Any external or public functions need to be analyzed to determine whether the contract can be attacked if a user re-enters that function or another.
ERC20 token interactions should always use SafeERC20 safeApprove and safeTransferFrom in the OpenZeppelin library.
Any math operations need to be checked for overflow and underflow conditions, using SafeMath or similar.
The contract should minimize trust in external calls.
All arguments, whether to an event or function, must be typed when possible.
address types should be avoided in favour of contract or interface types
Events must be emitted for any significant state change or event.
Names and documentation must be spelled correctly with no grammatical errors.
A complete readme must be included with the project. It needs:
a complete description
all test commands
deployment instructions and information
information on any additional scripts
Contracts must have (at minimum):
@title: short title. shouldn't repeat the description
@notice: descriptive enough so that the reader understands the intent of the contract.
Functions must have (at minimum):
@notice: explain what the function does
@param: explain each parameter
@return: explain the return param(s)
Events must have (at minimum):
@notice: describe when the event is emitted
@param: describe each of the args
Coverage must exceed 95%
A coverage tag must be included in the README
There must be a test suite for each contract
Functions should be tested in isolation as much as possible
Unit tests must run locally; i.e. they do not connect to a remote node.
A fork test script tests the contracts in the real world
All external / public functions should return a value when possible (to save gas)
Structs must be tightly packed
Values that don't change should be constants