['declarations'] = {} 55 | bom['declarations']['standards'] = [] 56 | bom['declarations']['standards'].append({}) 57 | 58 | def __init__(self, scsvs_json_in): 59 | self.scsvs = scsvs_json_in 60 | scsvs = json.loads(scsvs_json_in) 61 | bom_ref = scsvs["ShortName"] + "-" + scsvs["Version"] 62 | self.bom['declarations']['standards'][0]['bom-ref'] = bom_ref 63 | self.bom['declarations']['standards'][0]['name'] = \ 64 | scsvs["Name"].replace('Project', '') + "(" + scsvs["ShortName"] + ")" 65 | self.bom['declarations']['standards'][0]['version'] = scsvs["Version"] 66 | self.bom['declarations']['standards'][0]['description'] = scsvs["Description"] 67 | 
self.bom['declarations']['standards'][0]['owner'] = scsvs["Name"] 68 | 69 | requirements = [] 70 | l1_requirements = [] 71 | l2_requirements = [] 72 | l3_requirements = [] 73 | for scsvs_chapter in scsvs['Requirements']: 74 | chapter_req = self.convert_requirement(scsvs_chapter, None) 75 | requirements.append(chapter_req) 76 | if 'Items' in scsvs_chapter: 77 | for scsvs_section in scsvs_chapter['Items']: 78 | section_req = self.convert_requirement(scsvs_section, chapter_req['bom-ref']) 79 | requirements.append(section_req) 80 | for scsvs_requirement in scsvs_section['Items']: 81 | requirement = self.convert_requirement(scsvs_requirement, section_req['bom-ref']) 82 | requirements.append(requirement) 83 | if 'L1' in scsvs_requirement and 'Required' in scsvs_requirement['L1'] and scsvs_requirement['L1']['Required'] is True: 84 | l1_requirements.append(requirement['bom-ref']) 85 | if 'L2' in scsvs_requirement and 'Required' in scsvs_requirement['L2'] and scsvs_requirement['L2']['Required'] is True: 86 | l2_requirements.append(requirement['bom-ref']) 87 | if 'L3' in scsvs_requirement and 'Required' in scsvs_requirement['L3'] and scsvs_requirement['L3']['Required'] is True: 88 | l3_requirements.append(requirement['bom-ref']) 89 | 90 | self.bom['declarations']['standards'][0]['requirements'] = requirements 91 | 92 | self.bom['declarations']['standards'][0]['levels'] = [] 93 | self.bom['declarations']['standards'][0]['levels'].append({}) 94 | self.bom['declarations']['standards'][0]['levels'][0] = {} 95 | self.bom['declarations']['standards'][0]['levels'][0]['bom-ref'] = "level-1" 96 | self.bom['declarations']['standards'][0]['levels'][0]['identifier'] = "Level 1" 97 | self.bom['declarations']['standards'][0]['levels'][0]['description'] = "SCSVS Level 1 is for low assurance levels, and is completely auditable." 
98 | self.bom['declarations']['standards'][0]['levels'][0]['requirements'] = l1_requirements 99 | self.bom['declarations']['standards'][0]['levels'].append({}) 100 | self.bom['declarations']['standards'][0]['levels'][1] = {} 101 | self.bom['declarations']['standards'][0]['levels'][1]['bom-ref'] = "level-2" 102 | self.bom['declarations']['standards'][0]['levels'][1]['identifier'] = "Level 2" 103 | self.bom['declarations']['standards'][0]['levels'][1]['description'] = "SCSVS Level 2 is for applications that handle sensitive financial data and high-value contracts." 104 | self.bom['declarations']['standards'][0]['levels'][1]['requirements'] = l2_requirements 105 | self.bom['declarations']['standards'][0]['levels'].append({}) 106 | self.bom['declarations']['standards'][0]['levels'][2] = {} 107 | self.bom['declarations']['standards'][0]['levels'][2]['bom-ref'] = "level-3" 108 | self.bom['declarations']['standards'][0]['levels'][2]['identifier'] = "Level 3" 109 | self.bom['declarations']['standards'][0]['levels'][2]['description'] = "SCSVS Level 3 is for the most critical smart contracts - contracts that control large amounts of value, manage governance, or handle sensitive or mission-critical data." 
110 | self.bom['declarations']['standards'][0]['levels'][2]['requirements'] = l3_requirements 111 | 112 | self.bom['declarations']['standards'][0]['externalReferences'] = [] 113 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 114 | self.bom['declarations']['standards'][0]['externalReferences'][0]['type'] = 'website' 115 | self.bom['declarations']['standards'][0]['externalReferences'][0]['url'] = 'https://owasp.org/www-project-smart-contract-security-verification-standard/' 116 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 117 | self.bom['declarations']['standards'][0]['externalReferences'][1]['type'] = 'vcs' 118 | self.bom['declarations']['standards'][0]['externalReferences'][1]['url'] = 'https://github.com/OWASP/www-project-smart-contract-security-verification-standard' 119 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 120 | self.bom['declarations']['standards'][0]['externalReferences'][2]['type'] = 'issue-tracker' 121 | self.bom['declarations']['standards'][0]['externalReferences'][2]['url'] = 'https://github.com/OWASP/www-project-smart-contract-security-verification-standard/issues' 122 | self.bom['declarations']['standards'][0]['externalReferences'].append({}) 123 | self.bom['declarations']['standards'][0]['externalReferences'][3]['type'] = 'social' 124 | self.bom['declarations']['standards'][0]['externalReferences'][3]['url'] = 'https://twitter.com/OWASP-SCSVS' 125 | 126 | def convert_requirement(self, scsvs_requirement, parent): 127 | requirement = {} 128 | requirement['bom-ref'] = scsvs_requirement['Shortcode'] 129 | requirement['identifier'] = scsvs_requirement['Shortcode'] 130 | if 'ShortName' in scsvs_requirement and scsvs_requirement['ShortName'] != '': 131 | requirement['title'] = scsvs_requirement['ShortName'] 132 | if 'Name' in scsvs_requirement and scsvs_requirement['Name'] != '': 133 | requirement['title'] = scsvs_requirement['Name'] 134 | if 'Description' in 
scsvs_requirement and 135 | -------------------------------------------------------------------------------- /404.html: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: 404 - Not Found 4 | layout: col-generic 5 | 6 | --- 7 | 8 |


WHOA THAT PAGE CANNOT BE FOUND


Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.


If all else fails, you can search our historical site.

16 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to an OWASP project. We welcome all contributions and appreciate your efforts to improve our projects. 4 | 5 | ## Getting Started 6 | 7 | To get started with contributing to any OWASP project, please follow these steps: 8 | 9 | 1. [Join](http://owasp.org/slack/invite) the [OWASP Slack workspace](https://owasp.slack.com) to connect with the OWASP community and get help with any questions you may have. 10 | 11 | 2. Review the [OWASP Projects](https://owasp.org/projects/) page to browse the list of OWASP projects and find a project that aligns with your interests and skills. 12 | 13 | 3. Visit the project's individual page and repository to familiarize yourself with the project goals and objectives. 14 | 15 | 4. Fork the repository and clone it to your local machine. 16 | 17 | 5. Install any necessary dependencies and set up your development environment. 18 | 19 | 6. Make your changes and test them locally to ensure they work as expected. 20 | 21 | 7. Submit a pull request with your changes. 22 | 23 | ## Pull Request Guidelines 24 | 25 | Before submitting a pull request, please make sure: 26 | 27 | 1. Your changes are consistent with the project's goals and objectives. 28 | 29 | 2. Your changes are well-documented and follow the project's coding standards. 30 | 31 | 3. Your changes do not introduce new bugs or break existing functionality. 32 | 33 | 4. Your changes are accompanied by tests, if applicable. 34 | 35 | 5. Your pull request includes a clear and concise description of the changes you have made. 36 | 37 | ## Code of Conduct 38 | 39 | We ask that all contributors to OWASP projects abide by our [Code of Conduct](https://owasp.org/www-policy/operational/code-of-conduct). 
This code outlines our expectations for behavior within the project community and helps us maintain a welcoming and inclusive environment for all contributors. 40 | 41 | Thank you for your interest in contributing to an OWASP project. We appreciate your efforts to help us improve and grow our projects. 42 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | group :jekyll_plugins do 3 | gem "github-pages" 4 | end -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # Attribution-ShareAlike 4.0 International 2 | 3 | // SPDX-License-Identifier: CC-BY-SA-4.0 4 | 5 | Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. 6 | 7 | ## Using Creative Commons Public Licenses 8 | 9 | Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. 
10 | 11 | - **Considerations for licensors:** Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors). 12 | 13 | - **Considerations for the public:** By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees). 
14 | 15 | ## Creative Commons Attribution-ShareAlike 4.0 International Public License 16 | 17 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 18 | 19 | ### Section 1 – Definitions 20 | 21 | a. **Adapted Material** means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 22 | 23 | b. **Adapter's License** means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 24 | 25 | c. **BY-SA Compatible License** means a license listed at [creativecommons.org/compatiblelicenses](http://creativecommons.org/compatiblelicenses), approved by Creative Commons as essentially the equivalent of this Public License. 26 | 27 | d. **Copyright and Similar Rights** means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. 
For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 28 | 29 | e. **Effective Technological Measures** means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 30 | 31 | f. **Exceptions and Limitations** means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 32 | 33 | g. **License Elements** means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike. 34 | 35 | h. **Licensed Material** means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 36 | 37 | i. **Licensed Rights** means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 38 | 39 | j. **Licensor** means the individual(s) or entity(ies) granting rights under this Public License. 40 | 41 | k. **Share** means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 42 | 43 | l. 
**Sui Generis Database Rights** means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 44 | 45 | m. **You** means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning. 46 | 47 | ### Section 2 – Scope 48 | 49 | a. _**License grant.**_ 50 | 51 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 52 | 53 | A. reproduce and Share the Licensed Material, in whole or in part; and 54 | 55 | B. produce, reproduce, and Share Adapted Material. 56 | 57 | 2. **Exceptions and Limitations.** For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 58 | 59 | 3. **Term.** The term of this Public License is specified in Section 6(a). 60 | 61 | 4. **Media and formats; technical modifications allowed.** The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 62 | 63 | 5. **Downstream recipients.** 64 | 65 | A. 
**Offer from the Licensor – Licensed Material.** Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 66 | 67 | B. **Additional offer from the Licensor – Adapted Material.** Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply. 68 | 69 | C. **No downstream restrictions.** You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 70 | 71 | 6. **No endorsement.** Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i). 72 | 73 | b. _**Other rights.**_ 74 | 75 | 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise. 76 | 77 | 2. Patent and trademark rights are not licensed under this Public License. 78 | 79 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. 
In all other cases the Licensor expressly reserves any right to collect such royalties. 80 | 81 | ### Section 3 – License Conditions 82 | 83 | Your exercise of the Licensed Rights is expressly made subject to the following conditions. 84 | 85 | a. _**Attribution.**_ 86 | 87 | 1. If You Share the Licensed Material (including in modified form), You must: 88 | 89 | A. retain the following if it is supplied by the Licensor with the Licensed Material: 90 | 91 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated); 92 | 93 | ii. a copyright notice; 94 | 95 | iii. a notice that refers to this Public License; 96 | 97 | iv. a notice that refers to the disclaimer of warranties; 98 | 99 | v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable; 100 | 101 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and 102 | 103 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License. 104 | 105 | 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information. 106 | 107 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable. 108 | 109 | b. _**ShareAlike.**_ 110 | 111 | In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply. 112 | 113 | 1. 
The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License. 114 | 115 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material. 116 | 117 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply. 118 | 119 | ### Section 4 – Sui Generis Database Rights 120 | 121 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material: 122 | 123 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database; 124 | 125 | b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and 126 | 127 | c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database. 128 | 129 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights. 130 | 131 | ### Section 5 – Disclaimer of Warranties and Limitation of Liability 132 | 133 | a. 
**Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.** 134 | 135 | b. **To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.** 136 | 137 | c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability. 138 | 139 | ### Section 6 – Term and Termination 140 | 141 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically. 142 | 143 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates: 144 | 145 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or 146 | 147 | 2. 
upon express reinstatement by the Licensor. 148 | 149 | For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License. 150 | 151 | c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License. 152 | 153 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. 154 | 155 | ### Section 7 – Other Terms and Conditions 156 | 157 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed. 158 | 159 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License. 160 | 161 | ### Section 8 – Interpretation 162 | 163 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License. 164 | 165 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions. 166 | 167 | c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor. 168 | 169 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority. 
170 | 171 | > Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” The text of the Creative Commons public licenses is dedicated to the public domain under the [CC0 Public Domain Dedication](https://creativecommons.org/publicdomain/zero/1.0/legalcode). Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses. 172 | > 173 | > Creative Commons may be contacted at creativecommons.org. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OWASP Smart Contract Security Verification Standard 2 | 3 | 4 | 5 | [![OWASP Incubator](https://img.shields.io/badge/owasp-incubator-blue.svg)](https://owasp.org/owasp-scsvs) 6 | [![Creative Commons License](https://img.shields.io/badge/License-CC%20BY--SA%204.0-orange.svg)](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0") 7 | 8 | ## Introduction 9 | 10 | The primary aim of the OWASP Smart Contract Security Verification Standard (SCSVS) Project is to provide an open security standard for designing, building, and testing secure smart contracts. 
11 | 12 | The standard offers guidelines that address the specific security risks and concerns related to smart contracts, decentralized applications (dApps), and EVM-based blockchain systems, focusing on the core principles of security in smart contract development. 13 | 14 | We gratefully recognize the organizations that have supported the project either through significant time provision or financially on our "[Supporter](https://github.com/OWASP/owasp-scsvs/blob/main/SUPPORTERS.md)" page! 15 | 16 | **Please [log issues](https://github.com/OWASP/owasp-scsvs/issues) if you find any bugs or if you have ideas. We may subsequently ask you to [open a pull request](https://github.com/OWASP/owasp-scsvs/pulls) based on the discussion in the issue.** 17 | 18 | ## Initial Draft Version - 0.0.1 19 | 20 | The latest stable version is version 0.0.1 (dated September 2024), which can be found here: 21 | 22 | * [OWASP Smart Contract Security Verification Standard 0.0.1 English (PDF)](https://github.com/OWASP/owasp-scsvs/releases/download/v0.0.1/OWASP_Smart_Contract_Security_Verification_Standard-0.0.1_en.pdf) 23 | 24 | The master branch of this repository will always be the "bleeding edge version," which may have in-progress changes or other edits open. 25 | 26 | ## Standard Objectives 27 | 28 | The requirements were developed with the following objectives in mind: 29 | 30 | 1. **Develop and Refine Security Guidelines**: Consolidate general security practices into a comprehensive set of guidelines for smart contract developers and security professionals. 31 | 2. **Address Unique Security Challenges of Smart Contracts**: Focus specifically on vulnerabilities, such as reentrancy, overflows/underflows, gas optimization, and economic attacks. 32 | 3. **Guide Development Teams in Secure Practices**: Provide detailed guidance to developers for implementing secure coding practices in smart contract development. 33 | 4. 
**Assist Security Teams in Audits and Penetration Testing**: Offer methodologies for effective smart contract audits and penetration testing, including blockchain data integrity, access control, and business logic. 34 | 5. **Establish and Update Security Benchmarks**: Create and regularly update security benchmarks to reflect the evolving nature of blockchain ecosystems and smart contract security. 35 | 6. **Promote Best Practices in Smart Contract Security**: Encourage the adoption of best practices, such as defensive coding, formal verification, and test-driven development, to secure smart contract environments. 36 | 7. **Align Security Expectations Among Stakeholders**: Establish a common understanding of security expectations for developers, auditors, blockchain platforms, and decentralized finance (DeFi) users. 37 | 38 | ## License 39 | 40 | The entire project content is under the **[Creative Commons Attribution-Share Alike v4.0](LICENSE.md)** license. 41 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Reporting Issues 2 | To report a security issue, contact the project leaders listed on the project webpage. -------------------------------------------------------------------------------- /SUPPORTERS.md: -------------------------------------------------------------------------------- 1 | # Supporters 2 | 3 | ## Major Supporters and Sponsors 4 | 5 | This initiative would not have been possible without the support of our sponsors and the resources they have provided. We would like to express our gratitude to the following for their support. 6 | 7 | ### CredShields 8 | 9 |
10 | CredShields Logo 11 | CredShields Logo 12 | SolidityScan Logo 13 | CredShields Logo 14 |
15 | 16 | The OWASP SCSVS project was initiated to share the knowledge gained from the CredShields Security Team's research into Smart Contract security while developing [**SolidityScan.com**](https://solidityscan.com), an AI-powered vulnerability scanner for Smart Contracts. We extend our gratitude to [**CredShields**](https://credshields.com) for their efforts in defining the initial requirements and founding this project. 17 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | remote_theme: "owasp/www--site-theme@main" 2 | plugins: 3 | - jekyll-include-cache-0.2.0 -------------------------------------------------------------------------------- /assets/images/Credshields_logo_w.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/assets/images/Credshields_logo_w.png -------------------------------------------------------------------------------- /assets/images/README.md: -------------------------------------------------------------------------------- 1 | # placeholder 2 | 3 | Put images you wish to link to in this folder 4 | 5 | link would be in form /assets/images/ 6 | -------------------------------------------------------------------------------- /assets/images/credshields-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/assets/images/credshields-logo.png -------------------------------------------------------------------------------- /assets/images/scsvs-banner.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/assets/images/scsvs-banner.png -------------------------------------------------------------------------------- /assets/images/solidityscan-black-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/assets/images/solidityscan-black-logo.png -------------------------------------------------------------------------------- /assets/images/solidityscan-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-smart-contract-security-verification-standard/685dc80fda380ff11cc8f473e9472f24e4b6d043/assets/images/solidityscan-logo.png -------------------------------------------------------------------------------- /compiling.md: -------------------------------------------------------------------------------- 1 | # Document Builder 2 | 3 | **Note - this method is still in testing!** 4 | 5 | ## Document Compilation Instructions 6 | 7 | 1. Install Docker on your computer (see instructions for different architectures [in the Docker docs](https://docs.docker.com/engine/install/)). 8 | 2. Build the Docker image: `docker build ./docker -t scsvs-builder`. 9 | 3. Change directory to the target version. E.g., `cd 0.1`. 10 | 4. Optionally perform a clean with `docker run -it --rm -v "$(pwd):/data" scsvs-builder clean`. 11 | 5. Build the PDF with `docker run -it --rm -v "$(pwd):/data" scsvs-builder pdf`. 12 | 6. The PDF will be located within the `TARGET_VERSION/dist` directory. 
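-------------------------------------------------------------------------------- /docker/Dockerfile: --------------------------------------------------------------------------------
# Build image for the SCSVS document pipeline: pandoc + TinyTeX + Adobe Source fonts,
# with `make` as the entrypoint (see compiling.md for the docker build / run commands).
#
# Build args:
#   WITH_CERT=yes CERT_FILE=<ca-file-in-build-context>   trust a custom/corporate CA
#   PANDOC_VERSION / PANDOC_SHA256                        pandoc release; checksum check is
#                                                         enabled only when the sha is given
#   LUA_FILTERS_URL                                       pin the pandoc lua-filters release
ARG CERT_FILE=none
ARG WITH_CERT=no

# First stage, start from alpine
FROM alpine:3 AS base
# DEBIAN_FRONTEND is an apt/debconf setting and has no effect on apk; kept for compatibility
ENV DEBIAN_FRONTEND=noninteractive

# --no-cache installs without leaving an apk index behind
# (same result as --update followed by rm -rf /var/cache/apk/*)
RUN apk add --no-cache \
    alpine-sdk \
    fontconfig \
    font-noto-cjk \
    freetype \
    lua5.3 \
    perl \
    bash \
    python3 \
    libressl-dev \
    pipx \
    curl \
    gnupg \
    unzip \
    py3-certifi

# bash is installed above: run every later RUN with pipefail so a failing curl inside a
# pipeline (curl ... | grep, curl ... | sed) fails the build instead of being masked
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Dockerfiles have no "if", so an intermediate stage is selected by name (base_${WITH_CERT}).
# The "yes" stage sets up the environment variables and copies custom CA authorities into
# the container. Helpful within a corporate environment with an intercepting proxy, like e.g. Zscaler.

FROM base AS base_yes
# ARGs declared before the first FROM are not visible inside a stage unless re-declared;
# without this line CERT_FILE expands to nothing and every *_BUNDLE path below is just "/".
ARG CERT_FILE
ENV SSL_CERT_DIR=/usr/local/share/ca-certificates
# CERT_FILE must name a CA certificate inside the build context; COPY fails loudly otherwise
COPY ${CERT_FILE} $SSL_CERT_DIR/
RUN update-ca-certificates
# define environment variables: *_DIR / *_CAPATH take the directory, *_BUNDLE / *_CAINFO the file
ENV HTTPS_CA_DIR=$SSL_CERT_DIR
ENV REQUESTS_CA_BUNDLE=$SSL_CERT_DIR/$CERT_FILE
ENV GIT_SSL_CAPATH=$SSL_CERT_DIR
ENV GIT_SSL_CAINFO=$REQUESTS_CA_BUNDLE
ENV CURL_CA_BUNDLE=$REQUESTS_CA_BUNDLE

FROM base AS base_no

# Install opentype fonts
FROM base_${WITH_CERT} AS font_base

WORKDIR /fonts
ENV DEBIAN_FRONTEND=noninteractive

# download fonts: the newest non-variable release archive of each Adobe font is scraped from
# the GitHub tags page. Every step is chained so that a missing tag, a failed download
# (curl -f turns HTTP errors into failures) or a broken archive aborts the build instead of
# being skipped; `sort | tail` replaces `sort -r | head` so no producer is killed early under pipefail.
RUN for font in source-sans source-serif source-code-pro; do \
        tag_path=$(curl -fsL "https://github.com/adobe-fonts/${font}/tags" | \
            grep -o "/archive/refs/tags/.*\.zip" | grep -v 'variable' | sort | tail -n 1 | tr -d '\n'); \
        [ -n "${tag_path}" ] || { echo "no release archive found for ${font}" >&2; exit 1; }; \
        git_tarball_url="https://www.github.com/adobe-fonts/${font}${tag_path}"; \
        echo "DOWNLOADING FROM: ${git_tarball_url}"; \
        curl -fL --retry 5 "${git_tarball_url}" --output "${font}.zip" && \
        unzip "${font}.zip" || exit 1; \
    done
RUN mkdir adobe-fonts
# `find -exec` succeeds even when nothing matched, so check the result explicitly
# (the previous `|| return 1` is invalid outside a shell function and never failed the build)
RUN find "$PWD" -name "*.ttf" -exec install -m644 {} adobe-fonts/ \; \
    && [ -n "$(ls -A adobe-fonts)" ]
RUN rm -rf "$PWD"/source*

FROM base_${WITH_CERT} AS pandoc_base

# the venv's executables live in its bin/ directory
# NOTE(review): the venv is created under /root before `USER pandoc` switches to an
# unprivileged user — confirm the make targets that need dicttoxml2 can actually reach it.
ENV PATH=/root/.py-env/bin:$PATH
RUN python3 -m venv /root/.py-env --system-site-packages
RUN /root/.py-env/bin/pip install --upgrade pip
RUN /root/.py-env/bin/pip install dicttoxml2 setuptools==69.0.3

# install Pandoc
RUN adduser -s /bin/bash -g "pandoc" -D pandoc

# pinned pandoc release; PANDOC_SHA256 (empty by default) enables an integrity check of the
# downloaded tarball against the checksum published with the release
ARG PANDOC_VERSION=2.19.2
ARG PANDOC_SHA256=""
RUN curl -fL --retry 5 --output /tmp/pandoc.tar.gz \
        "https://github.com/jgm/pandoc/releases/download/${PANDOC_VERSION}/pandoc-${PANDOC_VERSION}-linux-amd64.tar.gz" \
    && if [ -n "${PANDOC_SHA256}" ]; then echo "${PANDOC_SHA256}  /tmp/pandoc.tar.gz" | sha256sum -c -; fi \
    && tar xvzf /tmp/pandoc.tar.gz --strip-components 1 -C /usr/local/ \
    && rm /tmp/pandoc.tar.gz

# verify pandoc installed correctly
RUN pandoc --version

# install as pandoc
USER pandoc

# setup workdir
WORKDIR /home/pandoc

# Install Lua Filters for pandoc. LUA_FILTERS_URL defaults to the floating "latest" release;
# override it with a tagged release URL for a reproducible build.
ARG LUA_FILTERS_URL=https://github.com/pandoc/lua-filters/releases/latest/download/lua-filters.tar.gz
RUN curl -fL --retry 5 --output /tmp/lua-filters.tar.gz "${LUA_FILTERS_URL}" \
    && mkdir /home/pandoc/.pandoc \
    && tar xzf /tmp/lua-filters.tar.gz --strip-components=1 --one-top-level=/home/pandoc/.pandoc/ \
    && rm /tmp/lua-filters.tar.gz

FROM pandoc_base AS tinytex_base

# Install tinyTex
# setup path
ENV PATH=/home/pandoc/.TinyTeX/bin/x86_64-linuxmusl/:$PATH
ENV TINY_TEX_VERSION=v0.45
# The upstream installer is fetched from a pinned tag and rewritten to use curl instead of
# wget (not installed here); curl -f makes a failed download abort instead of leaving an empty script.
RUN curl -fL "https://raw.githubusercontent.com/rstudio/tinytex/${TINY_TEX_VERSION}/tools/install-bin-unix.sh" | sed -e 's/wget -qO-/curl -sL/' -e "s#\(sh -s\)#sed 's/wget/curl -LO/' | \1#" -e 's/retry-connrefused/tries 20/' > "install-unx.sh" \
    && chmod +x install-unx.sh
# CTAN mirrors are flaky: retry up to five times, but fail the build if every attempt fails.
# (A bare `... && break || sleep 15` loop ends with sleep's zero status and hides the failure.)
RUN ok=; for i in 1 2 3 4 5; do bash -c "./install-unx.sh" && ok=1 && break; sleep 15; done; \
    [ -n "$ok" ] && rm install-unx.sh

FROM tinytex_base AS latex_base

# add tlmgr to path
RUN /home/pandoc/.TinyTeX/bin/*/tlmgr path add

# verify tlmgr version and add packages needed to build the documents
RUN tlmgr --version
# same retry-then-verify pattern as the installer above
RUN ok=; for i in 1 2 3 4 5; do tlmgr update --self && ok=1 && break; sleep 15; done; [ -n "$ok" ]
# (adjustbox, pagecolor and titling were listed twice; each package appears once now)
RUN ok=; for i in 1 2 3 4 5; do tlmgr install \
        xecjk \
        ctex \
        fancyhdr \
        ragged2e \
        koma-script \
        setspace \
        colortbl \
        footnotebackref \
        polyglossia \
        pagecolor \
        csquotes \
        caption \
        mdframed \
        needspace \
        titling \
        bookmark \
        newunicodechar \
        adjustbox \
        collectbox \
        listings \
        background \
        bidi \
        everypage \
        footmisc \
        fvextra \
        ly1 \
        mweights \
        ucharcat \
        ulem \
        upquote \
        xurl \
        zref && ok=1 && break; sleep 15; done; [ -n "$ok" ]

FROM latex_base AS work_layer
# copy fonts from font_base (needs root to write under /usr/share)
USER root
COPY --from=font_base /fonts/adobe-fonts /usr/share/fonts/opentype/adobe-fonts
RUN fc-cache -f -v "/usr/share/fonts/opentype/adobe-fonts"
# drop back to the unprivileged pandoc user for everything that runs from this image
USER pandoc

RUN tlmgr info --list

# setup the working dir for running make and creating the files
WORKDIR /data
VOLUME /data

# setup default action
ENTRYPOINT ["make"]
-------------------------------------------------------------------------------- /index.md: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | layout: col-sidebar 4 | title: OWASP Smart Contract Security Verification Standard 5 | tags: smart-contract builders defenders 6 | level: 2 7 | type: documentation 8 | pitch: The standard provides a basis for designing, building, and testing robust Smart Contracts 9 | headerimage: ./assets/images/scsvs-banner.png 10 | --- 11 | 12 | [![OWASP 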
Incubator](https://img.shields.io/badge/owasp-incubator-blue.svg)](https://owasp.org/www-project-smart-contract-security-verification-standard) 13 | [![Creative Commons License](https://img.shields.io/badge/License-CC%20BY--SA%204.0-orange.svg)](https://creativecommons.org/licenses/by-sa/4.0/ "CC BY-SA 4.0") 14 | 15 | ## Introduction 16 | 17 | The primary aim of the OWASP Smart Contract Security Verification Standard (SCSVS) Project is to provide an open security standard for designing, building, and testing secure smart contracts. 18 | 19 | The standard offers guidelines that address the specific security risks and concerns related to smart contracts, decentralized applications (dApps) and EVM-based blockchain systems, focusing on the core principles of security in smart contract development. 20 | 21 | Initial Draft Version - 0.0.1 22 | 23 | The latest stable version is version 0.0.1 (dated September 2024), which can be found: 24 | 25 | * [OWASP Smart Contract Security Verification Standard 0.0.1 English (PDF)](https://github.com/OWASP/www-project-smart-contract-security-verification-standard/releases/download/v0.0.1/OWASP_Smart_Contract_Security_Verification_Standard-0.0.1_en.pdf) 26 | 27 | The master branch of this repository will always be the "bleeding edge version," which may have in-progress changes or other edits open. 28 | 29 | We gratefully recognize the organizations that have supported the project either through significant time provision or financially on our "[Supporters](https://github.com/OWASP/www-project-smart-contract-security-verification-standard/blob/main/SUPPORTERS.md)" page! 30 | 31 | ## Standard Objectives 32 | 33 | The requirements were developed with the following objectives in mind: 34 | 35 | 1. **Develop and Refine Security Guidelines**: Consolidate general security practices into a comprehensive set of guidelines for smart contract developers and security professionals. 36 | 2. 
**Address Unique Security Challenges of Smart Contracts**: Focus specifically on vulnerabilities, such as reentrancy, overflows/underflows, gas optimization, and economic attacks. 37 | 3. **Guide Development Teams in Secure Practices**: Provide detailed guidance to developers for implementing secure coding practices in smart contract development. 38 | 4. **Assist Security Teams in Audits and Penetration Testing**: Offer methodologies for effective smart contract audits and penetration testing, including blockchain data integrity, access control, and business logic. 39 | 5. **Establish and Update Security Benchmarks**: Create and regularly update security benchmarks to reflect the evolving nature of blockchain ecosystems and smart contract security. 40 | 6. **Promote Best Practices in Smart Contract Security**: Encourage the adoption of best practices, such as defensive coding, formal verification, and test-driven development, to secure smart contract environments. 41 | 7. **Align Security Expectations Among Stakeholders**: Establish a common understanding of security expectations for developers, auditors, blockchain platforms, and decentralized finance (DeFi) users. 
42 | 43 | --- 44 | -------------------------------------------------------------------------------- /info.md: -------------------------------------------------------------------------------- 1 | ### OWASP Smart Contract Security Verification Standard Information 2 | 3 | * Incubator Project 4 | 5 | ### Classification 6 | 7 | * Documentation 8 | 9 | ### Audience 10 | 11 | * Builder 12 | * Breaker 13 | * Defender 14 | 15 | ### Downloads or Social Links 16 | 17 | * [Download](https://github.com/OWASP/owasp-scsvs/releases/tag/v0.0.1) 18 | * [Join OWASP Group Slack](https://owasp.org/slack/invite) 19 | * [Join #owasp-scs](https://owasp.slack.com/archives/C07MNDE6TPZ) 20 | 21 | 22 | ### Code Repository 23 | 24 | * [Repo](https://github.com/OWASP/owasp-scsvs) 25 | 26 | ### Change Log 27 | 28 | * [Changes](https://github.com/OWASP/owasp-scsvs/releases/tag/v0.0.1) 29 | -------------------------------------------------------------------------------- /leaders.md: -------------------------------------------------------------------------------- 1 | ### Leaders 2 | * [Shashank](mailto:shashank@owasp.org) 3 | -------------------------------------------------------------------------------- /release.md: -------------------------------------------------------------------------------- 1 | --- 2 | layout: col-sidebar 3 | title: OWASP SCSVS Release 5 | type: other 6 | level: 3 7 | tags: release-tag 8 | 9 | --- 10 | 11 | ## Smart Contract Security Verification Standard Release 12 | 13 | This is the first release of many. 
Please feel free to share your feedback 14 | -------------------------------------------------------------------------------- /tab_supporters.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: supporters 3 | displaytext: Supporters 4 | layout: null 5 | tab: true 6 | order: 1 7 | tags: supporters 8 | --- 9 | 10 | # Supporters 11 | 12 | ## Major Supporters and Sponsors 13 | 14 | This initiative would not have been possible without the support of our sponsors and the resources they have provided. We would like to express our gratitude to the following for their support. 15 | 16 | ### CredShields 17 | 18 |
19 | CredShields Logo 20 | CredShields Logo 21 | SolidityScan Logo 22 | CredShields Logo 23 |
24 | 25 | The OWASP SCSVS project was initiated to share the knowledge gained from the CredShields Security Team's research into Smart Contract security while developing [**SolidityScan.com**](https://solidityscan.com), an AI-powered vulnerability scanner for Smart Contracts. We extend our gratitude to [**CredShields**](https://credshields.com) for their efforts in defining the initial requirements and founding this project. 26 | 27 | --------------------------------------------------------------------------------