mev-toolkit/solidity/security.md at 1a2bdcca46072469b6ca39c1c275870e6cc684ea

mirror of https://github.com/autistic-symposium/mev-toolkit.git synced 2025-05-01 22:36:16 -04:00

bt3gl 1a2bdcca46

2022-03-10 18:55:54 +00:00

Basic security

tx.origin is used: you want to replace it by “msg.sender” because otherwise any contract you call can act on your behalf.
potential reetrancy bugs:

msg.sender.transfer(amount);
balances[msg.sender] -= amount;

inline assembly used: should be used only in rare cases
unclear semantics: now is alias for block.timestamp not current time; use of low level call, callcode, delegatecall should be avoided whenever possible; use transfer whenever failure of ether transfer should rollnack the whole transaction.
Beware of caller contracts: selfdestruct can block calling contracts unexpectedly.
Invocation of local functions via this: never use this to call functions in the same contract, it only consumes more gas than normal call.
Transferring Ether in a for/while/do-while loop should be avoid due to the block gas limit.
ERC20 decimals should have uint8 as return type.