The Standards for Smart Contract Security

Introduction

The Smart Contract Security Alliance’s core mission is to support healthy growth and adoption of blockchain applications. As part of that, we are working with other members of the industry to develop accepted standards for creating and evaluating the security of smart contracts.

We’ve published our recommended standards here to help customers understand what they are buying when they purchase a security audit, and to increase the level of professionalism in the field. We believe the standardization of security evaluations will facilitate compatibility, accountability, interoperability, research, and credibility for all industry participants.

Members of the Alliance

Quantstamp
MythX
National University of Singapore
NRI Secure
LayerX
Blockgeeks
Fujitsu
Chainalysis

Smart Contract Vulnerability Severity Levels

Smart contract vulnerabilities are categorised according to their potential severity or business impact. Since it is not possible to define every possible condition or technical situation in advance, these levels can only serve as guidance.

Level: Explanation

High: The issue puts the vast majority of, or large numbers of, users' sensitive information at risk, or is reasonably likely to lead to catastrophic impact on the client's reputation or serious financial implications for the client and users.

Medium: The issue puts a subset of individual users' sensitive information at risk, exploitation would be detrimental to the client's reputation, or the issue is reasonably likely to lead to moderate financial impact.

Low: The risk is relatively small and could not be exploited on a recurring basis, or it is a risk the client has indicated is not important or impactful in view of the client's business circumstances.

Informational: The issue does not pose an immediate threat to continued operation or usage, but is relevant to security best practices, software engineering best practices, or defensive redundancy.

Undetermined: A condition noted during the audit whose impact is uncertain based on the findings of the audit.
Preparing Your Smart Contract

Before you start writing your smart contract, there are a few questions you should answer:

First Step

Articulate clearly, in your own words, what exactly your smart contract is intended to do and what features it has.

Second Step

Identify your target date for audit completion and any reasons for that timing. As code complexity may increase the time needed for a complete audit, be cognizant of the pressure deadlines can impose.

Third Step

Provide the location of your source code, preferably a GitHub repository with the commit hash to be audited, and give the auditors access, including any associated credentials, requirements, or terms.

How to Deploy Your Smart Contract

Before you start writing your smart contract, there are a few questions you should answer:

First Step

For the token contract, provide the following parameter information: name, symbol, decimals, and supply.

Second Step

Will these tokens have an open mint? When is your target sale date? The smart contract audit for a token/crowdsale should be completed at least 2 weeks prior to the sale.

Third Step

Will these be burnable tokens? If so, under what circumstances do you anticipate tokens being burned?

Guide to Defending Your Smart Contract from Attacks

Before you start writing your smart contract, there are a few questions you should answer:

First Step

Keep a secure list of the people with access to the company multisig wallet, and of the Ethereum addresses assigned ownership of the multisig wallet.

Second Step

Store the list of mnemonic passwords (if any) in a highly secure, offline location. Keep a secure list of the people with access to the company website hosting server.

Third Step

Keep a secure list of admin accounts for social networks such as Slack, Facebook, Twitter, etc. Enable Two-Factor Authentication (2FA) on the website hosting server.