- Follow the Checks-Effects-Interactions pattern on every function that calls external contracts to prevent reentrancy attacks.
- Use `ReentrancyGuard` from OpenZeppelin and the `nonReentrant` modifier on all functions that transfer ETH or call untrusted external contracts.
- Never use `tx.origin` for authorization; use `msg.sender`. `tx.origin` is the externally owned account that started the transaction, so a victim tricked into calling a malicious contract would pass any `tx.origin` check in your contract on the attacker's behalf.
- Check `address(this).balance` before ETH transfers, but never build control flow on an exact contract balance: ETH can be force-sent to any address via `selfdestruct`, so keep internal accounting as the source of truth and treat `address(this).balance` as a lower bound.
- Apply the pull-payment pattern (let recipients withdraw ETH) instead of pushing ETH; pushing exposes you to reentrancy and to denial of service when a recipient reverts or when looping payouts exceed the block gas limit.
- Use `block.timestamp` only for time windows measured in minutes or more — miners can manipulate it by up to ~15 seconds.
- Run `slither .` and `myth analyze <contract.sol>` (the Mythril CLI binary is `myth`) as part of the CI pipeline to automatically detect known vulnerability patterns before deployment.
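The following contract is an added example written for this list, not code from any project it references; it combines Checks-Effects-Interactions, `nonReentrant`, `msg.sender` authorization, pull payments, and balance-independent accounting in one place. It assumes the OpenZeppelin v5 import path (v4 places `ReentrancyGuard` under `security/`), and the contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed OpenZeppelin Contracts v5 path (v4: security/ReentrancyGuard.sol).
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract PullPaymentVault is ReentrancyGuard {
    address public immutable owner;
    mapping(address => uint256) public pending; // per-recipient credits
    uint256 public totalPending;                // sum of all credits owed

    event Credited(address indexed to, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender; // authorization is bound to msg.sender, never tx.origin
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pull payments: instead of pushing ETH to a recipient (which lets a
    // reverting or gas-hungry recipient block payouts), record a credit
    // that the recipient withdraws later.
    function credit(address to) external payable onlyOwner {
        pending[to] += msg.value;
        totalPending += msg.value;
        emit Credited(to, msg.value);
    }

    // Checks-Effects-Interactions plus nonReentrant as defence in depth.
    function withdraw() external nonReentrant {
        uint256 amount = pending[msg.sender];            // Check
        require(amount > 0, "nothing to withdraw");
        pending[msg.sender] = 0;                         // Effects first
        totalPending -= amount;
        emit Withdrawn(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interaction last
        require(ok, "transfer failed");
    }

    // Internal accounting, not address(this).balance, is the source of truth:
    // selfdestruct can force ETH in, so the balance is only a lower bound and
    // any surplus is reported rather than relied on.
    function surplus() external view returns (uint256) {
        return address(this).balance - totalPending;
    }
}
```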