Web 3 Development Security Checklist

1. Smart Contract Security Coding Requirements

• Build on well-known, audited libraries such as OpenZeppelin wherever possible;
• Use SafeMath or a 0.8.x compiler (built-in checked arithmetic) to avoid most overflow issues;
• Follow function naming conventions, see: Solidity style guide;
• Declare function and variable visibility explicitly;
• Assign function return values explicitly;
• Document functions and parameters thoroughly;
• Check the return value of every external call, including transfer, transferFrom, send, call, delegatecall, etc.;
• Make sure the parameter types and return values of an interface implementation match the interface;
• Protect the contract's key parameters with access control and emit events when they are changed;
• When upgrading, make sure the storage layout of the new implementation contract is compatible with that of the old implementation contract;
• Make sure arithmetic logic fully accounts for precision, and avoid the loss of precision caused by dividing before multiplying;
• Make sure the target address and function of low-level calls such as call are the expected ones;
• When using low-level calls such as call, limit the gas forwarded according to business needs;
• Follow the Checks-Effects-Interactions pattern: validate first, then write state variables, then make external calls;
• Make sure the external contracts the business interacts with are compatible with it, e.g. deflationary/inflationary tokens and tokens with callbacks that allow reentrancy such as ERC-777, ERC-677 and ERC-721, see: Reentrancy Vulnerability Case;
• Make sure every external call fully considers the risk of reentrancy;
• Avoid heavy looping over reads from or writes to the contract's storage variables;
• Avoid excessive concentration of authority as much as possible, especially the authority to modify key contract parameters; separate privileges and manage them through governance, a timelock contract or a multi-signature contract wherever possible;
• Keep contract inheritance linear, and make sure every inherited contract is actually needed by the business;
• Avoid using on-chain block data as a seed for randomness;
• Make sure the acquisition and use of random numbers fully considers the possibility of rollback attacks;
• Use Chainlink's VRF to obtain reliable randomness, see: Chainlink VRF;
• Avoid using the token balances held by a third-party contract to calculate the LP token price directly, see: How to get the price of LP correctly;
• Avoid relying on a single price source when obtaining prices from third-party contracts; at least 3 price sources are recommended;
• Emit events in key business processes wherever possible, recording execution status for data analysis while the project is running;
• Reserve an emergency pause switch for the global and core business so that losses can be stopped in time when a black swan event occurs;
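
One way to apply the Checks-Effects-Interactions, return-value and gas-limit items above in working Solidity, as an added example that is not part of the original checklist. The Vault contract, its CALL_GAS cap and the nonReentrant guard are assumptions for illustration, not anything the checklist prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the checklist): a withdraw function written to the
// Checks-Effects-Interactions rule, with the low-level call's return value
// checked and its gas capped. Contract name, cap and guard are assumed.
contract Vault {
    mapping(address => uint256) public balances;
    bool private locked;                        // simple reentrancy guard
    uint256 public constant CALL_GAS = 30_000;  // assumed business-level cap

    event Withdrawn(address indexed who, uint256 amount);

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;      // 0.8.x checked arithmetic
    }

    // Anti-pattern kept for contrast: the interaction runs before the effect,
    // so a receiver that re-enters passes the balance check again. Under 0.8.x
    // the later subtraction underflows and reverts, which masks the ordering
    // bug rather than fixing it (an unchecked block or pre-0.8 compiler would
    // let the recursion succeed).
    function withdrawUnsafe(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;
    }

    // Checks -> Effects -> Interactions, plus the guard as defence in depth.
    function withdraw(uint256 amount) external nonReentrant {
        // Checks
        require(amount > 0, "zero amount");
        require(balances[msg.sender] >= amount, "insufficient");
        // Effects: state is final before any external code can run
        balances[msg.sender] -= amount;
        emit Withdrawn(msg.sender, amount);
        // Interactions: return value checked, forwarded gas limited
        (bool ok, ) = msg.sender.call{value: amount, gas: CALL_GAS}("");
        require(ok, "transfer failed");
    }
}
```

A fixed gas cap can reject receivers that legitimately need more gas (e.g. contract wallets), which is why the checklist ties the limit to business needs rather than a universal value.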

2. Test Case Code Requirements

• Include functional usability tests of business processes and functions;
• Make sure unit test coverage exceeds 95%, and core code coverage reaches 100%;

3. Basic Security Configuration Requirements

• Use a well-known service provider for the official email, such as Gmail;
• Enable MFA on the official email account;
• Use a well-known domain name service provider, such as GoDaddy;
• Use a reputable CDN provider, such as Akamai or Cloudflare;
• Enable DNSSEC in the DNS configuration, set a strong password for the management account on the domain name service management platform, and enable MFA on it;
• Make sure all mobile phones and computers use anti-virus software, such as Kaspersky, AVG, etc.;
