OWASP SCSTG


Introduction

The OWASP Smart Contract Security Testing Guide (SCSTG) aims to provide a comprehensive framework and methodology for testing the security of smart contracts, decentralized applications (dApps), and EVM-based blockchain systems.

SCSTG is designed to help developers, auditors, and security professionals effectively identify and mitigate vulnerabilities, ensuring the robustness and reliability of smart contracts in decentralized ecosystems.

We extend our gratitude to the organizations and individuals who have supported the project through time, resources, or funding. You can find the list of contributors and supporters on our “Supporter” page.

Please log issues if you identify any bugs or have suggestions for improvement. Based on discussions in the issues, we may ask you to open a pull request.

Initial Draft Version - 0.0.1

The latest stable version is version 0.0.1 (dated September 2024), available here:

The master branch of this repository contains the “bleeding edge version,” which may include in-progress changes or other updates.

Guide Objectives

The SCSTG was developed with the following goals in mind:

  1. Define Comprehensive Testing Methodologies: Establish a detailed methodology for identifying vulnerabilities specific to smart contracts and blockchain ecosystems.
  2. Standardize Security Testing Practices: Provide a standardized approach for testing common vulnerabilities such as reentrancy, integer overflows/underflows, access control flaws, and economic attacks.
  3. Enhance Testing Toolchains: Offer guidance on leveraging existing security tools, such as fuzzers, symbolic execution tools, and static/dynamic analyzers, for smart contract testing.
  4. Promote a Holistic Testing Approach: Emphasize end-to-end testing, including on-chain behavior, business logic, and interaction with decentralized systems.
  5. Educate Developers and Testers: Help developers and testers understand the nuances of blockchain security testing and implement secure testing practices.
  6. Keep Up with Evolving Threats: Continuously update the guide to address new threats, attack vectors, and blockchain innovations.
  7. Encourage Open Collaboration: Promote collaboration among developers, security experts, and researchers to improve the quality and applicability of the guide.

License

The entire project content is licensed under the Creative Commons Attribution-Share Alike v4.0 license.



Project Lead

Name        Affiliation    Personal Links
Shashank    CredShields    Twitter, LinkedIn

Contributors

Individuals that provided a significant contribution to the project:

Name               Affiliation    Personal Links
Pratik Lagaskar    CredShields    LinkedIn, Twitter
Nehal Pillai       CredShields    LinkedIn, Twitter

Supporters

Major Supporters and Sponsors

This initiative would not have been possible without the support of our sponsors and the resources they have provided. We would like to express our gratitude to the following for their support.

CredShields


The OWASP SCSTG project was initiated to share the knowledge gained from the CredShields Security Team’s research into Smart Contract security while developing SolidityScan.com, an AI-powered vulnerability scanner for Smart Contracts. We extend our gratitude to CredShields for their efforts in defining the initial requirements and founding this project.


The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

OWASP Smart Contract Security Testing Guide

  • Incubator Project

Classification

  • Documentation

Audience

  • Builder
  • Breaker
  • Defender
