Smart Contract Security Verification Standard 🚀

Authors

Introduction

Smart Contract Security Verification Standard (v2) is a FREE checklist created to standardize the security of smart contracts for developers, architects, security reviewers, and vendors.

This list helps avoid the majority of known security problems and vulnerabilities by providing guidance at every stage of the smart contract development cycle (from design to implementation).

Objectives

🔥 Updates in v2 🔥

Security, Composability, and Transparency are the fundamentals of the SCSVS. These values are achieved thanks to the engagement and cooperation of the #BlockSec community. The standard is structured into 3 chapters, each covering a slightly different area.

How to use SCSVSv2

You can use the SCSVS checklist in multiple ways:

Depending on your role in the protocol, we recommend performing the different actions summarized below. Treat them as inspiration rather than strict rules.

As Architect 👷‍♂️

If you are designing a protocol, you should schedule (and potentially delegate) the following actions:

As Developer 🧑‍💻

If you are developing a protocol, you should schedule (and potentially delegate) the following actions:

As Business Owner / Founder 🧙

If you are the owner of a protocol or represent the business side of the project, you should schedule and delegate the following actions:

As Auditor 🥷

If you are an internal or external auditor of a protocol, you should schedule (and potentially delegate) the following actions:

Table of contents

Severity of the risk

Threat modeling and risk analysis are important parts of a security assessment. Threat modeling discovers potential threats and their impact; risk analysis identifies security risks and determines their severity, which lets the team prioritize them during mitigation.

The SCSVS does not assign a severity to the risks related to its requirements. Even though there are multiple methodologies for assessing severity, each application is unique, and so are the threat actors, their goals, and the impact of a breach.

Moreover, requirements and security risks cannot be linked one-to-one: a single requirement can mitigate many risks, and a single risk can be covered by many requirements.

We recommend determining the severity of the risks related to the requirements when performing the security assessment using the SCSVS standard.

We recommend the Common Vulnerability Scoring System (CVSS), a free and open industry standard for assessing the severity of security vulnerabilities.

License

The SCSVS project was originally started by Damian Rusinek and Paweł Kuryłowicz at SecuRing, in the following repository: https://github.com/securing/SCSVS.

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

The entire checklist follows a form similar to the OWASP Application Security Verification Standard (ASVS) v4.0. Every category has a brief description of its control objectives and a list of security verification requirements.