solidity-erc-standards
ERC Token Standard Guidelines
When to Apply
- Implementing a new token (Fungible, NFT, Multi-token, or Vault).
- Reviewing existing token implementations for standard compliance.
- Integrating with external tokens (e.g., DeFi protocols, marketplaces).
- Extending standards with custom logic (e.g., Permit, Votes, Enumerable).
ERC20: Fungible Tokens
- Required: `totalSupply`, `balanceOf`, `transfer`, `allowance`, `approve`, `transferFrom`.
- SafeERC20: ALWAYS wrap external ERC20 calls (`transfer`, `transferFrom`, `approve`) using OpenZeppelin's `SafeERC20` to handle tokens that return `false` instead of reverting.
- Race Condition: The `approve` function has a known race condition. Use `increaseAllowance` and `decreaseAllowance` (OpenZeppelin) or `ERC20Permit` to mitigate.
- ERC20Permit (EIP-2612): Use for gasless approvals via signatures (`permit` function).
- ERC20Votes: Use for governance tokens to enable delegation and checkpointing.
- Common Pitfall: Some tokens (like USDT) do not return a boolean on `transfer`, causing calls to revert if the interface expects a return value.
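Added example (not part of the toolkit): an escrow that integrates arbitrary ERC20s through `SafeERC20`, so USDT-style no-return and returns-false tokens both work. Assumes OpenZeppelin Contracts v5 (`forceApprove` is available from 4.9).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical escrow that must accept any ERC20, including tokens whose
/// transfer() returns nothing (USDT) or returns false instead of reverting.
contract TokenEscrow {
    using SafeERC20 for IERC20;

    address public immutable owner;
    // token => depositor => amount
    mapping(address => mapping(address => uint256)) public deposits;

    constructor() {
        owner = msg.sender;
    }

    // Unsafe pattern, shown only for contrast:
    //   require(token.transferFrom(msg.sender, address(this), amount));
    // With a no-return-value token the call reverts while ABI-decoding the missing
    // bool; with a returns-false token it silently succeeds if the require is dropped.
    function depositToken(IERC20 token, uint256 amount) external {
        // Effects before the external call (Checks-Effects-Interactions).
        deposits[address(token)][msg.sender] += amount;
        // safeTransferFrom: no return data counts as success, false counts as failure.
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    function withdrawToken(IERC20 token, uint256 amount) external {
        // Checked arithmetic reverts if the caller has less on deposit than requested.
        deposits[address(token)][msg.sender] -= amount;
        token.safeTransfer(msg.sender, amount);
    }

    // Granting a spender (e.g. a DEX router) an allowance. USDT-style tokens revert on
    // approve(nonzero) while the current allowance is nonzero; forceApprove retries
    // via approve(0) when the first approve fails, so the call works for both kinds.
    function grantAllowance(IERC20 token, address spender, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        token.forceApprove(spender, amount);
    }
}
```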
ERC721: Non-Fungible Tokens
- Required: `balanceOf`, `ownerOf`, `safeTransferFrom`, `transferFrom`, `approve`, `setApprovalForAll`, `getApproved`, `isApprovedForAll`.
- safeTransferFrom: Always prefer `safeTransferFrom` over `transferFrom` to ensure the recipient can handle NFTs (via `onERC721Received`).
- ERC721Enumerable: Provides on-chain tracking of all tokens. High gas cost for transfers; avoid unless necessary for on-chain discovery.
- Metadata: Use `tokenURI` to link to JSON metadata. Off-chain (IPFS/Arweave) is standard; on-chain (Base64) is used for "fully on-chain" NFTs.
- Common Pitfall: Reentrancy via the `onERC721Received` callback during `safeTransferFrom`. Use `nonReentrant` or follow Checks-Effects-Interactions (SCWE-046, SCWE-138).
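Added example (not from the toolkit): a capped mint ordered as Checks-Effects-Interactions and guarded with `nonReentrant`, since `_safeMint` hands control to a contract recipient via `onERC721Received`. Cap, per-wallet limit and the IPFS base URI are assumed placeholders; assumes OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical capped mint. _safeMint invokes onERC721Received on a contract
/// recipient, which hands control to the recipient before mint() returns.
contract CappedMint is ERC721, ReentrancyGuard {
    uint256 public constant MAX_SUPPLY = 100;     // assumed cap
    uint256 public constant MAX_PER_WALLET = 2;   // assumed per-wallet limit
    uint256 public totalMinted;
    mapping(address => uint256) public mintedBy;

    constructor() ERC721("Capped", "CAP") {}

    // Wrong order (not compiled here, kept for contrast):
    //   _safeMint(msg.sender, tokenId);  // callback runs here ...
    //   mintedBy[msg.sender] += 1;       // ... before the counter is updated,
    // so a contract recipient re-entering mint() from onERC721Received would pass
    // the wallet-limit check again. Either measure below closes that window.
    function mint() external nonReentrant {
        // Checks
        require(totalMinted < MAX_SUPPLY, "sold out");
        require(mintedBy[msg.sender] < MAX_PER_WALLET, "wallet limit");
        // Effects: every counter is final before control can leave the contract
        uint256 tokenId = ++totalMinted;
        mintedBy[msg.sender] += 1;
        // Interaction: may call msg.sender.onERC721Received
        _safeMint(msg.sender, tokenId);
    }

    // Off-chain metadata: tokenURI(id) = baseURI + id
    function _baseURI() internal pure override returns (string memory) {
        return "ipfs://<CID-PLACEHOLDER>/";
    }
}
```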
ERC1155: Multi-Token
- When to use: When managing multiple token types (fungible and non-fungible) in a single contract. More gas-efficient for batch operations.
- Batch Operations: Use `safeBatchTransferFrom` and `balanceOfBatch` to reduce gas for multiple transfers.
- URI Pattern: Use a single URI with the `{id}` substitution string (e.g., `https://api.com/{id}.json`).
- Common Pitfall: Forgetting to implement `balanceOfBatch` or incorrect implementation of the receiver callback.
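Added example (not from the toolkit) of the receiver-callback pitfall: a contract that holds ERC1155 tokens must return the exact selector from each hook. Assumes OpenZeppelin Contracts v5 interface paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC1155Receiver} from "@openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol";
import {IERC165} from "@openzeppelin/contracts/utils/introspection/IERC165.sol";

/// Hypothetical contract that must be able to hold ERC1155 tokens. Each hook has to
/// return its OWN selector; any other value makes the sender's safeTransferFrom /
/// safeBatchTransferFrom revert, so tokens can never be delivered to this contract.
contract Treasury1155 is IERC1155Receiver {
    event Received(address operator, address from, uint256 id, uint256 value);

    function onERC1155Received(
        address operator, address from, uint256 id, uint256 value, bytes calldata
    ) external override returns (bytes4) {
        emit Received(operator, from, id, value);
        return IERC1155Receiver.onERC1155Received.selector;
    }

    function onERC1155BatchReceived(
        address operator, address from, uint256[] calldata ids, uint256[] calldata values, bytes calldata
    ) external override returns (bytes4) {
        // The token contract already checks this, but a receiver should not trust it blindly.
        require(ids.length == values.length, "length mismatch");
        for (uint256 i = 0; i < ids.length; i++) {
            emit Received(operator, from, ids[i], values[i]);
        }
        // Common mistake: returning onERC1155Received.selector here; the batch hook has its own.
        return IERC1155Receiver.onERC1155BatchReceived.selector;
    }

    // ERC165: lets integrators query support. The transfer path itself only checks
    // the hook's return value, not supportsInterface.
    function supportsInterface(bytes4 interfaceId) public pure override returns (bool) {
        return interfaceId == type(IERC1155Receiver).interfaceId
            || interfaceId == type(IERC165).interfaceId;
    }
}
```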
ERC4626: Tokenized Vault
- Calculations: `convertToShares` (assets to shares) and `convertToAssets` (shares to assets).
- Rounding: Favor the vault. Round DOWN on `deposit`/`mint` (fewer shares for assets) and round UP on `withdraw`/`redeem` (more shares for assets).
- Inflation Attack: First depositor can manipulate share price. Prevent by minting "dead shares" to `address(0)` on the first deposit (SCWE-049).
- Common Pitfall: Incorrect rounding direction leading to "free" shares or assets over time.
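Added example (not from the toolkit) covering the Calculations, Rounding and Inflation Attack points together: share accounting with explicit rounding per direction and dead shares on the first deposit. It is not a full ERC4626 (no share token, events or mint/redeem paths), and the dead shares are counted only in `totalShares` rather than credited to `address(0)`, which has the same locking effect. Assumes OpenZeppelin Contracts v5 (`Math.Rounding.Floor`/`Ceil`); `DEAD_SHARES` is an assumed constant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Math} from "@openzeppelin/contracts/utils/math/Math.sol";

/// Share accounting only (no ERC20 share token, events, or mint/redeem paths):
/// shows the rounding direction of each conversion and the dead-shares first deposit.
contract VaultAccounting {
    using SafeERC20 for IERC20;
    using Math for uint256;
    IERC20 public immutable asset;
    uint256 public totalShares;                 // includes the locked dead shares
    mapping(address => uint256) public sharesOf;
    uint256 public constant DEAD_SHARES = 1e3;  // assumed; size it per asset decimals
    constructor(IERC20 asset_) { asset = asset_; }
    function totalAssets() public view returns (uint256) { return asset.balanceOf(address(this)); }

    // assets -> shares. Caller picks the rounding: Floor for deposits, Ceil for withdrawals.
    function convertToShares(uint256 assets, Math.Rounding r) public view returns (uint256) {
        if (totalShares == 0) return assets;
        return assets.mulDiv(totalShares, totalAssets(), r);
    }

    // shares -> assets. Floor when paying out for shares (redeem), so the vault never overpays.
    function convertToAssets(uint256 s, Math.Rounding r) public view returns (uint256) {
        if (totalShares == 0) return s;
        return s.mulDiv(totalAssets(), totalShares, r);
    }

    function deposit(uint256 assets) external returns (uint256 minted) {
        minted = convertToShares(assets, Math.Rounding.Floor); // priced before the transfer in
        if (totalShares == 0) {
            require(minted > DEAD_SHARES, "first deposit too small");
            totalShares += DEAD_SHARES;  // locked forever, held by no account
            minted -= DEAD_SHARES;       // the first depositor pays for them
        }
        sharesOf[msg.sender] += minted;  // effects before the external call
        totalShares += minted;
        asset.safeTransferFrom(msg.sender, address(this), assets);
    }

    function withdraw(uint256 assets) external returns (uint256 burned) {
        burned = convertToShares(assets, Math.Rounding.Ceil); // round UP: charge more shares
        sharesOf[msg.sender] -= burned;  // checked math reverts if the caller is short
        totalShares -= burned;
        asset.safeTransfer(msg.sender, assets);
    }
}
```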
Implementation Choice
| | OpenZeppelin | Solady |
|---|---|---|
| Gas | Higher | Lower |
| Readability | More readable | More optimized |
| Extensions | Many available | Fewer but efficient |
| When to use | Most projects | Gas-critical applications |
Testing Strategies
- ERC20: Test `transfer` (balance changes), `approve`/`transferFrom` (allowance logic), and edge cases (0 amount, `type(uint256).max`).
- ERC721: Test `mint`, `transfer`, `approval`, and `ERC721Enumerable` (if used). Verify `onERC721Received` triggers.
- ERC1155: Test batch transfers, URI substitution, and receiver callbacks.
- ERC4626: Test deposit/withdraw symmetry (1:1 if no yield), share calculations, and rounding edge cases.
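Added example (not from the toolkit): a Foundry test for the ERC20 edge cases listed above, run against a constructed OpenZeppelin v5 token. Assumes forge-std and OpenZeppelin Contracts v5 are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Constructed fixture: plain OpenZeppelin ERC20 with a pre-minted supply.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") { _mint(msg.sender, 1_000e18); }
}
contract ERC20EdgeCaseTest is Test {
    event Transfer(address indexed from, address indexed to, uint256 value);
    MockToken token;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        token = new MockToken();
        token.transfer(alice, 100e18);
    }

    // 0-amount transfer: ERC20 says it MUST succeed and still emit Transfer.
    function test_ZeroAmountTransferEmits() public {
        vm.expectEmit(true, true, false, true);
        emit Transfer(alice, bob, 0);
        vm.prank(alice);
        assertTrue(token.transfer(bob, 0));
        assertEq(token.balanceOf(alice), 100e18);
    }

    // type(uint256).max allowance: OpenZeppelin treats it as infinite and never decrements.
    function test_MaxAllowanceNotDecremented() public {
        vm.prank(alice);
        token.approve(bob, type(uint256).max);
        vm.prank(bob);
        token.transferFrom(alice, bob, 40e18);
        assertEq(token.allowance(alice, bob), type(uint256).max);
    }

    // A finite allowance is decremented and cannot be exceeded.
    function test_FiniteAllowanceEnforced() public {
        vm.prank(alice);
        token.approve(bob, 10e18);
        vm.prank(bob);
        token.transferFrom(alice, bob, 4e18);
        assertEq(token.allowance(alice, bob), 6e18);
        vm.expectRevert(); // OZ v5: ERC20InsufficientAllowance
        vm.prank(bob);
        token.transferFrom(alice, bob, 7e18);
    }
}
```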
Enhanced with MCP
When the solidity-agent-toolkit is available, leverage these tools for ERC implementation:
Interface Lookup:
- `erc://{standard}`: Full interface definition, required functions, events, and extension list for ERC20, ERC721, ERC1155, ERC4626
Implementation Verification:
- `check_vulnerability`: Verify code against known ERC-specific vulnerabilities
- `match_vulnerability_patterns`: Detect missing SafeERC20, approval race conditions, reentrancy in callbacks
- `search_vulnerabilities`: Look up SCWE entries related to token standards (e.g., "ERC20", "reentrancy")
- `get_remediation`: Get fix guidance for specific SCWE IDs found during review
Code Generation:
- Use the `generate_erc` prompt for scaffolding compliant token implementations