Web3Exploit logoWeb3Exploit
← Back to Learn
Learn · Checklist

Solidity security checklist.

A bookmarkable reference. Every item has a stable ID you can cite in reviews, and links to the explainer and the case where it mattered.

14 items across 6 categories.
Reentrancy & External Calls
State integrity across external calls and callbacks.
W3X-REENT-01mediumrequires-context
State is finalized before any external call (checks-effects-interactions).

Every balance/accounting write happens before ETH transfers, token hooks, or callbacks.

W3X-REENT-02mediumrequires-context
Functions with external calls carry a reentrancy guard.

Apply a nonReentrant guard where control can leave the contract.

W3X-REENT-03mediumrequires-context
No split-brain accounting across contracts.

Values that must move together are updated on every path; one contract never reads a variable that another updates separately.

Oracles & Pricing
Manipulation-resistant price sources.
W3X-ORACLE-01mediumrequires-context
Prices are not read from raw spot AMM reserves.

Use TWAPs or vetted signed feeds that cannot move within one transaction.

W3X-ORACLE-02mediumrequires-context
Oracle staleness and sanity bounds are enforced.

Reject stale rounds and values outside a plausible band.

Flash Loans & Atomicity
Resilience to single-transaction capital amplification.
W3X-FLASH-01mediummanual-review
No reliance on tx.origin == msg.sender as an EOA guard.

EIP-7702 lets an EOA run code; this guard no longer implies 'not a contract'.

W3X-FLASH-02mediummanual-review
Invariants hold under flash-loan-scale, single-block moves.

Per-block change limits and manipulation-resistant inputs bound the blast radius.

Access Control
Correct authorization on privileged actions.
W3X-ACCESS-01highmanual-review
Every privileged function has an explicit, tested authorization check.

Minting, upgrading, withdrawing, and config changes are gated by role/owner checks.

W3X-ACCESS-02highmanual-review
Initializers are protected against re-initialization.

Guard against re-init and initializer front-running in upgradeable contracts.

Signing & Verification
Signed intent equals executed effect.
W3X-SIGN-01mediummanual-review
Signers can decode and verify calldata before approving.

No blind signing; the presented payload matches on-chain execution.

W3X-SIGN-02mediummanual-review
delegatecall targets are restricted or forbidden in multisig flows.

Prevent foreign code from rewriting the caller's storage context.

W3X-SIGN-03mediummanual-review
Replay protection and non-malleable signatures are enforced.

Bind to nonce and chainId; reject malleable signature forms.

Key Management & Operations
Operational security around signing.
W3X-KEY-01highmanual-review
High-value funds use multisig or MPC, not a single hot key.

Independent, hardware-isolated signers with least privilege.

W3X-KEY-02highmanual-review
Signing frontend supply chain is protected.

Integrity checks and dependency pinning for the signer UI and its assets.