Below are notes pertaining to best practices for developing smart contracts on Ethereum and other EVM blockchains.
- CEI - Checks, Effects, Interactions
- Pull over Push
- msg.sender over tx.origin
- call{value: <amount>}("") with CEI or ReentrancyGuard over transfer() or send()
- Chainlink VRF over block.timestamp
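The practices in the list above, shown side by side as an added Solidity example (this is not code from these notes): an UnsafeVault that breaks checks-effects-interactions and authorizes with tx.origin, and a SafeVault that follows CEI, pays out with a pull-style withdraw, sends with call{value} under a reentrancy guard, and checks msg.sender. The ReentrancyGuard is a minimal inline version modelled on OpenZeppelin's so the file compiles on its own; all contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the notes. Contract and function names
// are assumptions chosen for the example.

/// Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard,
/// written inline so the file is self-contained).
abstract contract ReentrancyGuard {
    uint256 private _status = 1;

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

/// Anti-pattern: interaction before effect, tx.origin for authorization.
contract UnsafeVault {
    mapping(address => uint256) public balances;
    address public owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        // Interaction first: a receiver contract can re-enter withdraw()
        // while balances[msg.sender] is still unchanged.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0; // effect comes too late
    }

    /// tx.origin is the EOA that started the transaction, not the direct
    /// caller, so any contract the owner happens to call passes this check.
    function sweep(address payable to) external {
        require(tx.origin == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

/// Hardened version following the list above.
contract SafeVault is ReentrancyGuard {
    mapping(address => uint256) public balances;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit"); // precondition check
        balances[msg.sender] += msg.value;
    }

    /// Pull over push: each user withdraws their own balance, so the contract
    /// never loops over recipients and never depends on their code succeeding.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];            // Checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // Effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interactions
        require(ok, "transfer failed");
    }

    /// msg.sender is the direct caller, so an intermediary contract cannot
    /// borrow the owner's authority.
    function sweep(address payable to) external nonReentrant {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

SafeVault.withdraw is protected twice: the balance is zeroed before the external call (CEI), and nonReentrant rejects any re-entry that a receiver attempts anyway. call{value} is preferred over transfer()/send() because those forward a fixed 2300 gas stipend that can break legitimate receivers after gas-cost changes; the reentrancy protection that transfer() implicitly gave must then come from CEI or the guard.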
- Developer writes smart contract code
- Developer writes tests for smart contracts
- Static analysis tools are used to detect vulnerabilities in an automated fashion
- Contracts are deployed and tested on a test network
- A professional audit is conducted
- Audit report is provided detailing vulnerabilities and how to patch
- Vulnerabilities are patched prior to deploying to mainnet
The auditing-contracts repo details 5 common pitfalls when coding in Solidity.
- Missing input or precondition check
- Phishing vulnerability with tx.origin
- Incorrect calculation of output token amount
- Timestamp manipulation
- Block gas limit vulnerabilities
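An added Solidity example for four of the pitfalls above (the tx.origin one belongs with the msg.sender practice earlier in these notes); it is not code from the auditing-contracts repo. Each pitfall is shown as the flawed shape next to a corrected one inside one contract; reserves and payees are plain storage fields, and all names and the sample reserve values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the pitfalls listed above; not code from the
// auditing-contracts repo. Names and numbers are constructed for the example.
contract PitfallExamples {
    address public immutable owner;
    uint256 public reserveIn;
    uint256 public reserveOut;
    uint256 public deadline;
    address[] public payees;
    mapping(address => uint256) public owed;

    constructor(uint256 _reserveIn, uint256 _reserveOut) {
        owner = msg.sender;
        reserveIn = _reserveIn;
        reserveOut = _reserveOut;
    }

    // --- 1. Missing input or precondition check -------------------------
    // Anyone can set the reserves to anything, including zero, which later
    // makes quote() divide by zero.
    function setReservesUnchecked(uint256 rIn, uint256 rOut) external {
        reserveIn = rIn;
        reserveOut = rOut;
    }

    function setReserves(uint256 rIn, uint256 rOut) external {
        require(msg.sender == owner, "not owner");
        require(rIn > 0 && rOut > 0, "empty reserve");
        reserveIn = rIn;
        reserveOut = rOut;
    }

    // --- 2. Incorrect calculation of output token amount ----------------
    // Integer division truncates, so dividing before multiplying loses the
    // whole result: with reserveIn = 1000, reserveOut = 500 and amountIn = 10
    // quoteLossy() returns 0 while quote() returns 5.
    function quoteLossy(uint256 amountIn) external view returns (uint256) {
        return amountIn / reserveIn * reserveOut;
    }

    function quote(uint256 amountIn) external view returns (uint256) {
        require(amountIn > 0, "zero input");
        return amountIn * reserveOut / reserveIn; // multiply first, divide last
    }

    // --- 3. Timestamp manipulation --------------------------------------
    // The block producer chooses block.timestamp within a tolerated window,
    // so it must never decide a draw; randomness belongs to an oracle such
    // as Chainlink VRF (named in the notes above).
    function pickWinnerBad() external view returns (address) {
        return payees[block.timestamp % payees.length];
    }

    // Acceptable use: coarse deadlines where drift of a few seconds is harmless.
    function openFor(uint256 duration) external {
        require(msg.sender == owner, "not owner");
        deadline = block.timestamp + duration;
    }

    function isOpen() external view returns (bool) {
        return block.timestamp < deadline;
    }

    // --- 4. Block gas limit ---------------------------------------------
    function addPayee(address payee, uint256 amount) external payable {
        require(msg.sender == owner, "not owner");
        require(payee != address(0) && amount == msg.value, "bad payee or amount");
        payees.push(payee);
        owed[payee] += amount;
    }

    // Pushing every payment in one loop stops working once the payee list
    // grows past what one block can execute, and a single reverting payee
    // blocks all the others. The remedy is the pull pattern from the
    // best-practices list above: each payee claims their own amount.
    function payAllBad() external {
        for (uint256 i = 0; i < payees.length; i++) {
            (bool ok, ) = payees[i].call{value: owed[payees[i]]}("");
            require(ok, "payment failed");
            owed[payees[i]] = 0;
        }
    }
}
```

The quote functions are the point most worth testing in a unit test: call both with the values in the comment and the lossy one returns 0, which is exactly the kind of defect a static analyzer rarely flags but an audit or a fuzz test does.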