2025-11-25
Smart Contract Security Basics
Reentrancy and bad math still show up in audits for a reason. A short tour of the Solidity bugs we look for first, written for people who are not full-time auditors.
On-chain code is hard to patch and easy to exploit if you get the basics wrong. You do not need a PhD to understand the common failure modes; you do need discipline and, for anything holding real value, a professional audit. This post is a plain-language tour of what we look for first in Solidity reviews.
Reentrancy
External calls (sending ETH, calling another contract) hand control to the callee, which can call back into your function before the first call finishes. If balances update after the call, an attacker can drain funds in one transaction.
Mitigation: Follow checks-effects-interactions: update state before external calls. Use ReentrancyGuard from OpenZeppelin where it fits. Prefer pull payments (users withdraw) over push (you send to them) when it matches your product.
Access control
Admin, mint, upgrade, and pause functions need explicit roles. A single missing onlyOwner or a wrong modifier has been behind many incidents.
Mitigation: Use AccessControl or Ownable from audited libraries. For serious admin power, use a multisig or timelock so one key cannot rug the contract overnight.
Arithmetic
Solidity 0.8+ checks overflow by default. Code inside unchecked blocks and inline assembly skips those checks, and that is where old bugs creep back in.
Mitigation: Stay on 0.8+ for new code, avoid unchecked unless you have a written reason, and use SafeMath only when you must support older compilers.
Front-running and MEV
Pending transactions are visible. Bots can sandwich swaps or race your users.
Mitigation: Design invariants that survive reordering, use slippage and deadlines on AMM-style calls, and consider private mempools or commit-reveal where the use case allows.
Oracles and external data
A single price feed or admin-controlled value can destroy your logic if it lies or stalls.
Mitigation: Prefer decentralized oracles where possible, add sanity bounds, and plan for stale data.
Last word
No checklist replaces an audit for contracts that move money. This list helps you clear the first pass and have a serious conversation with auditors. We write and review Solidity; reach out if you want help before mainnet.
Cogent Softwares, Web3 and smart contract development.