$ A Pragmatic Smart Contract Security Checklist
Most exploits aren't novel cryptography. They're the same 12 mistakes, repeated. Here's the checklist I run before any audit.
Security in Solidity is mostly discipline, not cleverness. Run through this list before you ship.
Reentrancy
Use the checks-effects-interactions pattern. Update state before external calls. nonReentrant is a backstop, not a primary defense.
Integer math
Solidity 0.8+ panics on overflow, but unchecked blocks bring the danger back. Audit every unchecked.
Access control
Every external function should answer: who can call this? If you can't answer in one sentence, add a modifier.
Oracle manipulation
Spot prices from a single DEX are not oracles. Use Chainlink, or TWAPs over a meaningful window.
Upgradeability
Storage layout is sacred. Adding a variable in the middle of a UUPS contract is a multi-million-dollar mistake. Use storage gaps, or don't upgrade.
Front-running
Anything sensitive to ordering needs commit-reveal, batched auctions, or a private mempool. "Just trust the sequencer" is a vibe, not a security model.
The free wins
Run Slither, Mythril, and a fuzz suite (Foundry's forge test --fuzz-runs 10000) on every PR. They catch the boring 80%.