Development Workflow
Last updated
Last updated
Check for known security issues:
Review your contracts with . It has more than 70 built-in detectors for common vulnerabilities. Run it on every check-in with new code and ensure it gets a clean report (or use triage mode to silence certain issues).
Consider special features of your contract:
Are your contracts upgradeable? Review your upgradeability code for flaws with or . We've documented 17 ways upgrades can go sideways.
Do your contracts purport to conform to ERCs? Check them with . This tool instantly identifies deviations from six common specs.
Do you have unit tests in Truffle? Enrich them with . It automatically generates a robust suite of security properties for features of ERC20 based on your specific code.
Do you integrate with 3rd party tokens? Review our before relying on external contracts.
Visually inspect critical security features of your code:
Review Slither's printer. Avoid inadvertent shadowing and C3 linearization issues.
Review Slither's printer. It reports function visibility and access controls.
Review Slither's printer. It reports access controls on state variables.
Document critical security properties and use automated test generators to evaluate them:
Learn to . It's tough as first, but it's the single most important activity for achieving a good outcome. It's also a prerequisite for using any of the advanced techniques in this tutorial.
Define security properties in Solidity, for use with and . Focus on your state machine, access controls, arithmetic operations, external interactions, and standards conformance.
Define security properties with . Focus on inheritance, variable dependencies, access controls, and other structural issues.
Finally, be mindful of issues that automated tools cannot easily find:
Lack of privacy: everyone else can see your transactions while they're queued in the pool
Front running transactions
Cryptographic operations
Risky interactions with external DeFi components