Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Clarify scope #220

Merged
merged 1 commit into from
Dec 12, 2019
Merged

Clarify scope #220

merged 1 commit into from
Dec 12, 2019

Conversation

maurelian
Copy link
Contributor

@maurelian maurelian commented Dec 6, 2019

Adds the following to the README

Scope of Weaknesses

SWCs should be concerned with weaknesses that can be identified within the code of a smart contract, typically Solidity.

Weaknesses in 'smart contract adjacent' code should not be included. For example, the gas siphoning attack occurs in wallet code, and should be protected against in wallet code.

@maurelian
Copy link
Contributor Author

Maybe more discussion is required about the scope. ie. Looking at this comment, it appears the original intent was to support testing and benchmarking of security analysis tools.

I think that's overly restrictive, and creates an obstacle to adoption. Some things are too subjective to automatically identify, but are definitely weaknesses (ie. #209).

@thec00n
Copy link
Collaborator

thec00n commented Dec 10, 2019

I am ok with narrowing down the scope to 'smart contract adjacent' code.

Looking at this comment, it appears the original intent was to support testing and benchmarking of security analysis tools.

The intent as described in https://eips.ethereum.org/EIPS/eip-1470 is to define weaknesses that are specific to smart contracts and to develop a way to create test cases so that auditors and tools alike have a way to identify them in the code samples. Historically most contributions came from folks that are working on tools but that does not mean though that the SWC-registry is only for tool builders. At the top of my head there are several categories of weaknesses that tools will have a very hard time in identifying ... nobody has added them yet though.

@thec00n thec00n merged commit 0f1063f into master Dec 12, 2019
@maurelian
Copy link
Contributor Author

The intent as described in https://eips.ethereum.org/EIPS/eip-1470 is to define weaknesses that are specific to smart contracts and to develop a way to create test cases so that auditors and tools alike have a way to identify them in the code samples.

Agree.

Historically most contributions came from folks that are working on tools but that does not mean though that the SWC-registry is only for tool builders. At the top of my head there are several categories of weaknesses that tools will have a very hard time in identifying ... nobody has added them yet though.

Great, lots to do. :)

thec00n pushed a commit that referenced this pull request Dec 18, 2019
* Add details to requirement_simple bytecode locations

* Tweak location info for SWC-128

* misformatted bytecode offsets

* Update README.md

Updating links and some minor textual changes.

* Slightly more descriptive error

* Print full error

* Clarify scope (#220)

* Kaden zipfel feature/gas griefing (#222)

* Insufficient gas griefing

* Add newlines

* Fix improper newlines

* Make changes to relayer contracts

* Add CWE reference

* Fix link

* Rename to SWC-126

* No target redeploy

* Fix compiler warnings

* Update SWC definition [ci skip]
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants