Перайсці да асноўнага зместу

Smart contract security guidelines

soliditysmart contractssecurity
Intermediate
Trailofbits
Building secure contracts(opens in a new tab)
6 верасня 2020 г.
4 minute read minute read

Follow these high-level recommendations to build more secure smart contracts.

Design guidelines

The design of the contract should be discussed ahead of time, prior to writing any line of code.

Documentation and specifications

Documentation can be written at different levels, and should be updated while implementing the contracts:

On-chain vs off-chain computation

  • Keep as much code as you can off-chain. Keep the on-chain layer small. Pre-process data with code off-chain in such a way that verification on-chain is simple. Do you need an ordered list? Sort the list offchain, then only check its order onchain.

Upgradeability

We discussed the different upgradeability solutions in our blogpost(opens in a new tab). Make a deliberate choice to support upgradeability or not prior to writing any code. The decision will influence how you structure your code. In general, we recommend:

Implementation guidelines

Strive for simplicity. Always use the simplest solution that fits your purpose. Any member of your team should be able to understand your solution.

Function composition

The architecture of your codebase should make your code easy to review. Avoid architectural choices that decrease the ability to reason about its correctness.

  • Split the logic of your system, either through multiple contracts or by grouping similar functions together (for example, authentication, arithmetic, ...).
  • Write small functions, with a clear purpose. This will facilitate easier review and allow the testing of individual components.

Inheritance

Events

  • Log all crucial operations. Events will help to debug the contract during the development, and monitor it after deployment.

Avoid known pitfalls

Dependencies

Testing and verification

Solidity

Deployment guidelines

Once the contract has been developed and deployed:

Ці было гэтае кіраўніцтва карысным?