EEA EthTrust Security Levels Specification v1

4.1.1 Text and homoglyphs

[S] No Unicode Direction Control Characters
Tested code MUST NOT contain any of the Unicode Direction Control Characters U+2066, U+2067, U+2068, U+2029, U+202A, U+202B, U+202C, U+202D, or U+202E
unless it meets the Overriding Requirement [M] No Unnecessary Unicode Controls.

Changing the apparent order of characters through the use of invisible Unicode direction control characters can mask malicious code, even in viewing source code, to deceive human auditors.

More information on Unicode direction control characters is available in the W3C note How to use Unicode controls for bidi text [unicode-bdo].

4.1.2 External Calls

See also the Related Requirements: [M] Protect External Calls, [M] Handle External Call Returns, and [Q] Verify External Calls.

[S] Check External Calls Return
Tested Code that makes external calls using the Low-level Call Functions (i.e. call, delegatecall, staticcall, send, and transfer) MUST check the returned value from each usage to determine whether the call failed.

Normally, exceptions in subcalls "bubble up", unless they are handled in a try/catch. However Solidity defines a set of Low-level Call Functions:

• call(),
• delegatecall(),
• staticcall(),
• send(), and
• transfer().

Calls using these functions behave differently. They return a boolean indicating whether the call completed successfully. Not testing explicitly whether these calls fail may lead to unexpected behavior in the caller contract.

See also SWC-104 in [swcregistry], error handling documentation in [error-handling], unchecked return value as described in [CWE-252], and the Related Requirements: [S] Use Check-Effects-Interaction, [M] Handle External Call Returns, [Q] Verify External Calls

The Checks-Effects-Interactions pattern ensures that validation of the request, and changes to the state variables of the contract, are performed before any interactions take place with other contracts. When contracts are implemented this way, the scope for Re-entrancy Attacks is reduced significantly.

See also 3.3 External Calls and Re-entrancy, the explanation of "Checks-Effects-Interactions" [c-e-i] in "Solidity Security Considerations" [solidity-security], and "Checks Effects Interactions" in [solidity-patterns].

The delegatecall() instruction enables an external contract to manipulate the state of a contract that calls it, because the code is run with the caller's balance, storage, and address.

4.1.3 Improved Compilers

The requirements in this subsection can be met by using a sufficiently recent version of the Solidity compiler. Otherwise, there are Overriding Requirements to perform the same testing that the up-to-date compiler checks:

• From 0.8.0 the compiler checks for arithmetic causing overflows and underflows.
• From 0.5.0 storage has to be declared explicitly as storage or memory.
• From 0.4.22 code does not compile if it uses constructors that are not explicitly declared as constructor.

Like most programming languages, the EVM and Solidity represent numbers as a set of bytes that by default has a fixed length. This means arithmetic operations on large numbers can "overflow" the size by producing a result that does not fit in the space allocated. This results in corrupted data, and can be used as an attack on code. The [CWE] registry of generic code vulnerabilities contains many overflow attacks; it is a well-known vector that is exposed in many systems and has regularly been exploited.

There are many ways to check for overflows, or underflows (where a negative number is large enough in magnitude to trigger the same effect). Since version 0.8.0 Solidity includes built-in protection. Tested Code compiled with an earlier version needs to check explicitly to mitigate this potential vulnerability.

[S] Explicit Storage Tested code MUST NOT use a version of Solidity older than 0.5.0
unless it meets the Overriding Requirement: [M] Declare storage Explicitly.

Versions of Solidity older before 0.5.0 allowed contracts to create uninitialized storage, which could be attacked by malicious code.

See the section Uninitialised Storage Pointers in [sigp] for further discussion of the vulnerability, and how it has been exploited, and SWC-109 in [swcregistry] for some more exammple code.

[S] Explicit Constructors Tested code MUST NOT use a version of Solidity older than 0.4.22
unless it meets the Overriding Requirement: [M] Declare Constructors Explicitly.

Versions of Solidity older than 0.4.22 define constructors implicitly, as a function with the same name as a contract. If the source code is copied, and the contract's name changed, the function is no longer recognized as a constructor.

4.1.4 Compiler Bugs

There are a number of known security bugs in various versions of the Solidity compiler. The requirements in this subsection ensure that Tested Code does not trigger these bugs. The name of the requirement includes the uid first recorded for the bug in [solidity-bugs-json], as a key that can be used to find more information about the bug. [solidity-bugs] describes the conventions used for the JSON-formatted list of bugs.

The requirements in this subsection are ordered according to the latest compiler versions that are vulnerable, to slightly simplify assessment given the compiler version in use. Implementing the Good Practice of the Related Requirement [GP] Use Latest Compiler means that Tested Code passes all requirements in this subsection.

Some compiler-related bugs are in the 4.2.5 Security Level [M] Compiler Bugs and Overriding Requirements as Security Level [M] requirements, either because they are Overriding Requirements for requirements in this subsection, or because they are part of a Set of Overriding Requirements for Security Level [S] requirements that already ensure that the bug cannot be triggered.

Some bugs were introduced in known versions, while others are assumed to have existed in all versions before they were fixed.

[S] Compiler Bug SOL-2022-5 with .push()
Tested code that copies bytes arrays from calldata or memory whose size is not a multiple of 32 bytes, and has an empty .push() instruction that writes to the resulting array, MUST NOT use a version of Solidity older than 0.8.15.

Until 0.8.15 copying memory or calldata whose length is not a multiple of 32 bytes could expose data beyond the data copied, which could be observable using code through assembly().

See also the 15 June 2022 security alert and the related requirement [M] Compiler Bug SOL-2022-5 in assembly().

Compilers from 0.6.9 until it was fixed in 0.8.13 had a bug that incorrectly allowed internal or public calls to use a simpification only valid for external calls, treating memory and calldata as equivalent pointers.

See also the 17 May 2022 security alert.

Compilers from 0.5.8 until it was fixed in 0.8.13 had a bug that meant a single-pass encoding and decoding of a nested array could read data beyond the calldatasize().

See also the 17 May 2022 security alert.

Solidity defines a set of types for variables known collectively as bytesNN or Fixed-length Variable types, that specify the length of the variable as a fixed number of bytes, following the pattern

• bytes1
• bytes2
• ...
• bytes10
• ...
• bytes32

Compilers from 0.8.11 and 0.8.12 had a bug that meant literal parameters were incorrectly encoded by abi.encodeCall() in certain circumstances.

See also the 16 March 2022 security alert.

[S] Compiler Bug SOL-2021-4 Tested Code that uses custom value types shorter than 32 bytes SHOULD not use version 0.8.8 of Solidity.

Compiler version 0.8.8 had a bug that assigned a full 32 bytes of storage to custom types that did not need it. This can be misused to enable reading arbitrary storage, as well as causing errors if the Tested Code contains code compiled using different Compiler versions.

See also the 29 September 2021 security alert

[S] Compiler Bug SOL-2021-2
Tested code that uses abi.decode() on byte arrays as memory, MUST NOT use the ABIEncoderV2 with a version of Solidity between 0.4.16 and 0.8.3 (inclusive).

Version 0.4.16 introduced a bug, fixed in 0.8.4, that meant the ABIEncoderV2 incorrectly validated pointers when reading memory byte arrays, which could result in reading data beyond the array area due to an overflow error in calcuating pointers.

See also the 21 April 2021 security alert.

Compilers before 0.8.3 had an optimizer bug that meant keccak hashes, calculated for the same content but different lengths that were not multiples of 32 bytes incorrectly used the first value from cache instead of recalculating.

See also the 23 March 2021 security alert.

[S] Compiler Bug SOL-2020-11-push
Tested code that copies an empty byte array to storage, and subsequently increases the size of the array using push() MUST NOT a use version of Solidity older than 0.7.4.

Compilers before 0.7.4 had a bug that meant data would be packed after an empty array, and if the length of the array is subsequently extended by push(), that data would be readable from the array.

See also the 19 October 2020 security alert.

[S] Compiler Bug SOL-2020-10
Tested code that copies an array of types shorter than 16 bytes to a longer array MUST NOT a use version of Solidity older than 0.7.3.

Compilers before 0.7.3 had a bug that meant when array data for types shorter than 16 bytes are assigned to a longer array, the extra values in that longer array are not correctly reset to zero.

See also the 7 October 2020 security alert.

[S] Compiler Bug SOL-2020-9
Tested code that defines Free Functions MUST NOT use version 0.7.1 of Solidity.

Solidity version 0.7.1 introduced Free Functions [solidity-functions]: Functions that are defined in the source code of smart contract but outside the scope of the formal contract declaration. Free Functions have internal visibility, and the compiler "inlines" them to the contracts that call them. The solidity documentation explains that they are:

executed in the context of a contract. They still have access to the variable this, can call other contracts, send them Ether and destroy the contract that called them, among other things. The main difference to functions defined inside a contract is that free functions do not have direct access to storage variables and functions not in their scope.

https://docs.soliditylang.org/en/latest/contracts.html#functions

The 0.7.1 compiler did not correctly distinguish overlapping Free Function declarations, meaning that the wrong function could be called.

See examples of a passing contract and a failing contract for this requirement.

[S] Compiler Bug SOL-2020-8
Tested code that calls internal library functions with calldata parameters called via using for MUST NOT use version 0.6.9 of Solidity.

The 0.6.9 compiler incorrectly copied calldata parameters passed to internal library functions passed with using for as if they were calling to external library functions, leading to stack corruption and an incorrect jump destination.

See also a github issue with code example.

[S] Compiler Bug SOL-2020-6
Tested code that accesses an array slice using an expression for the starting index that can evaluate to a value other than zero MUST NOT use the ABIEncoderV2 with a version of Solidity between 0.6.0 and 0.6.7 (inclusive).

Compiler version 0.6.0 introduced a bug fixed in 0.6.8 that incorrectly calculated index offsets for the start of array slices, used in dynamic calldata types, when using the ABIEncoderV2.

[S] Compiler Bug SOL-2020-7
Tested code that passes a string literal containing two consecutive backslash ("\") characters to an encoding function or an external call MUST NOT use the ABIEncoderV2 with a version of Solidity between 0.5.14 and 0.6.7 (inclusive).

Compiler version 0.5.14 introduced a bug fixed in 0.6.8 that incorrectly encoded consecutive backslash characters in string literals when passing them to an external function, or an enncoding function, when using the ABIEncoderV2.

[S] Compiler Bug SOL-2020-5
Tested code that defines a contract that does not include a constructor but has a base contract that defines a constructor not defined as payable MUST NOT use a version of Solidity between 0.4.5 and 0.6.7 (inclusive), unless it meets the Overriding Requirement [M] Check Constructor Payment.

Solidity version 0.4.5 introduced a check intended to result in contract creation reverting if value is passed to a constructor that is not explicitly marked as payable. If the constructor was inherited from a base instead of explicitly defined in the contract, this check did not function properly until version 0.6.8, meaning the creation would not revert as expected.

Solidity version 0.1.6 introduced a bug fixed in 0.6.5 that meant tuple assignments involving nested tuples, pointers to external functions, or references to dynamically sized calldata arrays were corrupted due to incorrectly calculating the number of stack slots.

[S] Compiler Bug SOL-2020-3
Tested code that declares arrays of size larger than 2^256-1 MUST NOT use a version of Solidity older than 0.6.5.

Compiler version 0.2.0 introduced a bug, fixed in version 0.6.5, that meant no overflow check was performed for the creation of very large arrays, meaning in some cases an overflow error would occur that would use result in consuming all gas in a transaction due to the memory handling error introduced in compiling the contract.

[S] Compiler Bug SOL-2020-1
Tested code that declares variables inside a for loop that contains a break or continue statement MUST NOT use the Yul Optimizer with version 0.6.0 nor a version of Solidity between 0.5.8 and 0.5.15 (inclusive).

A bug in the Yul Optimiser in versions from 0.5.8 to 0.5.15 and in version 0.6.0 meant assignments for variables declared inside a for loop that contained a break or continue statement could be removed.

[S] Compiler Bug SOL-2020-11-length
Tested code that copies an empty byte array to storage, and subsequently increases the size of the array by assigning the length attribute MUST NOT use a version of Solidity older than 0.6.0.

Compilers before 0.6.0 had a bug that meant data would be packed after an empty array, and if the length of the array were then extended by assigning the length attribute that data would be readable from the array. From version 0.6.0 it was no longer possible to extend an array by assigning the length, which became read-only.

See also the 19 October 2020 security alert, and an example contract that fails this requirement

A bug in version 0.5.14 that required multiple compiler options to trigger could result in data corruption in storage.

[S] Compiler Bugs SOL-2019-3,6,7,9
Tested code that uses struct or arrays MUST NOT use the ABIEncoderV2 option with a version of Solidity between 0.4.16 and 0.5.10 (inclusive).

Compiler version 0.5.6 introduced bug SOL-2019-9 fixed in 0.5.11 that meant reading a struct through calldata which had dyamically encoded members that were statically sized resulted in corrupted data. Bugs SOL-2019-6 and SOL-2019-7 introduced in compiler 0.4.16 and fixed in compiler 0.5.9 and 0.5.10 respectively meant that data encoded in or read from a struct could be corrupted. Bug SOL-2019-3 from 0.4.19 to 0.4.25 and from 0.5.0 to 0.5.7 could corrupt data, both in the struct and other encoded data, when encoding a struct. All of these bugs were triggered by using the ABIEncoderV2.

See also the 26 March 2019 security alert, and the 25 June 2019 security alert.

[S] Compiler Bug SOL-2019-8
Tested code that assigns an array of signed integers to an array of a different type MUST NOT use a version of Solidity between 0.4.7 and 0.5.9 (inclusive).

Compiler version 0.4.7 introduced a bug fixed in 0.5.10 that meant assigning an array of signed integers to another array of different type corrupted negative values.

See also the 25 June 2019 security alert.

[S] Compiler Bug SOL-2019-5
Tested code that calls an uninitialized internal function pointer in the constructor MUST NOT use a version between 0.4.5 and 0.4.25 (inclusive) nor a version between 0.5.0 and 0.5.7 (inclusive) of Solidity.

A bug in compilers versions 0.4.5 to 0.4.25 and versions 0.5.0 until fixed in 0.5.8 meant calls to unitialized function pointers in constructors did not revert as expected and as they do in deployed code.

[S] Compiler Bug SOL-2019-4
Tested code that uses events containing contract types, in libraries, MUST NOT use a version of Solitidy between 0.5.0 and 0.5.7.

Compiler version 0.5.0 introduced a bug fixed in 0.5.8 that meant an incorrect hash is logged if library events contain contract types.

[S] Compiler Bug SOL-2019-2
Tested code that makes index access to bytesNN types with a second parameter (not the index) whose compile-time value evaluates to 31 MUST NOT use the Optimizer with versions 0.5.5 nor 0.5.6 of Solitidy.

Version 0.5.5 introduced an Optimizer bug fixed in 0.5.7 where a second parameter value of "31" for a byte opcode resulted in unexpected values.

See also the related requirement [M] Compiler Bug SOL-2019-2 in assembly().

[S] Compiler Bug SOL-2019-1
Tested code that nests bitwise shifts to produce a total shift of more than 256 bits and compiles for the Constantinople or later EVM version MUST NOT use the Optimizer option with version 0.5.5 of Solidity.

Compiler version 0.5.5 introduced a bug fixed in 0.5.6 that meant nested bitwise shifts could be incorrectly optimized.

See also the 26 March 2019 security alert.

[S] Compiler Bug SOL-2018-4
Tested code that has a match for the regexp [^/]\\*\\* *[^/0-9 ] MUST NOT use a version of Solidity older than 0.4.25.

Compilers before 0.4.25 had a bug that meant exponents calculated using ** with a type that is shorter than 256 bits, not shorter than the type of the base, and containing dirty higher order bits could produce an incorrect result.

See also the 13 September 2018 security alert.

[S] Compiler Bug SOL-2018-3
Tested code that uses a struct in events MUST NOT use a version of Solidity between 0.4.17 and 0.4.24 (inclusive).

Compilers from 0.4.17 until it was fixed in 0.4.25 had a bug that meant when events used structs, the address of the struct was logged instead of the data.

See also the 13 September 2018 security alert, and an example contract that fails this requirement

[S] Compiler Bug SOL-2018-2
Tested code that calls a function matching the regexp returns[^;{]*\\[\\s*[^\\] \\t\\r\\n\\v\\f][^\\]]*\\]\\s*\\[\\s*[^\\] \\t\\r\\n\\v\\f][^\\]]*\\][^{;]*[;{] MUST NOT use a version of Solidity older than 0.4.22.

Compilers between 0.1.4 and 0.4.21 incorrectly interpreted array values as memory pointers when a function that returns a fixed-size multidimensional array is called.

See also the 13 September 2018 security alert.

[S] Compiler Bug SOL-2018-1
Tested code that both a new-style constructor (using the constructor keyword) and an old-style constructor (a function with the same name as the contract), which are not exactly the same MUST NOT use version 0.4.22 of Solidity.

Compiler version 0.4.22 had a bug that means it is unclear which constructor function is used.

It is unnecessary to use the old-style constructor in this case, and not using it avoids triggering the bug.

See also the related requirements [S] Explicit Constructors and [M] Declare Constructors Explicitly.

[S] Compiler Bug SOL-2017-5
Tested code with a function that is payable whose name consists only of any number of zeros ("0"), and does not have a fallback function, MUST NOT use a version of Solidity older than 0.4.18.

Compilers before 0.4.18 had a bug that meant such a function would be called instead of a fallback function if Ether is sent without data.

[S] Compiler Bug SOL-2017-4
Tested code that uses the delegatecall() instruction MUST NOT use a version of Solidity older than 0.4.15.

Compilers from 0.3.0 to 0.4.14 had a bug that meant if delegateCall() returned a value that started with 32 bytes of zeros, it would be read as false instead of true.

[S] Compiler Bug SOL-2017-3
Tested code that uses the ecrecover() pre-compile MUST NOT use a version of Solidity older than 0.4.14
unless it meets the Overriding Requirement [M] Validate ecrecover() Input.

Before version 0.4.14 Solidity had a bug that meant malformed input to the ecrecover() instruction could cause an unauthorised read of data in memory, without raising an exception or other signal that something had gone wrong.

[S] Compiler Bug SOL-2017-2
Tested code with functions that accept 2 or more parameters, of which any but the last are of bytesNN type MUST NOT use a version of Solidity older than 0.4.12.

Compilers before 0.4.12 had a bug that meant when the empty string "" was passed as a parameter value for a function that expected a Fixed-length Variable, the encoder simply ignored it, thus assigning subsequent arguments to the wrong parameter and corrupting the function call.

See an example contractthat fails this requirement.

[S] Compiler Bug SOL-2017-1
Tested code that contains any number that either begins with 0xff and ends with 00, or begins with 0x00 and ends with ff, twice, OR uses such a number in the constructor, MUST NOT use the Optimizer with a version of Solidity older than 0.4.11.

The Optimizer for Compilers before 0.4.11 had a bug that meant certain numbers were corrupted by an attempt to optimise gas or constructor size.

See also the 3 May 2017 security alert.

[S] Compiler Bug SOL-2016-11
Tested code that uses a version older than 0.4.7 of Solidity MUST NOT call the Identity Contract UNLESS it meets the Overriding Requirement [M] Compiler Bug Check Identity Calls.

Compilers before 0.4.7 had a bug that caused data corruption at jump destinations.

[S] Compiler Bug SOL-2016-10
Tested code MUST NOT use the Optimizer option with version 0.4.5 of Solidity.

Compiler version 0.4.5 had an Optimizer bug that caused data corruption at jump destinations.

See also the Related Requirement [S] Compiler Bug SOL-2016-4.

[S] Compiler Bug SOL-2016-9
Tested code that use variables of a type shorter than 17 bytes MUST NOT use a version of Solidity older than 0.4.4.

Compilers between 0.1.6 and 0.4.4 packed shorter data types in a way that potentially allowed the overwriting of variables.

See also SWC-124 [swcregistry].

[S] Compiler Bug SOL-2016-8
Tested code that uses the sha3() instruction MUST NOT use the Optimizer option with a version of Solidity older than 0.4.3.

Compilers before 0.4.3 had a bug in the Optimizer that incorrectly cached some sha3() hashes. Note that the sha3() instruction is disallowed since version 0.5.0, replaced by the keccak256() instruction.

[S] Compiler Bug SOL-2016-7
Tested code that uses delegatecall() from a function that can receive Ether to call a Library Function MUST NOT use versions 0.4.0 or 0.4.1 of Solidity.

Compilers 0.4.0 and 0.4.1 had a bug that incorrectly rejected Library Function calls made with delegatecall() from a function that had received Ether, interpreting it as an attempt to send Ether to the Library Function.

See also the Related Requirement [S] Compiler Bug SOL-2017-4, and note that meetng that requirement means this requirement will automatically be met.

[S] Compiler Bug SOL-2016-6
Tested code that sends Ether MUST NOT use a version of Solidity older than 0.4.0 unless it meets the overriding requirement [M] Compiler Bug No Zero Ether Send.

Compilers before 0.4.0 had a bug that meant transactions that send Ether but with a zero value fail to provide gas, causing an exception.

[S] Compiler Bug SOL-2016-5
Tested code that creates a dynamically sized array with a length that can be zero MUST NOT use a version of Solidity older than 0.3.6.

Compilers before 0.3.6 had a bug that meant dynamically created arrays with a zero length created code that did not terminate, and consumed all gas.

[S] Compiler Bug SOL-2016-4
Tested code that creates a Jump Destination opcode MUST NOT use the Optimizer with versions of Solidity older than 0.3.6.

Compilers before 0.3.6 had an Optimizer bug that meant data corruption could occur due to incorrectly computing state at jump destinations.

[S] Compiler Bug SOL-2016-3
Tested code that compares the values of data of type bytesNN MUST NOT use a version of Solidity older than 0.3.3.

Compilers before 0.3.3 had a bug in the way they compared values of Fixed-Length Variables that meant the comparison would read higher-order bits beyond the size of the variable, and so could produce an incorrect result.

[S] Compiler Bug SOL-2016-2
Tested code that uses arrays, with data types whose size is less than 17 bytes MUST NOT use a version of Solidity older than 0.3.1.

Compilers before 0.3.1 incorrectly packed bytesNN shorter than 17 bytes in arrays, leading to data corruption.

[S] No Ancient Compilers
Tested code MUST NOT use a version of Solidity older than 0.3.

Compiler bugs are not tracked for compiler versions older than 0.3. There is therefore a risk that unknown bugs create unexpected problems.

See also "SOL-2016-1" in [solidity-bugs-json].

4.2.1 Text and homoglyph attacks

[M] No Unnecessary Unicode Controls
Tested code MUST NOT use Unicode direction control characters unless they are necessary to render text appropriately, and the resulting text does not mislead readers.
This is an Overriding Requirement for [S] No Unicode Direction Control Characterss.

Security Level [M] permits the use of Unicode direction control characters in text strings, subject to analysis of whether they are necessary.

[M] No Homoglyph-style Attack
Tested code MUST not use homoglyphs, Unicode control characters, combining characters, or characters from multiple Unicode blocks if the impact is misleading.

Techniques such as substituting characters from different alphabets (e.g. Latin "a" and Cyrillic "а" are not the same). This can be used to mask malicious code, for example by presenting variables or function names designed to mislead auditors. These attacks are known as Homoglyph Attacks. Several approaches to successfully exploiting this issue are described in [Ivanov].

In the rare case there is a valid use of characters from multiple Unicode blocks (see [unicode-blocks]) in a variable name or label (most likely to be mixing two languages in a name), requirements at this level allow them to pass EEA EthTrust certification so long as they do not mislead or confuse.

This level requires checking for homoglyph attacks including those within a single character set, such as the use of "í" in place of "i" or "ì", "ت" for "ث", or "1" for "l", and when a reviewer judges that the result is misleading or confusing, the relevant code does not meet the Security Level [M] requirements.

The requirements in this section are related to the security advisory [CVE-2021-42574] and [CWE-94], "Improper Control of Generation of Code", also called "Code Injection".

See also the Related Requirement: [S] No Unicode Direction Control Characters.

4.2.2 External Calls

EEA EthTrust Certification at Security Level [M] allows calling within a set of contracts that form part of the Tested Code. This ensures all contracts called are audited as a group at this Security Level. The same level of protection against Re-entrancy Attacks is provided to the Tested Code overall as for the Security Level [S] requirement.

[M] Handle External Call Returns
Tested Code that makes external calls MUST reasonably handle possible errors.

As well as checking that the calls return, it is important that Tested Code "works" - to the satisfaction of the auditor - if the return value is the result of an error.

See also the related requirements: [Q] Process All Inputs, [S] Check External Calls Return.

4.2.3 Documenting Defensive Coding

There are legitimate uses for all of these coding patterns, but they are also potential causes of security vulnerabilities. Requirements at Security Level M therefore require testing that ensures the use of these patterns is explained and justified, and that they are used in a manner that does not introduce known vulnerabilities.

The requirement to document the use of external calls applies to all external calls in the tested code, whether or not they meet the Related Requirement [S] Use Check-Effects-Interaction.

See also the Related requirements: [Q] Document Contract Logic, [Q] Document System Architecture, [Q] Implement as Documented, [Q] Verify External Calls, [M] Avoid Common assembly() Attack Vectors, [M] Compiler Bug SOL-2022-5 in assembly(), [M] Compiler Bug SOL-2022-4, [M] Compiler Bug SOL-2021-3, and [M] Compiler Bug SOL-2019-2 in assembly().

If the selfdestruct() instruction (or its deprecated alternative suicide()) is not carefully protected, malicious code can call it and destroy a contract, and steal any Ether held by the contract. In addition, this can disrupt other users of the contract since once the contract has been destroyed any Ether sent is simply lost, unlike when a contract is disabled which causes a transaction sending Ether to revert.

See also the Related Requirement [Q] Implement Access Control, and SWC-106 in [swcregistry].

This vulnerability led to the Parity MultiSig Wallet Failure that blocked around 1/2 Million Ether on mainnet in 2017.

The assembly() instruction provides a low-level method for developers to produce code in smart contracts. Using this approach provides great flexibility and control, for example to reduce gas cost. However it also exposes some possible attack surfaces where a malicious coder could introduce attacks that are hard to detect. This requirement ensures that two such attack surfaces that are well-known are not exposed.

See also SWC-124 and SWC-127 [swcregistry], and the Related Requirements [M] Document Special Code Use, [M] Compiler Bug SOL-2022-5 in assembly(), [M] Compiler Bug SOL-2022-4, [M] Compiler Bug SOL-2021-3, and [M] Compiler Bug SOL-2019-2 in assembly().

The CREATE2 opcode's ability to interact with addresses whose code does not exist yet on-chain mandates protections to prevent external calls to malicous or insecure contract code that is not yet known.

The Tested code needs to include any code that can be deployed using CREATE2 to verify protections are in place and the code behaves as the contract author claims. This includes ensuring opcodes that can change the immutability or forward calls in the contracts deployed with CREATE2, such as selfdestruct(), delegatecall() and callcode(), are not present.

If any of these opcodes are present, the additional protections and documentation required by the Overriding Requirements are necessary.

[M] Declare storage Explicitly
Tested code that uses a version of Solidity older than 0.5.0 MUST explicitly declare storage or memory for storage objects, and must justify the need for any storage item.
This is an Overriding Requirement for [S] Explicit Storage.

Solidity's default way of providing uninitialised storage can be and has been exploited [storage-honeypots], because it can enable access to an unnitiatilized pointer [CWE-824]. This was addressed by checking that storage is explicitly declared, from version 0.5.0, but for older compilers it is important to test for this exploit.

There are a few rare use cases where arithmetic overflow or underflow is intended, or expected behaviour. It is important such cases are protected appropriately. Note that these are harder to implement since version 0.8.0 which introduced overflow protection that causes transactions to revert.

[M] Declare Explicit Constructors
Tested code that uses a version of Solidity older than 0.4.22 MUST declare constructor methods explicitly.
This is an Overriding Requirement for [S] Explicit Constructors.

Versions of Solidity older than 0.4.22 allowed an "implicit" constructor: a function with the same name as the contract. Renaming a contract but not the function means that the function is no longer recognised as a constructor. This is an error that has been seen with copied source code.

For more information and examples of code that exploits this see the discussion in the Constructors with Care section of [sigp] or SWC-118 in [swcregistry].

[M] Document Name Conflicts
Tested code MUST clearly document the order of inheritance for each function or variable that shares a name with another function or variable.
This is an Overriding Requirement for [S] No Conflicting Inheritance.

As noted in [S] No Conflicting Inheritance. using the same name for different functions or variables can lead to reviewers misundersanding code, either inadvertently or deliberately as an attempt to hide malicious code. Explicitly documenting any occurrences of doing this helps security audits, and makes it clear to others using the code where they need to pay attention to the scope of variable or function declarations.

See also the related requirement [M] Compiler Bug SOL-2020-2, and the documentation of function inheritance in [solidity-functions]

[M] Sources of Randomness
Sources of randomness used in Tested Code MUST be sufficiently resistant to prediction that their purpose is met.

This requirement involves careful evaluation for each specific contract and case. Some uses of randomness rely on no prediction being more accurate than any other. For such cases, values that can be guessed at with some accuracy or controlled by miners or validators, like block difficulty, timestamps, and/or block numbers, introduces a vulnerability. Thus a "strong" source of randomness like an oracle service is necessary.

Other uses are resistant to "good guesses" because using something that is close but wrong provides no more likelihood of gaining an advantage than any other guess.

For example a competition to guess the block number of a chain at a specific time, that rewards the answer closest to the correct answer is using a source of "randomness" that is vulnerable to approximate guessing.

On the other hand, for a lottery that will only pay if a number is submitted that exactly matches a winning entry in an offchain lottery to be held in the future, there is no advantage in being able to approximate the answer.

See also the Related Requirements [S] No Exact Balance Check, [M] Don't misuse block data, and [Q] Protect against MEV Attacks.

[M] Don't misuse block data
Block numbers and timestamps used in Tested Code MUST not introduce vulnerabilities to MEV or similar attacks.

Block numbers are vulnerable to approximate prediction, although they are generally not reliably precise indicators of elapsed time. block.timestamp is subject to manipulation by malicious actors. It is therefore important that these data are not trusted by Tested Code to function as if they were highly reliable or random information.

The description of SWC-116 in [swcregistry] includes some code examples for techniques to avoid, for example using block.number / 14 as a proxy for elapsed seconds, or relying on block.timestamp to indicate a precise time has passed.

For low precision, such as "a few minutes", block.number / 14 > 1000 can be sufficient on main net, or a blockchain with a similar regular block period of around 14 seconds. But using it to determine that e.g. "exactly 36 seconds" have elapsed fails the requirement. A contract that relies on a specific block period can introduce serious risks if it is deployed on another blockchain with a very different block frequency.

Likewise, because block.timestamp depends on settings that can be manipulated by a malicious node operator, in cases likes Ethereum mainnet it is suitable for use as a coarse-grained approximation (on a scale of minutes) but the same code on a different blockchain can be vulnerable to MEV attacks.

Note that this is related to the use of Oracles, which can also provide inaccurate information.

4.2.4 Signature Management

See also the Related Requirements [S] No Exact Balance Check, [M] Sources of Randomness, and [Q] Protect against MEV Attacks.

[M] Proper Signature Verification
Tested Code MUST use proper signature verification to ensure authenticity of messages that were signed off-chain, e.g. by using ecrecover().

Some smart contracts process messages that were signed off-chain to increase flexibility, while maintaining authenticity. Smart contracts performing their own signature verification must ensure that they are correctly verifying message authenticity.

See also SWC-122 [swcregistry].

For code that does use ecrecover(), see the Related Requirements [S] Compiler Bug SOL-2017-3 and [M] Validate ecrecover() input

[M] No Improper Usage of Malleable Signatures for Replay Attack Protection
Tested Code using signatures to prevent replay attacks MUST NOT rely on Malleable Signatures.

In Replay Attacks, an attacker replays correctly signed messages to exploit a system. Malleable signatures allow an attacker to create a new signature for the same message. Smart contracts that check against hashes of signatures to ensure that a message has only been processed once may be vulnerable to replay attacks if malleable signatures are used.

4.2.5 Security Level [M] Compiler Bugs and Overriding Requirements

Some solidity compiler bugs have Overriding Requirements at Security Level [M].

[M] Compiler Bug SOL-2022-5 in assembly()
Tested code that copies bytes arrays from calldata or memory whose size is not a multiple of 32 bytes, and has an assembly() instruction that reads that data without explicitly matching the length that was copied, MUST NOT use a version of Solidity older than 0.8.15.
This is part of the Set of Overriding Requirements for [S] No assembly().

Until 0.8.15 copying memory or calldata whose length is not a multiple of 32 bytes could expose data beyond the data copied, which could be observable using assembly().

See also the 15 June 2022 security alert and related requirements [S] Compiler Bug SOL-2022-5 with .push(), [M] Avoid Common assembly() Attack Vectors, [M] Document Special Code Use, [M] Compiler Bug SOL-2022-4, [M] Compiler Bug SOL-2021-3, and [M] Compiler Bug SOL-2019-2 in assembly().

[M] Compiler Bug SOL-2022-4
Tested code that has at least two assembly() instructions, such that one writes to memory e.g. by storing a value in a variable, but does not access that memory again, and code in a another assembly() instruction refers to that memory, MUST NOT use the yulOptimizer with versions 0.8.13 or 0.8.14 of Solidity.
This is part of the Set of Overriding Requirements for [S] No assembly().

Version 0.8.13 introduced a yulOptimizer bug fixed 0.8.15 in where memory created in an assembly() instruction but only read in a different assembly() instruction was discarded.

See also the 17 June 2022 security alert and related requirements [M] Avoid Common assembly() Attack Vectors, [M] Document Special Code Use, [M] Compiler Bug SOL-2022-5 in assembly(), [M] Compiler Bug SOL-2021-3, and [M] Compiler Bug SOL-2019-2 in assembly().

[M] Compiler Bug SOL-2021-3
Tested code that reads an immutable signed integer of a type shorter than 256 bits within an assembly() instruction MUST NOT use a version of Solidity between 0.6.5 and 0.8.8 (inclusive).
This is part of the Set of Overriding Requirements for [S] No assembly().

Compiler 0.6.8 introduced a bug, fixed in 0.8.9, that meant immutable signed integer types shorter than 256 bits could be read incorrectly in inline assembly() instructions.

See also the 29 September 2021 security alert, and the related requirements [M] Safe Use of assembly(), [M] Document Special Code Use, [M] Compiler Bug SOL-2022-5 in assembly(), [M] Compiler Bug SOL-2022-4, and [M] Compiler Bug SOL-2019-2 in assembly().

Solidity versions from 0.4.5 set the expectation that payments to a constructor that was not expicitly denoted as payable would revert. But when the constructor is inherited from a base contract, this reversion does not happen in versions before 0.6.8.

[M] Compiler Bug SOL-2020-2
Tested code that declares multiple functions with the same name MUST NOT use a version of Solidity older than 0.5.17.

Compilers between 0.3.0 and 0.5.17 had a bug that allowed private method declarations to be overridden by declaring another function of the same name.

See also the Related Requirements [S] No Conflicting Inheritance and [M] Document Name Conflicts.

[M] Compiler Bug SOL-2019-2 in assembly()
Tested code that uses the Optimizer with a version 0.5.5 nor 0.5.6 of Solitidy MUST NOT contain inline assembly() that uses the byte instruction with a second parameter whose compile-time value evaluates to 31.
This is part of the Set of Overriding Requirements for [S] No assembly().

Version 0.5.5 introduced a bug fixed in 0.5.7 where a second parameter value of "31" for a byte opcode resulted in unexpected values.

See also the related requirements [S] Compiler Bug SOL-2019-2, [M] Avoid Common assembly() Attack Vectors, [M] Document Special Code Use, and [M] Compiler Bug SOL-2021-3.

[M] Compiler Bug Check Identity Calls
In Tested code that uses a version of Solidity older than 0.4.7, calls to the Identity Contract MUST explicitly check the return value.
This is an Overriding Requirement for [S] Compiler Bug SOL-2016-11.

Calls to the Identity Contract ignored the return value before version 0.4.7.

[M] Validate ecrecover() input
Tested code that uses the ecrecover() pre-compile in a version of Solidity older than 0.4.14 MUST ensure that input is well-formed before making the call.
This is an Overriding Requirement for [S] Compiler Bug SOL-2017-3.

Prior to Solidity 0.4.14, bad input to ecrecover() could cause it to fail and produce corrupted data, while appearing to succeed.

[M] Compiler Bug No Zero Ether Send
Tested code that uses a version of Solidity older than 0.4.0, MUST NOT make Ether transfers that can send a value of zero.
This is an Overriding Requirement for [S] Compiler Bug SOL-2016-6.

A bug fixed in Solidity version 0.4.0 meant that transactions that explicity send zero Ether would automatically cause an exception, due to insufficient gas being passed on.

4.3.1 Documentation requirements

Security Level [Q] conformance requires a detailed description of how the Tested Code is intended to behave. Alongside detailed testing requirements to check that it does behave as described wth regard to specific known vulnerabililies, it is important that the claims made for it are accurate. This requirement underpins a Good Practice, that it fulfils claims made for it outside audit-specific documentation.

The combination of these requirements helps ensure there is no malicious code, such as malicious "back doors" or "time bombs" hidden in the Tested Code. Since there are legitimate use cases for code that behaves as e.g. a time bomb, or "phones home", this combination helps ensure that testing focuses on real problems.

The requirements in this section extend the coverage required to meet the Security Level [M] requirement [M] Document Special Code Use. As with that requirement, there are multiple requirements that require the documentation to perform an audit at this level.

[Q] Document Contract Logic
A specification of the business logic that the Tested code functionality is intended to implement MUST be available to anyone who can call the Tested Code.

Contract Logic documented in a human-readable format and with enough detail that functional correctness and safety assumptions for special code use can be validated by auditors helps them assess complex code more efficiently and with higher confidence.

[Q] Document System Architecture
Documentation of the system architecture for the Tested code MUST be provided that conveys the overrall system design, privileged roles, security assumptions and intended usage.

System documentation provides auditor(s) information to understand security assumptions and ensure functional correctness. It is recommended that system documentation be included or referenced in the README file of the code repository alongside documentation for how the source code can be tested, built and deployed.

[Q] Annotate Code with NatSpec
All public interfaces contained in the Tested code MUST be annotated with inline comments according to the [NatSpec] format that explain the intent behind each function, parameter, event, and return variable, along with developer notes for safe usage.

Inline comments are important to ensure that developers and auditors understand the intent behind each function and other code components. Public interfaces should be interpreted as anything that would be contained in the ABI of the compiled Tested code. It is also recommended to use inline comments for private or internal functions that implement sensitive and/or complex logic.

Following the [NatSpec] format allows these inline comments to be understood by the Solidity compiler for extracting them into a machine-readable format that may be used by other third-party tools for security assessments and automatic documentation. This may also be used to generate specifications that fully or partially satisfy the Requirement to [Q] Document Contract Logic

[Q] Implement as Documented
The Tested code MUST behave as described in the documentation provided for [Q] Document Contract Logic, and [Q] Document System Architecture.

The requirements at Security Level [Q] to provide documentation are important. However, it is also crucial that the Tested Code actually behaves as documented. If it does not, it is possible that this reflects insufficient care and that the code is also vulnerable due to bugs that were missed in implementation. It is also possible that the difference is an attempt to hide malicious code in the Tested Code.

4.3.2 Access Control

[Q] Implement Access Control
The Tested code MUST implement appropriate access control mechanisms, based on the documentation provided for [Q] Document Contract Logic.

There are several common methods to implement access control, such as Role-Based Access Control [RBAC], and bespoke access control is often implemented for a given use case. Using industry-standard methods can help simplify the process of auditing, But is not sufficient to determine that there are no risks arising either from errors in implementation or due to a maliciously-crafted contract.

It is particularly important that appropriate access control applies to payments, as noted in SWC-105, but other actions such as overwriting data as described in SWC-124, or changing specific access controls, also need to be appropriately protected [swcregistry]. This requirement matches [CWE-284] Improper Access Control.

See also "Access Restriction" in [solidity-patterns].