Web3Sec Community Checklist

Smart Contract Checks

Reentrant Calls

Fee on Transfer

Balance Modifications Outside of Transfers (rebasing/airdrops)

Upgradable Tokens

Flash Mintable Tokens

Tokens with Blocklists

Pausable Tokens

Approval Race Protections

Revert on Approval To Zero Address

Revert on Zero Value Transfers

Multiple Token Addresses

Low Decimals

High Decimals

transferFrom with src == msg.sender

Non-string metadata

Revert on Transfer to the Zero Address

No Revert on Failure

Revert on Large Approvals & Transfers

Code Injection Via Token Name

Unusual Permit Function

Using very small amounts as inputs (e.g., 1 wei)

Passing zero as an input

Using contracts that cannot accept ether

Gas griefing with external calls

Weird ERC20 tokens (fee-on-transfer, ERC777 hooks, missing return values, etc.)

Price manipulation

Blacklisted ERC20 addresses

Potential overflow/underflow

Block re-orgs

Reentrancy (721, inter-function, inter-contract, inter-system (read-only))

Sybil attacks on incentives/tokenomics

Flash loans (including flash mints, e.g. Dai)

Accepting any data from an arbitrary address (malicious bytes)

Inflating internal accounting by sending tokens to the system

Forced precision loss when precision really matters (minimum balance checks, etc.)

Addresses that might be empty at one point, yet house contract code at another

Reverting (external calls I can make revert, inputs I can use to cause a revert)

Unexpected addresses (provide a 'receiver' address pointing to another contract in the system)

Selector clashing

Signatures (replay, malleability, ecrecover returning the zero address, etc.)

Hash collision (encodePacked)

Checking external calls

Function visibility

Overflow and underflow prevention

Timestamp manipulation (only possible within a range of a few minutes)

Utilizing reliable and audited dependencies

Fix warnings to avoid tricky features

Validating inputs to external and public functions

Checking rounding errors and unexpected behaviors

Prevention of unbounded loops

Reducing reliance on pseudo-randomness

Using the latest Solidity versions and verifying changes between versions

Push payments and their correct usage

Old Solidity constructs and their frequent updates
