Convert Figma logo to code with AI

Consensys logosmart-contract-best-practices

A guide to smart contract security best practices

7,489
1,480
7,489
28

Top Related Projects

OpenZeppelin Contracts is a library for secure smart contract development.

5,296

Static Analyzer for Solidity and Vyper

3,860

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.

Comprehensive list of known attack vectors and common anti-patterns

Quick Overview

Consensys/smart-contract-best-practices is a comprehensive guide for writing secure Ethereum smart contracts. It provides a collection of security recommendations, known vulnerabilities, and best practices for developers working with Solidity and the Ethereum blockchain. The repository serves as an essential resource for both beginners and experienced smart contract developers.

Pros

  • Regularly updated with the latest security findings and best practices
  • Covers a wide range of topics, from basic security considerations to advanced techniques
  • Includes real-world examples and case studies of vulnerabilities and attacks
  • Maintained by ConsenSys, a reputable organization in the Ethereum ecosystem

Cons

  • May be overwhelming for complete beginners due to the depth of information
  • Some sections might become outdated as the Ethereum ecosystem evolves rapidly
  • Lacks interactive elements or tools for automated security checks
  • Primarily focuses on Solidity, with limited coverage of other smart contract languages

Code Examples

This repository is not a code library but a collection of best practices and guidelines. Therefore, there are no specific code examples to showcase. However, the repository does contain code snippets illustrating various security concepts and vulnerabilities.

Getting Started

As this is not a code library, there are no specific getting started instructions. However, to make the most of this resource:

  1. Clone the repository:

    git clone https://github.com/ConsenSys/smart-contract-best-practices.git
    
  2. Navigate to the docs folder to find the main content.

  3. Start with the "General Philosophy" section to understand the overarching principles of smart contract security.

  4. Explore specific topics of interest, such as "Known Attacks" or "Software Engineering Techniques."

  5. Regularly check for updates and new additions to stay informed about the latest security practices in smart contract development.

Competitor Comparisons

OpenZeppelin Contracts is a library for secure smart contract development.

Pros of openzeppelin-contracts

  • Provides a comprehensive library of reusable smart contracts
  • Regularly audited and maintained by security experts
  • Extensive documentation and usage examples

Cons of openzeppelin-contracts

  • May include unnecessary complexity for simple projects
  • Requires understanding of the library's architecture and patterns
  • Potential for over-reliance on third-party code

Code Comparison

smart-contract-best-practices (guidelines example):

// Bad
function transfer(address _to, uint256 _value) {
    balances[msg.sender] -= _value;
    balances[_to] += _value;
}

// Good
function transfer(address _to, uint256 _value) {
    require(balances[msg.sender] >= _value, "Insufficient balance");
    balances[msg.sender] -= _value;
    balances[_to] += _value;
}

openzeppelin-contracts (implementation example):

function transfer(address recipient, uint256 amount) public virtual override returns (bool) {
    _transfer(_msgSender(), recipient, amount);
    return true;
}

function _transfer(address sender, address recipient, uint256 amount) internal virtual {
    require(sender != address(0), "ERC20: transfer from the zero address");
    require(recipient != address(0), "ERC20: transfer to the zero address");
    _beforeTokenTransfer(sender, recipient, amount);
    _balances[sender] = _balances[sender].sub(amount, "ERC20: transfer amount exceeds balance");
    _balances[recipient] = _balances[recipient].add(amount);
    emit Transfer(sender, recipient, amount);
}
5,296

Static Analyzer for Solidity and Vyper

Pros of Slither

  • Automated static analysis tool for detecting vulnerabilities and code smells
  • Provides a wide range of built-in detectors and custom analysis capabilities
  • Integrates well with CI/CD pipelines for continuous security checks

Cons of Slither

  • Requires technical knowledge to interpret and act on results effectively
  • May produce false positives that need manual verification
  • Limited to static analysis, missing runtime or dynamic vulnerabilities

Code Comparison

Smart-contract-best-practices (documentation example):

function transfer(address recipient, uint256 amount) public returns (bool) {
    require(balanceOf[msg.sender] >= amount, "Insufficient balance");
    balanceOf[msg.sender] -= amount;
    balanceOf[recipient] += amount;
    emit Transfer(msg.sender, recipient, amount);
    return true;
}

Slither (detection example):

from slither.detectors.abstract_detector import AbstractDetector

class CustomDetector(AbstractDetector):
    def detect(self):
        results = []
        for contract in self.contracts:
            # Custom detection logic here
        return results

Summary

While Smart-contract-best-practices provides comprehensive guidelines and best practices for writing secure smart contracts, Slither offers automated tools for detecting vulnerabilities. Smart-contract-best-practices is more educational and manual, while Slither provides automated checks that can be integrated into development workflows. Both serve complementary roles in enhancing smart contract security.

3,860

Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.

Pros of Mythril

  • Automated security analysis tool for Ethereum smart contracts
  • Detects a wide range of vulnerabilities using symbolic execution and SMT solving
  • Provides detailed reports with vulnerability descriptions and potential fixes

Cons of Mythril

  • Requires technical expertise to interpret results and implement fixes
  • May produce false positives or miss certain complex vulnerabilities
  • Focuses on security analysis rather than providing general best practices

Code Comparison

smart-contract-best-practices (documentation):

// Example of a reentrancy guard
uint256 private constant _NOT_ENTERED = 1;
uint256 private constant _ENTERED = 2;
uint256 private _status;

modifier nonReentrant() {
    require(_status != _ENTERED, "ReentrancyGuard: reentrant call");

Mythril (analysis output):

==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: Victim
Function name: withdraw(uint256)
PC address: 649
Estimated Gas Usage: 7406 - 62899

The smart-contract-best-practices repository provides code examples and explanations for best practices, while Mythril generates analysis reports identifying potential vulnerabilities in existing smart contracts.

Comprehensive list of known attack vectors and common anti-patterns

Pros of solidity-security-blog

  • More focused on specific security vulnerabilities and attack vectors
  • Provides detailed explanations with real-world examples
  • Regularly updated with new security findings and best practices

Cons of solidity-security-blog

  • Less comprehensive coverage of general smart contract development best practices
  • Smaller community and fewer contributors compared to smart-contract-best-practices
  • May be more challenging for beginners to navigate and understand

Code Comparison

smart-contract-best-practices:

function transfer(address to, uint256 amount) public {
    require(balances[msg.sender] >= amount, "Insufficient balance");
    balances[msg.sender] -= amount;
    balances[to] += amount;
}

solidity-security-blog:

function transfer(address to, uint256 amount) public {
    require(balances[msg.sender] >= amount, "Insufficient balance");
    balances[msg.sender] = balances[msg.sender].sub(amount);
    balances[to] = balances[to].add(amount);
}

The solidity-security-blog example uses SafeMath to prevent integer overflow/underflow, demonstrating a more security-focused approach.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

get in touch with Consensys Diligence
[ 🌐 📩 🔥 ]

Smart Contract Security Best Practices

Visit the documentation site: https://consensys.github.io/smart-contract-best-practices/

Read the docs in Chinese: https://github.com/ConsenSys/smart-contract-best-practices/blob/master/README-zh.md Read the docs in Vietnamese: https://github.com/ConsenSys/smart-contract-best-practices/blob/master/README-vi.md

Contributions are welcome!

Feel free to submit a pull request, with anything from small fixes, to full new sections. If you are writing new content, please reference the contributing page for guidance on style.

See the issues for topics that need to be covered or updated. If you have an idea you'd like to discuss, please chat with us in Gitter.

Building the documentation site

git clone git@github.com:ConsenSys/smart-contract-best-practices.git
cd smart-contract-best-practices
pip install -r requirements.txt
mkdocs build 

To run the server (and restart on failure):

until mkdocs serve; do :; done

You can also use the mkdocs serve command to view the site on localhost, and live reload whenever you save changes.

Redeploying the documentation site

mkdocs gh-deploy