From 1a2bdcca46072469b6ca39c1c275870e6cc684ea Mon Sep 17 00:00:00 2001
From: bt3gl <1130416+bt3gl@users.noreply.github.com>
Date: Thu, 10 Mar 2022 18:55:54 +0000
Subject: [PATCH] Create security.md

---
 solidity/security.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 solidity/security.md

diff --git a/solidity/security.md b/solidity/security.md
new file mode 100644
index 0000000..106a22e
--- /dev/null
+++ b/solidity/security.md
@@ -0,0 +1,15 @@
+## Basic security
+
+
+* `tx.origin` is used: you want to replace it by “msg.sender” because otherwise any contract you call can act on your behalf.
+* potential reetrancy bugs: 
+```
+msg.sender.transfer(amount);
+balances[msg.sender] -= amount;
+```
+* inline assembly used: should be used only in rare cases
+* unclear semantics: `now` is alias for `block.timestamp` not current time; use of low level `call`, `callcode`, `delegatecall` should be avoided whenever possible; use `transfer` whenever failure of ether transfer should rollnack the whole transaction.
+* Beware of caller contracts: `selfdestruct` can block calling contracts unexpectedly.
+* Invocation of local functions via `this`: never use `this` to call functions in the same contract, it only consumes more gas than normal call.
+* Transferring Ether in a for/while/do-while loop should be avoid due to the block gas limit.
+* ERC20 `decimals` should have `uint8` as return type.