Communications include the topic of the relations between smart contracts and their libraries.
Ensure that a verified contract satisfies the following high-level requirements:
- The external calls from and to other contracts have considered abuse cases and are authorized,
- Used libraries are safe and the state-of-the-art security libraries are used.
Category “G6” lists requirements related to the function calls between the verified contracts and other contracts out of the scope of the application.
| # | Description |
|---|---|
| G6.1 | Verify that libraries that are not part of the application (but the smart contract relies on to operate) are identified. |
| G6.2 | Verify that delegatecall is not used with untrusted contracts. |
| G6.3 | Verify that third-party contracts do not shadow special functions (e.g. revert). |
| G6.4 | Verify that the contract does not check whether the address is a contract using extcodesize opcode. |
| G6.5 | Verify that re-entrancy attack is mitigated by blocking recursive calls from other contracts (e.g., Checks-Effect-Interactions, ReentrancyGuard). |
| G6.6 | Verify that the result of low-level function calls (e.g. send, delegatecall, call) from another contracts is checked. |
| G6.7 | Verify that contract relies on the data provided by the right sender and the contract does not rely on tx.origin value. |
| G6.8 | Verify that contract does not enforce usage of "phantom functions". |
| G6.9 | Verify that contract does not accept Ether transfers (e.g. via fallback or receive) that cannot be withdrawn. |
For more information, see also:
- Security Considerations: Sending and Receiving Ether
- DASP 10: Unchecked Return Values For Low Level Calls
- SWC-107 Reentrancy
- SWC-112 Delegatecall to Untrusted Callee
- Phantom functions
Request an audit of your project by SCSVS authors. Contact a specialist.