Solidity Mastery

Name: @tank/solidity-mastery
Author: Elad Ben Haim

Core Philosophy

Security before features -- Every function is a potential attack surface. Apply checks-effects-interactions, use OpenZeppelin battle-tested contracts, and audit before mainnet.
Gas is user cost -- Every opcode costs money. Pack storage, prefer calldata over memory, use custom errors, and benchmark with forge snapshot.
Immutability demands correctness -- Deployed contracts cannot be patched. Test exhaustively with fuzz and invariant tests before deployment.
Compose from audited primitives -- Extend OpenZeppelin rather than reimplementing. Custom cryptography and token logic introduces unaudited risk.
Upgradeability is a tradeoff -- Proxies add complexity and trust assumptions. Use only when the protocol genuinely requires post-deployment changes.

Use Case	Standard	Key Feature
Fungible currency/utility token	ERC-20	Balances, approve/transferFrom
Unique collectibles/NFTs	ERC-721	Token IDs, ownerOf
Mixed fungible + non-fungible	ERC-1155	Batch transfers, multi-token
Tokenized vault / yield	ERC-4626	Deposit/withdraw/shares math
-> See `references/erc-standards.md`

Run forge snapshot to baseline gas per test
Pack storage variables (smaller types in same slot)
Replace require(cond, "msg") with custom errors
Use calldata instead of memory for read-only external args
Wrap safe arithmetic in unchecked {} blocks -> See references/gas-optimization.md

Write unit tests extending forge-std/Test.sol
Use vm.prank, vm.expectRevert, vm.deal cheatcodes
Add fuzz tests with parameterized inputs
Write invariant tests for protocol-wide properties
Run forge test -vvv for full trace on failure -> See references/foundry-toolchain.md

Choose pattern: UUPS (lightweight) or Transparent Proxy (admin separation)
Use OpenZeppelin upgradeable variants (@openzeppelin/contracts-upgradeable)
Never define constructors -- use initializer functions
Maintain storage layout compatibility across versions -> See references/upgradeable-contracts.md

Follow checks-effects-interactions: validate, update state, then call external
Use OpenZeppelin ReentrancyGuard for defense-in-depth
Consider transient storage locks (Solidity 0.8.28+, EIP-1153) -> See references/security-vulnerabilities.md

Signal	Use
Fast compilation, Solidity-native tests	Foundry (forge)
JavaScript/TypeScript integration needed	Hardhat
Quick prototyping in browser	Remix IDE
Production project	Foundry + Hardhat hybrid

Signal	Pattern
Simple standalone contract	Direct deployment
Need post-deployment upgrades	UUPS or Transparent Proxy
Deploy many identical contracts	Factory (Clone/CREATE2)
Complex multi-contract system	Diamond (EIP-2535) or modular

Signal	Pattern
Single privileged address	`Ownable` (OpenZeppelin)
Multiple roles with distinct permissions	`AccessControl` (role-based)
Time-delayed admin operations	`TimelockController`
Governance by token holders	Governor + Timelock

File	Contents
`references/security-vulnerabilities.md`	Reentrancy, access control flaws, flash loan attacks, integer issues, front-running, tx.origin, delegatecall risks, audit checklist
`references/gas-optimization.md`	Storage packing, calldata vs memory, custom errors, unchecked math, immutable/constant, batch operations, compiler optimizer settings
`references/erc-standards.md`	ERC-20, ERC-721, ERC-1155, ERC-4626 implementation patterns, extensions, common pitfalls, OpenZeppelin usage
`references/foundry-toolchain.md`	Forge test, script, deploy, fuzz testing, invariant testing, cheatcodes, gas snapshots, Cast CLI, Anvil forking
`references/upgradeable-contracts.md`	UUPS, transparent proxy, beacon proxy, storage layout, initializers, upgrade safety, OpenZeppelin Upgrades
`references/contract-patterns.md`	Factory, clone (EIP-1167), CREATE2, diamond (EIP-2535), access control, state machines, pull payments
`references/deployment-verification.md`	Multi-chain deployment, Foundry scripts, constructor args encoding, Etherscan verification, deterministic deploys