SoliditySolidity避坑指南

Reentrancy

• - External calls before state updates — attacker can re-enter before state changes
• Checks-Effects-Interactions pattern — validate, update state, THEN external call
• INLINECODE0 from OpenZeppelin — use nonReentrant modifier on vulnerable functions
• INLINECODE2 and send() have 2300 gas limit — but don't rely on this for security

Integer Handling

• - Solidity 0.8+ reverts on overflow — but unchecked {} blocks bypass this
• Division truncates toward zero — 5 / 2 = 2, no decimals
• Use fixed-point math for precision — multiply before divide, or use libraries
• INLINECODE6 for max value — don't hardcode large numbers

Gas Gotchas

• - Unbounded loops can exceed block gas limit — paginate or limit iterations
• Storage writes cost 20k gas — memory/calldata much cheaper
• INLINECODE7 refunds gas but has limits — refund capped, don't rely on it
• Reading storage in loop — cache in memory variable first

Visibility and Access

• - State variables default to internal — not private, derived contracts see them
• INLINECODE10 doesn't mean hidden — all blockchain data is public, just not accessible from other contracts
• INLINECODE11 is original sender — use msg.sender, tx.origin enables phishing attacks
• INLINECODE14 can't be called internally — use public or this.func() (wastes gas)

Ether Handling

• - payable required to receive ether — non-payable functions reject ether
• INLINECODE18 sends ether bypassing fallback — contract can receive ether without receive function
• Check return value of send() — returns false on failure, doesn't revert
• INLINECODE20 preferred over transfer() — forward all gas, check return value

Storage vs Memory

• - storage persists, memory is temporary — storage costs gas, memory doesn't persist
• Structs/arrays parameter default to memory — explicit storage to modify state
• INLINECODE26 for external function inputs — read-only, cheaper than memory
• Storage layout matters for upgrades — never reorder or remove storage variables

Upgradeable Contracts

• - Constructors don't run in proxies — use initialize() with initializer modifier
• Storage collision between proxy and impl — use EIP-1967 storage slots
• Never selfdestruct implementation — breaks all proxies pointing to it
• INLINECODE30 uses caller's storage — impl contract storage layout must match proxy

Common Mistakes

• - Block timestamp can be manipulated slightly — don't use for randomness or precise timing
• INLINECODE31 for user errors, assert for invariants — assert failures indicate bugs
• String comparison with == doesn't work — use INLINECODE34
• Events not indexed — first 3 params can be indexed for efficient filtering