The purpose of this category is to ensure that the core features of the smart contract language promote secure, predictable, and maintainable code. By enforcing explicit declarations for mutability, visibility, and asset handling, and by ensuring clear syntax and function management, this category helps prevent vulnerabilities caused by ambiguity or poor design choices. It also encourages the use of standardized mechanisms for logging and error handling, so that contracts remain transparent and auditable throughout their lifecycle.
This section helps auditors evaluate the language's ability to facilitate secure development and provide a solid foundation for both developers and reviewers.
Ref Number | Name | Objective | Potential Issues |
---|---|---|---|
LI-001 | Explicit State Mutability and Visibility Declarations | Ensure the language requires explicit declaration of state mutability and visibility of functions and variables to prevent unexpected behaviors and potential vulnerabilities. | |
LI-002 | Function Selector Management | Ensure that selectors are uniquely and predictably generated, preventing collisions. Arbitrary selectors should not be allowed, and overloaded functions must produce distinct selectors. | |
LI-003 | Event Emissions and Logging | Ensure the language provides efficient and standardized mechanisms for event emissions and logging to enhance transparency and facilitate off-chain monitoring. | |
LI-004 | Misleading or Undefined Keywords | Ensure the language does not allow misleading or undefined keywords that can deceive reviewers and introduce hard-to-detect vulnerabilities. | |
LI-005 | Compiler Error Clarity | Ensure the compilation process is clear, and the compiler provides sufficient, meaningful error information to aid in quick identification and resolution of issues. | |
LI-006 | Deterministic and Verifiable Builds | Ensure the build output is deterministic and verifiable, so the same code always produces the same bytecode, aiding in verification and preventing supply chain attacks. | |
LI-007 | Error Propagation and Handling | Ensure errors are properly propagated and handled within contracts and during external calls to maintain predictable execution and prevent vulnerabilities. | |
LI-008 | Syntax Readability and Clarity | Ensure the language syntax is designed for readability and clarity to help developers write secure code and reduce mistakes. | |
LI-009 | Explicit Native Asset Handling | Ensure contracts cannot receive native assets without explicit handling to prevent unintended behaviors and vulnerabilities. | |
LI-010 | Built-In Methods Functionality | Ensure the language provides reliable and predictable built-in methods for essential tasks (e.g., hashing, encoding/decoding, concat) to prevent errors and vulnerabilities. | |
For more information, see also:
- Ethereum Smart Contract Best Practices - Visibility
- Introduction of `view` and `pure` keywords in Solidity
- On the Parity wallet multisig hack
- Lack of selector collision check - Stylus SDK audit
- Custom selector issue - Stylus SDK audit
- Custom selector issue - ink! audit
- Trojan Source: Invisible Vulnerabilities
- CVE-2021-42574: Bidirectional Override Vulnerability
- Hiding in Plain Sight
- concat built-in can corrupt memory - Vyper contest
- Audit Finding: Non-determinism in ink! contract builds