mev-toolkit/security.md at d44082f5cd6633cdfd465ec448255b9c727a04cc

mirror of https://github.com/autistic-symposium/mev-toolkit.git synced 2025-04-28 11:46:13 -04:00

bt3gl 2ad3f8a5a7

2022-03-10 18:56:23 +00:00

Basic security

tx.origin is used: you want to replace it by “msg.sender” because otherwise any contract you call can act on your behalf.
Avoid potential reetrancy bugs:

msg.sender.transfer(amount);
balances[msg.sender] -= amount;

Inline assembly should be used only in rare cases.
Unclear semantics: now is alias for block.timestamp not current time; use of low level call, callcode, delegatecall should be avoided whenever possible; use transfer whenever failure of ether transfer should rollnack the whole transaction.
Beware of caller contracts: selfdestruct can block calling contracts unexpectedly.
Invocation of local functions via this: never use this to call functions in the same contract, it only consumes more gas than normal call.
Transferring Ether in a for/while/do-while loop should be avoid due to the block gas limit.
ERC20 decimals should have uint8 as return type.