Smart Contract Security Checklist for Solidity Developers

Apply OpenZeppelin's ReentrancyGuard or implement checks-effects-interactions pattern on any function that makes external calls.

Always update state variables before making external calls. Never update state after external calls.

Check if an attacker can re-enter through a different function that shares state with the vulnerable function.

View functions called by other protocols can return stale data during reentrancy. Mark state-changing functions appropriately.

If your contract interacts with arbitrary ERC-20s, ensure you're protected against ERC-777 callbacks.

onERC721Received and onERC1155Received can be reentrancy vectors. Protect accordingly.

If your contract can be called within a flashloan, ensure all invariants hold within a single transaction.

Write invariant tests that attempt reentrancy during fuzzing to catch edge cases.

Add NatSpec comments explaining which functions are reentrancy-safe and why.

Where possible, let users withdraw funds rather than pushing to them automatically.

Use OpenZeppelin's AccessControl or Ownable2Step for managing admin permissions.

Implement Ownable2Step to prevent accidental ownership loss from typos in transfer.

Audit every function that should be restricted and ensure proper modifiers are applied.

For upgradeable contracts, ensure initializers can only be called once and by the deployer.

Validate that critical addresses (owner, admin, fee recipient) cannot be set to address(0).

Add time delays for critical admin functions to give users time to react.

Ensure internal/private functions aren't accidentally exposed as public/external.

Any delegatecall to user-controlled addresses can be used to hijack the contract.

Ensure ownership is properly assigned during deployment, not left as address(0).

Write tests that verify unauthorized users cannot access restricted functions.

Solidity 0.8+ has built-in overflow/underflow checks. For unchecked blocks, verify manually.

Check all division operations for potential zero denominators.

Order operations to minimize precision loss: multiply before divide.

Ensure array access uses valid indices, especially with user-supplied indices.

Verify fallback/receive functions don't accidentally catch intended function calls.

Always check return values from external calls, especially low-level calls.

Some tokens don't return booleans. Use SafeERC20 to handle all cases.

If using deadlines, ensure block.timestamp comparisons are correct (< vs <=).

Use OpenZeppelin's ECDSA library which handles signature malleability.

Include chainId in EIP-712 signatures to prevent cross-chain replay attacks.

Avoid iterating over arrays that can grow unboundedly. Use pagination or caps.

Use .call{gas: X}() to prevent called contracts from consuming all gas.

Ensure no operation can exceed block gas limit, making the contract unusable.

Check that oracle prices are recent and not stale. Implement heartbeat checks.

Allow users to specify minimum output amounts to prevent sandwich attacks.

Assume an attacker can borrow unlimited capital in a single transaction.

Use commit-reveal or private mempools for operations sensitive to ordering.

Ensure fee percentages don't overflow and are capped at reasonable values.

Fuzz test with type(uint256).max and 0 to catch edge cases.

Analyze if any actor has incentive to act maliciously. Design for adversarial conditions.

Execute 'slither .' and address all high/medium findings.

Create and run invariant tests to catch unexpected state violations.

Use 'forge coverage' to ensure all code paths are tested.

Deploy to Sepolia/Goerli and verify behavior matches expectations.

Publish source code on Etherscan for transparency.

Create runbooks for pausing, upgrading, and recovering from incidents.

Configure alerts for unusual activity using Tenderly, Forta, or OpenZeppelin Defender.

Have a colleague review the code or wait 24 hours before final deployment.

For contracts holding significant value, engage a professional auditor.

Set up an Immunefi bounty to incentivize responsible disclosure.