4. Pitfalls and Best Practices 101.md

1. Solidity versions
2. Unlocked pragma
3. Multiple Solidity pragma
4. Incorrect access control
5. Unprotected withdraw function
6. Unprotected call to selfdestruct
7. Modifier side-effects
8. Incorrect modifier
9. Constructor names
10. Void constructor
11. Implicit constructor callValue check
12. Controlled delegatecall
13. Reentrancy vulnerabilities
14. ERC777 callbacks and reentrancy
15. Avoid transfer(), send() as reentrancy mitigations
16. Private on-chain data
17. Weak PRNG
18. Block values as time proxies
19. Integer overflow, underflow
20. Divide before multiply
21. Transaction order dependence
22. ERC20 approve() race condition
23. Signature malleability
24. ERC20 transfer() does not return boolean
25. Incorrect return values for ERC721 ownerOf()
26. Unexpected Ether and this.balance
27. fallback vs receive()
28. Dangerous strict equalities
29. Locked Ether
30. Dangerous usage of tx.origin
31. Contract check
32. Deleting a mapping within a struct
33. Tautology or contradiction
34. Boolean constant
35. Boolean equality
36. State-modifying functions
37. Return values of low-level calls
38. Account existence check for low-level calls
39. Dangerous shadowing
40. Dangerous state variable shadowing
41. Pre-declaration usage of local variables
42. Costly operations inside a loop
43. Calls inside a loop
44. DoS with block gas limit
45. Missing events
46. Unindexed event parameters
47. Incorrect event signature in libraries
48. Dangerous unary expressions
49. Missing zero address validation
50. Critical address change
51. assert(), require() state change
52. require() vs assert()
53. Deprecated keywords
54. Function default visibility
55. Incorrect inheritance order
56. Missing inheritance
57. Insufficient gas griefing
58. Modifying reference type parameters
59. Arbitrary jump with function type variable
60. Hash collisions with multiple variable length arguments
61. Malleability risk from dirty high order bits
62. Incorrect shift in assembly
63. Assembly usage
64. Right-To-Left-Override control character (U+202E)
65. Constant state variables
66. Similar variable names
67. Uninitialized state, local variables
68. Uninitialized storage pointers
69. Uninitialized function pointers in constructors
70. Long number literals
71. Out-of-range enum
72. Uncalled public functions
73. Dead, Unreachable code
74. Unused return values
75. Unused variables
76. Redundant statements
77. Storage array with signed Integers with ABIEncoderV2
78. Dynamic constructor arguments clipped with ABIEncoderV2
79. Storage array with multiSlot element with ABIEncoderV2
80. Calldata structs with statically sized and dynamically encoded members with ABIEncoderV2
81. Packed storage with ABIEncoderV2
82. Incorrect loads with Yul optimizer and ABIEncoderV2
83. Array slice dynamically encoded base type with ABIEncoderV2
84. Missing escaping in formatting with ABIEncoderV2
85. Double shift size overflow
86. Incorrect byte instruction optimization
87. Essential assignments removed with Yul Optimizer
88. Private methods overridden
89. Tuple assignment multi stack slot components
90. Dynamic array cleanup
91. Empty byte array copy
92. Memory array creation overflow
93. Calldata using for
94. Free function redefinition
95. Unprotected initializers in proxy-based upgradeable contracts
96. Initializing state-variables in proxy-based upgradeable contracts
97. Import upgradeable contracts in proxy-based upgradeable contracts
98. Avoid selfdestruct or delegatecall in proxy-based upgradeable contracts
99. State variables in proxy-based upgradeable contracts
100. Function ID collision between proxy, implementation in proxy-based upgradeable contracts
101. Function shadowing between proxy, contract in proxy-based upgradeable contracts