Starting with asset flow, assets are Ether or ERC20/ERC721/other tokens managed by smart contracts.
Given that exploits target assets of value, it makes sense to start evaluating the flow of assets into/outside/within/across smart contracts and their dependencies.
- Who: Assets should be withdrawn/deposited only by authorised/specified addresses as per application logic
- When: Assets should be withdrawn/deposited only in authorised/specified time windows or under authorised/specified conditions as per application logic (when)
- Which: Assets, only those authorised/specified types, should be withdrawn/deposited as per application logic
- Why: Assets should be withdrawn/deposited only for authorised/specified reasons as per application logic
- Where: Assets should be withdrawn/deposited only to authorised/specified addresses as per application logic
- What type: Assets, only of authorised/specified types, should be withdrawn/deposited as per application logic
- How much: Assets, only in authorised/specified amounts, should be withdrawn/deposited as per application logic
- Assets: ETH or ERC20/ERC721 tokens
- Who/When/Which
- Why/Where
- What Type/How Much