Top Related Projects
OpenZeppelin Contracts is a library for secure smart contract development.
Static Analyzer for Solidity and Vyper
Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
Comprehensive list of known attack vectors and common anti-patterns
Quick Overview
Consensys/smart-contract-best-practices is a comprehensive guide for writing secure Ethereum smart contracts. It provides a collection of security recommendations, known vulnerabilities, and best practices for developers working with Solidity and the Ethereum blockchain. The repository serves as an essential resource for both beginners and experienced smart contract developers.
Pros
- Regularly updated with the latest security findings and best practices
- Covers a wide range of topics, from basic security considerations to advanced techniques
- Includes real-world examples and case studies of vulnerabilities and attacks
- Maintained by ConsenSys, a reputable organization in the Ethereum ecosystem
Cons
- May be overwhelming for complete beginners due to the depth of information
- Some sections might become outdated as the Ethereum ecosystem evolves rapidly
- Lacks interactive elements or tools for automated security checks
- Primarily focuses on Solidity, with limited coverage of other smart contract languages
Code Examples
This repository is not a code library but a collection of best practices and guidelines. Therefore, there are no specific code examples to showcase. However, the repository does contain code snippets illustrating various security concepts and vulnerabilities.
Getting Started
As this is not a code library, there are no specific getting started instructions. However, to make the most of this resource:
-
Clone the repository:
git clone https://github.com/ConsenSys/smart-contract-best-practices.git -
Navigate to the
docsfolder to find the main content. -
Start with the "General Philosophy" section to understand the overarching principles of smart contract security.
-
Explore specific topics of interest, such as "Known Attacks" or "Software Engineering Techniques."
-
Regularly check for updates and new additions to stay informed about the latest security practices in smart contract development.
Competitor Comparisons
OpenZeppelin Contracts is a library for secure smart contract development.
Pros of openzeppelin-contracts
- Provides a comprehensive library of reusable smart contracts
- Regularly audited and maintained by security experts
- Extensive documentation and usage examples
Cons of openzeppelin-contracts
- May include unnecessary complexity for simple projects
- Requires understanding of the library's architecture and patterns
- Potential for over-reliance on third-party code
Code Comparison
smart-contract-best-practices (guidelines example):
// Bad
function transfer(address _to, uint256 _value) {
balances[msg.sender] -= _value;
balances[_to] += _value;
}
// Good
function transfer(address _to, uint256 _value) {
require(balances[msg.sender] >= _value, "Insufficient balance");
balances[msg.sender] -= _value;
balances[_to] += _value;
}
openzeppelin-contracts (implementation example):
function transfer(address recipient, uint256 amount) public virtual override returns (bool) {
_transfer(_msgSender(), recipient, amount);
return true;
}
function _transfer(address sender, address recipient, uint256 amount) internal virtual {
require(sender != address(0), "ERC20: transfer from the zero address");
require(recipient != address(0), "ERC20: transfer to the zero address");
_beforeTokenTransfer(sender, recipient, amount);
_balances[sender] = _balances[sender].sub(amount, "ERC20: transfer amount exceeds balance");
_balances[recipient] = _balances[recipient].add(amount);
emit Transfer(sender, recipient, amount);
}
Static Analyzer for Solidity and Vyper
Pros of Slither
- Automated static analysis tool for detecting vulnerabilities and code smells
- Provides a wide range of built-in detectors and custom analysis capabilities
- Integrates well with CI/CD pipelines for continuous security checks
Cons of Slither
- Requires technical knowledge to interpret and act on results effectively
- May produce false positives that need manual verification
- Limited to static analysis, missing runtime or dynamic vulnerabilities
Code Comparison
Smart-contract-best-practices (documentation example):
function transfer(address recipient, uint256 amount) public returns (bool) {
require(balanceOf[msg.sender] >= amount, "Insufficient balance");
balanceOf[msg.sender] -= amount;
balanceOf[recipient] += amount;
emit Transfer(msg.sender, recipient, amount);
return true;
}
Slither (detection example):
from slither.detectors.abstract_detector import AbstractDetector
class CustomDetector(AbstractDetector):
def detect(self):
results = []
for contract in self.contracts:
# Custom detection logic here
return results
Summary
While Smart-contract-best-practices provides comprehensive guidelines and best practices for writing secure smart contracts, Slither offers automated tools for detecting vulnerabilities. Smart-contract-best-practices is more educational and manual, while Slither provides automated checks that can be integrated into development workflows. Both serve complementary roles in enhancing smart contract security.
Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
Pros of Mythril
- Automated security analysis tool for Ethereum smart contracts
- Detects a wide range of vulnerabilities using symbolic execution and SMT solving
- Provides detailed reports with vulnerability descriptions and potential fixes
Cons of Mythril
- Requires technical expertise to interpret results and implement fixes
- May produce false positives or miss certain complex vulnerabilities
- Focuses on security analysis rather than providing general best practices
Code Comparison
smart-contract-best-practices (documentation):
// Example of a reentrancy guard
uint256 private constant _NOT_ENTERED = 1;
uint256 private constant _ENTERED = 2;
uint256 private _status;
modifier nonReentrant() {
require(_status != _ENTERED, "ReentrancyGuard: reentrant call");
Mythril (analysis output):
==== External Call To User-Supplied Address ====
SWC ID: 107
Severity: Low
Contract: Victim
Function name: withdraw(uint256)
PC address: 649
Estimated Gas Usage: 7406 - 62899
The smart-contract-best-practices repository provides code examples and explanations for best practices, while Mythril generates analysis reports identifying potential vulnerabilities in existing smart contracts.
Comprehensive list of known attack vectors and common anti-patterns
Pros of solidity-security-blog
- More focused on specific security vulnerabilities and attack vectors
- Provides detailed explanations with real-world examples
- Regularly updated with new security findings and best practices
Cons of solidity-security-blog
- Less comprehensive coverage of general smart contract development best practices
- Smaller community and fewer contributors compared to smart-contract-best-practices
- May be more challenging for beginners to navigate and understand
Code Comparison
smart-contract-best-practices:
function transfer(address to, uint256 amount) public {
require(balances[msg.sender] >= amount, "Insufficient balance");
balances[msg.sender] -= amount;
balances[to] += amount;
}
solidity-security-blog:
function transfer(address to, uint256 amount) public {
require(balances[msg.sender] >= amount, "Insufficient balance");
balances[msg.sender] = balances[msg.sender].sub(amount);
balances[to] = balances[to].add(amount);
}
The solidity-security-blog example uses SafeMath to prevent integer overflow/underflow, demonstrating a more security-focused approach.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Smart Contract Security Best Practices
Visit the documentation site: https://consensys.github.io/smart-contract-best-practices/
Read the docs in Chinese: https://github.com/ConsenSys/smart-contract-best-practices/blob/master/README-zh.md Read the docs in Vietnamese: https://github.com/ConsenSys/smart-contract-best-practices/blob/master/README-vi.md
Contributions are welcome!
Feel free to submit a pull request, with anything from small fixes, to full new sections. If you are writing new content, please reference the contributing page for guidance on style.
See the issues for topics that need to be covered or updated. If you have an idea you'd like to discuss, please chat with us in Gitter.
Building the documentation site
git clone git@github.com:ConsenSys/smart-contract-best-practices.git
cd smart-contract-best-practices
pip install -r requirements.txt
mkdocs build
To run the server (and restart on failure):
until mkdocs serve; do :; done
You can also use the mkdocs serve command to view the site on localhost, and live reload whenever you save changes.
Redeploying the documentation site
mkdocs gh-deploy
Top Related Projects
OpenZeppelin Contracts is a library for secure smart contract development.
Static Analyzer for Solidity and Vyper
Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.
Comprehensive list of known attack vectors and common anti-patterns
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot