Simplileap

Smart contract security: the developer checklist before mainnet deployment

Reentrancy, access control, integer overflow, and the 12 checks every contract needs.

14 min read · 2026-04-22

Smart contract bugs are permanent and public. Unlike web application bugs that can be patched in minutes, a deployed contract vulnerability is immutable — often exploitable before a fix is possible. Every mainnet deployment should pass this checklist.

Reentrancy remains the most common critical vulnerability. Follow Checks-Effects-Interactions: validate all state checks first, update state before making external calls, and use ReentrancyGuard from OpenZeppelin on functions that transfer value.

Access control must be explicit. Every privileged function should have explicit role-based access control using OpenZeppelin AccessControl or Ownable. Default to restrictive and add permissions deliberately — never the reverse.

Integer arithmetic in older Solidity required SafeMath. Solidity 0.8+ includes overflow checking by default. The risk now is in unchecked{} blocks where you bypass this protection — verify every unchecked block is provably safe.

Oracle manipulation affects DeFi contracts that read prices from external sources. Use time-weighted average prices (TWAP) rather than spot prices for on-chain financial calculations.

Static analysis with Slither catches a large class of vulnerability patterns automatically — reentrancy, incorrect access control, dangerous patterns. Run it before every audit. Echidna fuzz testing finds edge cases in mathematical logic that manual review misses.

Third-party audits are non-negotiable for contracts handling significant value. Simplileap's internal review is a necessary but not sufficient quality gate — retain Trail of Bits, ConsenSys Diligence, or OpenZeppelin for independent review.
