solidity-security

SKILL.md

| External ETH/token transfer | Use ReentrancyGuard + Checks-Effects-Interactions (CEI) pattern | | ERC20 token interaction | Use SafeERC20 — call safeTransfer / safeTransferFrom, never raw transfer / transferFrom | | Owner-only function | Inherit Ownable2Step (preferred) or Ownable from OZ 4.9.x — Ownable2Step prevents accidental owner loss |

| Multi-role access | Use AccessControl from @openzeppelin/contracts/access/AccessControl.sol | | Token approval | Use safeIncreaseAllowance / safeDecreaseAllowance from SafeERC20 — never raw approve | | Price data needed | Use Chainlink AggregatorV3Interface if feed exists; otherwise TWAP with min-liquidity check — never use spot pool price directly |

| Upgradeable contract | Prefer UUPS (UUPSUpgradeable) over TransparentProxy; always use Initializable | | Solidity version < 0.8.0 | Must use SafeMath — but strongly prefer upgrading to 0.8.20+ | | Emergency scenario | Inherit Pausable, add whenNotPaused to user-facing functions; keep admin/emergency functions unpaused |

查看原文