Solidity Security Standards

Language Rule

• Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Private Key Protection

• Store private keys in .env, load via source .env — never pass keys as CLI arguments
• Never expose private keys in logs, screenshots, conversations, or commits
• Provide .env.example with placeholder values for team reference
• Add .env to .gitignore — verify with git status before every commit

Security Decision Rules

When writing or reviewing Solidity code, apply these rules:

Situation	Required Action
External ETH/token transfer	Use ReentrancyGuard + Checks-Effects-Interactions (CEI) pattern
ERC20 token interaction	Use SafeERC20 — call safeTransfer / safeTransferFrom, never raw transfer / transferFrom
Owner-only function	Inherit Ownable2Step (preferred) or Ownable from OZ 4.9.x — Ownable2Step prevents accidental owner loss
Multi-role access	Use AccessControl from @openzeppelin/contracts/access/AccessControl.sol
Token approval	Use safeIncreaseAllowance / safeDecreaseAllowance from SafeERC20 — never raw approve
Price data needed	Use Chainlink AggregatorV3Interface if feed exists; otherwise TWAP with min-liquidity check — never use spot pool price directly
Upgradeable contract	Prefer UUPS (UUPSUpgradeable) over TransparentProxy; always use Initializable
Solidity version < 0.8.0	Must use SafeMath — but strongly prefer upgrading to 0.8.20+
Emergency scenario	Inherit Pausable, add whenNotPaused to user-facing functions; keep admin/emergency functions unpaused
Whitelist / airdrop	Use MerkleProof for gas-efficient verification — never store full address lists on-chain
Signature-based auth	Use ECDSA + EIP712 — never roll custom signature verification
Signature content	Signature must bind chainId + nonce + msg.sender + deadline — prevent replay and cross-chain reuse
Cross-chain bridge / third-party dependency	Audit all inherited third-party contract code — never assume dependencies are safe
Deprecated / legacy contracts	Permanently pause or selfdestruct deprecated contracts — never leave unused contracts callable on-chain
UUPS upgrade pattern	_authorizeUpgrade must have onlyOwner; implementation constructor calls _disableInitializers(); retain onlyProxy on upgradeTo — EVMbench/basin H-01
Multi-contract trust boundary	Router/Registry relay calls must verify source contract authorization; never trust caller identity inside flash loan callbacks — EVMbench/noya H-08
Counter/ID + external call	All counter increments and ID assignments must complete before external calls; ETH refunds must be last — EVMbench/phi H-06

Reentrancy Protection

• All contracts with external calls: inherit ReentrancyGuard, add nonReentrant modifier
  • Import: @openzeppelin/contracts/security/ReentrancyGuard.sol (OZ 4.9.x)
• Always apply CEI pattern even with ReentrancyGuard:
  1. Checks — validate all conditions (require)
  2. Effects — update state variables
  3. Interactions — external calls last

Input Validation

• Reject address(0) for all address parameters
• Reject zero amounts for fund transfers
• Validate array lengths match when processing paired arrays
• Bound numeric inputs to reasonable ranges (prevent dust attacks, gas griefing)

Gas Control

• Deployment commands must include --gas-limit (recommended >= 3,000,000)
• Monitor gas with forge test --gas-report — review before every PR
• Configure optimizer in foundry.toml: optimizer = true, optimizer_runs = 200
• Avoid unbounded loops over dynamic arrays — use pagination or pull patterns

Pre-Audit Checklist

Before submitting code for review or audit, verify:

Access & Control:

• All external/public functions have nonReentrant where applicable
• No tx.origin used for authentication (use msg.sender)
• No delegatecall to untrusted addresses
• Owner transfer uses Ownable2Step (not Ownable) to prevent accidental loss
• Contracts with user-facing functions inherit Pausable with pause() / unpause()
• UUPS _authorizeUpgrade has onlyOwner modifier — EVMbench/basin H-01
• Implementation constructor calls _disableInitializers() — EVMbench/basin H-01
• Router/Registry relay operations verify source contract authorization — EVMbench/noya H-08

Token & Fund Safety:

• All ERC20 interactions use SafeERC20 (safeTransfer / safeTransferFrom)
• No raw token.transfer() or require(token.transfer()) patterns
• Token approvals use safeIncreaseAllowance, not raw approve
• All external call return values checked

Code Quality:

• Events emitted for every state change
• No hardcoded addresses — use config or constructor params
• .env is in .gitignore

Oracle & Price (if applicable):

• Price data sourced from Chainlink feed or TWAP — never raw spot price
• Oracle has minimum liquidity check — revert if pool reserves too low
• Price deviation circuit breaker in place

Testing:

• forge test passes with zero failures
• forge coverage shows adequate coverage on security-critical paths
• Fuzz tests cover arithmetic edge cases (zero, max uint, boundary values)

Security Verification Commands

# Run all tests with gas report
forge test --gas-report

# Fuzz testing with higher runs for critical functions
forge test --fuzz-runs 10000

# Check test coverage
forge coverage

# Dry-run deployment to verify no runtime errors
forge script script/Deploy.s.sol --fork-url $RPC_URL -vvvv

# Static analysis (if slither installed locally)
slither src/

Slither MCP Integration (if available)

When slither MCP is configured, prefer it over the CLI for structured analysis:

Approach	When to Use
slither src/ (CLI)	Quick local scan, raw terminal output
slither MCP get_detector_results	Structured results with impact/confidence filtering, AI can parse and reason about findings
slither MCP get_contract_metadata	Understanding contract structure before reviewing code
slither MCP get_function_source	Locating exact function implementations faster than grep

Recommended: Use slither MCP when working with AI agents (results are structured and actionable). Use CLI for quick local checks during development.

Graceful degradation: If neither slither MCP nor slither CLI is available, rely on the Pre-Audit Checklist above and forge test --fuzz-runs 10000 for coverage.