Check list of static analysis

This list is meant to remind auditors of both common and rare issues in smart contract projects. It is drawn from our experience on previous audit projects.

Typical issues

  • Gas costs can be reduced under specific conditions:
      • Using string in a struct costs more gas than bytes32. See example
      • Unnecessary checks. See example
      • Assigning a variable and then returning it can be combined into one line. See example
      • Not caching a storage (global) variable in a local variable when it is read repeatedly. See example
      • uint256 can be used in place of uint8 to save gas: the EVM operates on 256-bit words, so a lone smaller type costs extra masking (packing several small fields into one storage slot is the exception). See example and the reason
  • Have all declared variables/modifiers/functions/events/files been used? See example_1, example_2
  • Is an event emitted after critical behaviour such as transfer/mint/burn/change of owner? See example_1, example_2
  • Prefer explicit declaration of variable types (uint256 rather than uint). See example_1, example_2
  • Prefer explicit declaration of variable access modifiers (visibility). See example
  • Use an up-to-date compiler release rather than an old one with known bugs. See example
  • The pragma version declaration should be at the top of the file, before any imports. See example
  • Enforce the use of a specific solc version (a pinned pragma, not a floating ^ range) and document the reasons. See example_1, example_2
  • Dead code should be removed. See example
  • Consistent naming convention (normally CapWords for contracts and mixedCase for functions and variables, per the Solidity style guide). See example_1, example_2
  • Make visibility explicitly declared on everything, functions and state variables alike. See example
  • Avoid magic numbers. See example
  • Comments need updating to reflect the code logic. See example
  • Use .transfer instead of .send: send returns false on failure, which is easy to ignore, while transfer reverts. Caveat: both forward only a 2300 gas stipend, which has been insufficient for some contract recipients since EIP-1884, so current practice is call{value: ...}("") with the returned bool checked and reentrancy guarded. See example
  • Convention is to use capital letters for the token "symbol". See example
  • Recommend using braces for single-line if/for statements. See example. See discussion
  • Functions should throw (revert) on failure instead of returning false. See example
  • Measure time milestones with timestamps, not block height, since block intervals vary; note that block producers can skew a timestamp by a few seconds, so do not rely on it for fine-grained ordering. See example
  • Improve code readability by making use of Solidity time units (1 days instead of 86400). See example
  • Inheritance should be declared explicitly. See example
  • Repeated safety checks can be replaced by a modifier. See example
  • Public state variables and functions should have different names to avoid duplicates, because a public state variable gets an auto-generated getter of the same name. See example
  • A function should return a result if its declaration says so. See example
  • Favour require() over if() statements for input validation. See example

Other issues