
solidity-dev (Safety 95, Repository)

Complete Solidity smart contract development - building, testing, gas optimization, and security scanning. Use this skill for .sol files, Foundry commands, deployment scripts, gas analysis, or security review.

7 stars
1.2k downloads
Updated 2/8/2026

Package Files

SKILL.md

Solidity Development

Comprehensive skill for EVM/Solidity smart contract development, combining build/test workflows, gas optimization, and security analysis.

When This Skill Activates

  • Working on .sol files
  • Running Foundry commands (forge, cast, anvil)
  • Contract deployment or testing
  • ABI or interface changes
  • Gas optimization tasks
  • Security review or pre-audit preparation

Scope

  • Solidity contracts (core protocol)
  • Foundry tests and scripts
  • Deployment scripts
  • Contract interfaces and ABIs
  • Gas analysis and optimization
  • Security scanning (Slither)

Part 1: Development Workflows

Build & Test

forge build
forge test
forge test -vvv  # verbose
forge test --match-test "testSpecificFunction"
forge test --match-path test/SomeContract.t.sol

Deploy

forge script script/Deploy.s.sol --broadcast --rpc-url $RPC_URL

After Contract Changes

  1. Update interface if signature changed
  2. Rebuild ABIs: forge build
  3. Run tests: forge test
  4. Sync to frontend if needed

Code Standards

  • Use OpenZeppelin for standard patterns
  • Custom errors over require strings
  • Events for all state changes
  • NatSpec comments on public functions
  • WAD math (1e18) for precision, convert at boundaries
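The standards above in one small contract, as an added example that is not part of the skill: a hypothetical `FeeQuote` contract using custom errors, an event on every state change, NatSpec on public functions, and WAD (1e18) math that scales amounts only at the entry and exit boundaries. Names, the 10% cap and the owner check are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title FeeQuote
/// @notice Hypothetical fee calculator showing the code standards: custom errors,
///         an event on every state change, NatSpec, and WAD (1e18) math with scaling
///         only at the entry and exit boundaries. Added example, not part of the skill.
contract FeeQuote {
    uint256 internal constant WAD = 1e18;
    /// @notice Hard cap on the fee rate (10%), expressed as a WAD fraction.
    uint256 public constant MAX_FEE_WAD = 0.1e18;

    /// @notice Fee rate as a WAD fraction (0.003e18 == 0.3%).
    uint256 public feeRateWad;
    address public owner;

    // Custom errors: cheaper to deploy and revert with than require strings,
    // and they carry typed arguments that tooling can decode.
    error NotOwner(address caller);
    error FeeTooHigh(uint256 proposed, uint256 maxAllowed);
    error ZeroAmount();
    error UnsupportedDecimals(uint8 decimals);

    // One event per state change so indexers and monitoring can follow admin actions.
    event FeeRateUpdated(uint256 oldRateWad, uint256 newRateWad);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor(uint256 initialFeeWad) {
        if (initialFeeWad > MAX_FEE_WAD) revert FeeTooHigh(initialFeeWad, MAX_FEE_WAD);
        owner = msg.sender;
        feeRateWad = initialFeeWad;
        emit FeeRateUpdated(0, initialFeeWad);
    }

    /// @notice Update the fee rate.
    /// @param newRateWad New rate as a WAD fraction; must not exceed MAX_FEE_WAD.
    function setFeeRate(uint256 newRateWad) external onlyOwner {
        if (newRateWad > MAX_FEE_WAD) revert FeeTooHigh(newRateWad, MAX_FEE_WAD);
        uint256 oldRate = feeRateWad;
        feeRateWad = newRateWad;
        emit FeeRateUpdated(oldRate, newRateWad);
    }

    /// @notice Quote the fee on an amount given in the token's native decimals.
    /// @dev Scale up to WAD at the entry boundary, compute in WAD, scale back at the
    ///      exit boundary. Multiply before dividing so precision is not lost early.
    /// @param amount Token amount in native decimals.
    /// @param decimals Token decimals (e.g. 6 for a USDC-style token).
    /// @return fee Fee in the token's native decimals, rounded down.
    function quoteFee(uint256 amount, uint8 decimals) external view returns (uint256 fee) {
        if (amount == 0) revert ZeroAmount();
        uint256 amountWad = toWad(amount, decimals);
        uint256 feeWad = wadMul(amountWad, feeRateWad);
        fee = fromWad(feeWad, decimals);
    }

    /// @dev WAD multiply: (a * b) / 1e18, rounding down.
    function wadMul(uint256 a, uint256 b) public pure returns (uint256) {
        return (a * b) / WAD;
    }

    /// @dev Scale a native-decimals amount up to 18 decimals.
    function toWad(uint256 amount, uint8 decimals) public pure returns (uint256) {
        if (decimals > 18) revert UnsupportedDecimals(decimals);
        return amount * 10 ** (18 - decimals);
    }

    /// @dev Scale a WAD amount back down to native decimals, rounding down.
    function fromWad(uint256 amountWad, uint8 decimals) public pure returns (uint256) {
        if (decimals > 18) revert UnsupportedDecimals(decimals);
        return amountWad / 10 ** (18 - decimals);
    }
}
```

With a rate of 0.003e18 and a 6-decimal amount of 1_000_000 (one token), `quoteFee` scales to 1e18, computes 3e15 in WAD, and returns 3000 (0.003 tokens); keeping the intermediate value in WAD is what stops the rounding from collapsing small fees to zero.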

Part 2: Gas Optimization

Gas Analysis Commands

# Create baseline snapshot
forge snapshot --snap .gas-baseline

# Run gas report
forge test --gas-report

# Compare against baseline
forge snapshot --diff .gas-baseline

# Check specific function
forge test --match-test test_PlaceOrder --gas-report -vvv

# Storage layout analysis
forge inspect ContractName storage-layout --pretty

Optimization Patterns

Pattern            | Savings          | Example
Storage Packing    | ~20,000 gas/slot | Combine uint128 + uint128 into single slot
Calldata vs Memory | ~60 gas/word     | Use calldata for read-only arrays
Unchecked Math     | ~40 gas/op       | Use unchecked {} when overflow impossible
Cache Storage      | ~100 gas/read    | uint256 cached = storageVar;
Short-circuit      | Variable         | Put cheaper checks first in require
Avoid Zero Init    | ~3 gas/var       | Don't initialize to default values

Gas Optimization Checklist

  • Storage variables packed efficiently
  • Hot path functions use calldata for arrays
  • Loops have unchecked increments
  • Storage reads cached in local variables
  • No redundant zero-initializations
  • Short-circuit conditions ordered by cost
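The patterns table and the checklist applied to one function, as an added example that is not from the skill: a hypothetical order-book contract written the expensive way, then the same behaviour with storage packing, calldata arrays, an unchecked loop increment, a cached storage read, no zero-initialisation, and cheap checks ordered before storage reads. Contract and function names and the `MAX_ORDERS` limit are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Baseline: every pattern in the table done the expensive way.
contract OrderBookSlow {
    // uint256 + uint256 + address: three storage slots per order.
    struct Order { uint256 price; uint256 amount; address maker; }

    uint256 public constant MAX_ORDERS = 10_000;
    Order[] public orders;
    uint256 public totalAmount = 0;     // explicit zero init, pure cost

    function placeOrders(uint256[] memory prices, uint256[] memory amounts) external {
        require(orders.length + prices.length <= MAX_ORDERS, "full");  // SLOAD first
        require(prices.length == amounts.length, "length");            // cheap check last
        for (uint256 i = 0; i < prices.length; i++) {                  // checked increment
            orders.push(Order({price: prices[i], amount: amounts[i], maker: msg.sender}));
            totalAmount += amounts[i];                                 // SLOAD + SSTORE per iteration
        }
    }
}

/// @notice Same behaviour with the optimization patterns applied.
contract OrderBookFast {
    // Storage packing: uint128 + uint128 share one slot, address takes the second,
    // so two slots per order instead of three. Field order decides what packs together.
    struct Order { uint128 price; uint128 amount; address maker; }

    uint256 public constant MAX_ORDERS = 10_000;
    Order[] public orders;
    uint256 public totalAmount;     // no zero init: fresh storage already reads as 0

    error LengthMismatch();
    error BookFull();

    event OrdersPlaced(address indexed maker, uint256 count);

    // Calldata for read-only arrays: nothing is copied into memory on entry.
    function placeOrders(uint128[] calldata prices, uint128[] calldata amounts) external {
        uint256 n = prices.length;
        // Short-circuit ordering: the calldata comparison is far cheaper than the
        // SLOAD of orders.length, so it runs first and can fail before paying for it.
        if (n != amounts.length) revert LengthMismatch();
        if (orders.length + n > MAX_ORDERS) revert BookFull();

        // Cache the storage read: accumulate in a local and write back once.
        uint256 cachedTotal = totalAmount;
        for (uint256 i; i < n; ) {
            orders.push(Order({price: prices[i], amount: amounts[i], maker: msg.sender}));
            cachedTotal += amounts[i];
            unchecked { ++i; }      // i < n on every iteration, so ++i cannot overflow
        }
        totalAmount = cachedTotal;
        emit OrdersPlaced(msg.sender, n);
    }
}
```

Put both contracts under a test that places the same batch of orders through each and run `forge test --gas-report`; the per-call difference grows with batch size because the cached total removes one SLOAD and one SSTORE per iteration. The narrower `uint128` fields are a deliberate range trade-off, so document the accepted maximum price and amount in NatSpec rather than relying on the implicit truncation.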

Anti-Patterns

  • Don't optimize cold paths at expense of readability
  • Don't use assembly unless savings > 1000 gas
  • Don't sacrifice security for gas savings

Part 3: Security Analysis

Slither Commands

# Full analysis
slither . --config-file slither.config.json

# Target specific contract
slither src/ContractName.sol

# Generate JSON report
slither . --json slither-report.json

# Run specific detector
slither . --detect reentrancy-eth

# Function summary
slither . --print function-summary

High-Severity Detectors

Detector                | Severity | Description
reentrancy-eth          | HIGH     | Reentrancy with ETH transfer
reentrancy-no-eth       | HIGH     | Reentrancy without ETH
arbitrary-send-eth      | HIGH     | Arbitrary ETH destination
controlled-delegatecall | HIGH     | Delegatecall to user input
suicidal                | HIGH     | Selfdestruct with user control
uninitialized-state     | HIGH     | Uninitialized state variables

Security Checklist

Access Control

  • All external functions have proper modifiers
  • Owner/admin functions protected
  • Role-based access properly enforced

Reentrancy

  • CEI pattern followed (Checks-Effects-Interactions)
  • External calls after state updates
  • ReentrancyGuard on vulnerable functions

Math & Validation

  • Arithmetic checked or intentionally unchecked
  • Division by zero protected
  • Zero address checks
  • Array bounds checked

Common Vulnerability Patterns

Reentrancy

// VULNERABLE
function withdraw() external {
    uint256 amount = balances[msg.sender];
    (bool success,) = msg.sender.call{value: amount}(""); // Callee can re-enter here while balance is still unchanged
    balances[msg.sender] = 0; // State update AFTER external call
}

// FIXED
function withdraw() external nonReentrant {
    uint256 amount = balances[msg.sender];
    balances[msg.sender] = 0; // State update BEFORE external call (Checks-Effects-Interactions)
    (bool success,) = msg.sender.call{value: amount}("");
    require(success); // Do not silently swallow a failed transfer
}

Access Control

// VULNERABLE
function setPrice(uint256 price) external {
    currentPrice = price; // No access control
}

// FIXED
function setPrice(uint256 price) external onlyOwner {
    currentPrice = price;
}

DeFi-Specific Checks

  • No same-block price dependencies (flash loan risk)
  • Slippage protection on swaps
  • Commit-reveal for sensitive ops
  • Deadline parameters respected
  • Oracle manipulation protected (use TWAP/Chainlink)
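The DeFi checks above in code, as an added example that is not part of the skill: a hypothetical `GuardedSwap` contract that enforces a caller-supplied deadline and minimum output, and reads a Chainlink feed through the published `AggregatorV3Interface` signature while rejecting stale or non-positive answers and any execution price that drifts too far from that reference. The `ISwapRouter` interface, the 2% deviation bound, and the assumption that both tokens use the same decimals are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Chainlink AggregatorV3 surface, matching the published function signatures.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @dev Hypothetical router interface standing in for whatever DEX the protocol integrates.
interface ISwapRouter {
    function swap(address tokenIn, address tokenOut, uint256 amountIn, address to)
        external
        returns (uint256 amountOut);
}

/// @title GuardedSwap
/// @notice Example of the DeFi checks: deadline, slippage bound, oracle staleness
///         and sanity checks. Assumes tokenIn and tokenOut share the same decimals.
contract GuardedSwap {
    AggregatorV3Interface public immutable priceFeed;
    ISwapRouter public immutable router;
    /// @notice Maximum age of an oracle answer before it is treated as stale.
    uint256 public immutable maxStaleness;
    /// @notice Allowed gap between execution price and oracle price, in basis points.
    uint256 public constant MAX_DEVIATION_BPS = 200; // 2%

    error ZeroAmount();
    error Expired(uint256 deadline, uint256 nowTs);
    error InsufficientOutput(uint256 received, uint256 minimum);
    error StaleOracle(uint256 updatedAt, uint256 nowTs);
    error InvalidOracleAnswer(int256 answer);
    error UnsupportedDecimals(uint8 decimals);
    error PriceDeviation(uint256 executionPrice, uint256 oraclePrice);

    event Swapped(address indexed sender, uint256 amountIn, uint256 amountOut);

    constructor(address feed, address router_, uint256 maxStaleness_) {
        priceFeed = AggregatorV3Interface(feed);
        router = ISwapRouter(router_);
        maxStaleness = maxStaleness_;
    }

    /// @notice Oracle price scaled to 18 decimals, refusing stale or malformed data.
    function oraclePriceWad() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = priceFeed.latestRoundData();
        if (answer <= 0) revert InvalidOracleAnswer(answer);
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) {
            revert StaleOracle(updatedAt, block.timestamp);
        }
        uint8 dec = priceFeed.decimals();
        if (dec > 18) revert UnsupportedDecimals(dec);
        return uint256(answer) * 10 ** (18 - dec);
    }

    /// @notice Swap with a caller-supplied deadline and minimum output.
    /// @dev Token movement between caller and router is the router's concern here (assumption).
    function swapExact(
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        uint256 minAmountOut,
        uint256 deadline
    ) external returns (uint256 amountOut) {
        if (amountIn == 0) revert ZeroAmount();                  // also guards the division below
        // Deadline respected: a transaction that sat in the mempool cannot execute late.
        if (block.timestamp > deadline) revert Expired(deadline, block.timestamp);

        amountOut = router.swap(tokenIn, tokenOut, amountIn, msg.sender);

        // Slippage protection: the caller decides the worst price they will accept.
        if (amountOut < minAmountOut) revert InsufficientOutput(amountOut, minAmountOut);

        // Oracle sanity check: the execution price must stay near the external reference,
        // so a pool price pushed within the same block cannot settle far off market.
        uint256 executionPrice = amountOut * 1e18 / amountIn;   // tokenOut per tokenIn, WAD
        uint256 reference = oraclePriceWad();
        uint256 lower = reference * (10_000 - MAX_DEVIATION_BPS) / 10_000;
        uint256 upper = reference * (10_000 + MAX_DEVIATION_BPS) / 10_000;
        if (executionPrice < lower || executionPrice > upper) {
            revert PriceDeviation(executionPrice, reference);
        }

        emit Swapped(msg.sender, amountIn, amountOut);
    }
}
```

Pick `maxStaleness` from the feed's published heartbeat rather than a round number, and keep `minAmountOut` caller-controlled: a contract-chosen default that is too loose quietly removes the slippage protection the checklist asks for.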

Audit Preparation Checklist

  • forge build compiles without warnings
  • forge test passes with >80% coverage
  • Slither runs clean (or issues documented)
  • All external functions documented (NatSpec)
  • Access control matrix documented
  • Invariant tests pass
  • Dependencies audited/pinned
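One Foundry test file that serves both the vulnerability-pattern section (the hardened `withdraw` and `setPrice`) and the "invariant tests pass" item in this checklist, as an added example that is not part of the skill: a `Vault` applying Checks-Effects-Interactions, `nonReentrant`, `onlyOwner`, a checked transfer result, custom errors and events, driven by a handler contract so the invariant fuzzer can deposit real ETH and keep ghost totals. It assumes OpenZeppelin v5 import paths (`utils/ReentrancyGuard.sol`; v4 used `security/`) and forge-std installed under the usual remapping; the contract, handler and test names are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @notice Hardened form of the withdraw/setPrice snippets: CEI ordering, nonReentrant,
///         onlyOwner on the admin setter, checked transfer result, custom errors, events.
contract Vault is ReentrancyGuard, Ownable {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;
    uint256 public currentPrice;

    error ZeroAmount();
    error NothingToWithdraw();
    error TransferFailed();

    event Deposited(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);
    event PriceSet(uint256 oldPrice, uint256 newPrice);

    constructor() Ownable(msg.sender) {}

    function deposit() external payable {
        if (msg.value == 0) revert ZeroAmount();
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];           // Checks
        if (amount == 0) revert NothingToWithdraw();
        balances[msg.sender] = 0;                         // Effects, before any call out
        totalDeposits -= amount;
        emit Withdrawn(msg.sender, amount);
        (bool ok,) = msg.sender.call{value: amount}("");  // Interaction last
        if (!ok) revert TransferFailed();
    }

    function setPrice(uint256 price) external onlyOwner {
        emit PriceSet(currentPrice, price);
        currentPrice = price;
    }
}

/// @notice Handler the invariant fuzzer drives instead of the vault, so deposits carry
///         ETH and ghost counters record what went in and out.
contract VaultHandler is Test {
    Vault public vault;
    uint256 public ghostDeposited;
    uint256 public ghostWithdrawn;

    constructor(Vault v) { vault = v; }

    function deposit(uint96 amount) external {
        uint256 value = bound(amount, 1, 100 ether);  // constructed range for the fuzzer
        vm.deal(address(this), value);
        vault.deposit{value: value}();
        ghostDeposited += value;
    }

    function withdraw() external {
        uint256 bal = vault.balances(address(this));
        if (bal == 0) return;
        vault.withdraw();
        ghostWithdrawn += bal;
    }

    receive() external payable {}
}

contract VaultTest is Test {
    Vault vault;
    VaultHandler handler;

    function setUp() public {
        vault = new Vault();
        handler = new VaultHandler(vault);
        targetContract(address(handler));
        bytes4[] memory selectors = new bytes4[](2);
        selectors[0] = VaultHandler.deposit.selector;
        selectors[1] = VaultHandler.withdraw.selector;
        targetSelector(FuzzSelector({addr: address(handler), selectors: selectors}));
    }

    /// Solvency invariant: accounting matches the ghost totals and the vault always
    /// holds at least what depositors can claim.
    function invariant_solvent() public view {
        assertEq(vault.totalDeposits(), handler.ghostDeposited() - handler.ghostWithdrawn());
        assertGe(address(vault).balance, vault.totalDeposits());
    }

    function test_setPrice_rejectsNonOwner() public {
        address stranger = address(0xBEEF);
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, stranger));
        vault.setPrice(1);
    }
}
```

Save it under test/ and run `forge test`; the `invariant_` prefix makes Foundry treat that function as an invariant and call the handler's selected functions in random sequences between checks. Restricting the fuzzer to the handler's selectors keeps it from spending runs on the helper functions inherited from `Test`.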

Install

Requires askill CLI v1.0+

AI Quality Score

95/100, analyzed 2/12/2026

An exceptionally high-quality skill document for Solidity development, covering the full lifecycle from development to gas optimization and security auditing with actionable commands and checklists.


Metadata

License: unknown
Version: -
Updated: 2/8/2026
Publisher: NeverSight

Tags

ci-cd, security, testing