This repository contains common solidity vulnerability and attack vectors.

Adarsh-1806/Solidity-vulnerability-attacks

Solidity Smart Contract Checklist

1. Reentrancy
2. Sandwich attacks (front-running/back-running)
3. Flash loan attacks (oracle manipulation)
4. Block stuffing
5. DoS with revert or infinite gas consumption
6. DoS due to underflow
7. Metamorphic contracts (bytecode mutation)
8. Signature replay attacks
9. Short address attacks (Solidity <0.5.0)
10. Token approval griefing
11. Unexpected non-zero ether balance (selfdestruct)
12. Calls to arbitrary contracts
13. Assuming every address can accept ether (leads to DoS)
14. Force-feeding attacks
15. Weak on-chain randomness (prevrandao)
16. Unbounded loops (pagination)
17. Unbounded gas consumption from returning a lot of data
18. Default enum values
19. Duplicate array elements
20. Hash collisions with dynamic types (packed ABI encoding)
21. Storage collisions with delegatecall
22. Function selector collisions (zero selectors)
23. Wrong inheritance order
24. Strict equalities DoS
25. Integer overflow/underflow (Solidity <0.8.0)
26. Lack of precision in calculations
27. Access control via tx.origin
28. Problems with ERC20 decimals
29. Misinitialization of contracts (ownership/proxy)
30. Private key leaks in .env files
31. Directional character (U+202E) usage (Solidity <0.7.6)
32. Compiler bugs
33. Price oracle manipulation
34. Unlimited token allowance
35. Lack of access controls
36. Asserting contract from code size
37. Delegatecall to untrusted callee
38. Unsafe typecast
39. Write to arbitrary storage (collision)
40. Insufficient user-input validation
41. Unchecked return value
42. Message call with hard-coded gas
43. Short address attack
44. Divide before multiply
45. Unsafe ownership transfer
46. Improper array deletion
47. Dirty high-order bits
48. Floating-point arithmetic
49. Unexpected ether leading to DoS
50. Use of deprecated Solidity functions
51. Check for gas optimizations
52. Forcefully send ether with selfdestruct
53. Hidden malicious code
54. Honeypots
55. On-chain and off-chain data handling
56. Ineffective key management
57. Transaction order manipulation
58. Governance-related vulnerabilities
59. Incorrect integration
60. Vulnerable rebalancing/buyback mechanics
61. Faulty native token handling
62. Serialization/parsing issues
63. Naive trust assumptions
64. Uninitialized proxies
65. Reinitialization vulnerability
66. Incorrect special character handling
67. Botched upgrades
68. Governance takeovers
69. Flawed math
70. Transaction replay attack
71. Logic errors
72. Exploiting approvals
73. Gas siphoning
74. UI issues
75. Check for business logic vulnerabilities
76. Check for correct inheritance
77. Check whether the spot price from an AMM is used as an oracle
78. Check for tokens that use too many or too few decimals
79. Check whether internal accounting is mixed with actual balances
80. Check whether the contract approves tokens before transferFrom to avoid a revert
81. Check that the state variable layout is preserved when using delegatecall in proxy contracts
82. Check that events are emitted on critical functions
83. Fake proxy
84. The non-proxy proxy
85. Legit code, malicious initialization
86. Chainlink price is used without checking validity
