rules.md
December 11, 2025 · View on GitHub
Best Practices Rules
| Rule Id | Error | Recommended | Deprecated |
|---|---|---|---|
| code-complexity | Function has cyclomatic complexity "current" but allowed no more than configured max complexity. | ||
| explicit-types | Forbid or enforce explicit types (like uint256) that have an alias (like uint). | ✔️ | |
| function-max-lines | Function body contains "count" lines but allowed no more than maxlines. | ✔️ | |
| max-line-length | Line length should not exceed configured number of characters. | ||
| max-states-count | Contract has "some count" states declarations but allowed no more than defined max states. | ✔️ | |
| no-console | No console.log/logInt/logBytesX/logString/etc & No hardhat and forge-std console.sol import statements. | ✔️ | |
| no-empty-blocks | Code block has zero statements inside. Exceptions apply. | ✔️ | |
| no-global-import | Import statement includes an entire file instead of selected symbols. | ✔️ | |
| no-unused-import | Imported object name is not being used by the contract. | ✔️ | |
| no-unused-private-funcs | Private function "name" is not being used within its defining contract. Support overloads. | ||
| no-unused-vars | Variable "name" is unused. | ✔️ | |
| one-contract-per-file | Enforces the use of ONE Contract per file see here | ✔️ | |
| payable-fallback | When fallback is not payable and there is no receive function you will not be able to receive currency. | ||
| reason-string | Require or revert statement must have a reason string and check that each reason string is at most N characters long. | ✔️ | |
| use-natspec | Enforces the presence and correctness of NatSpec tags. | ✔️ | |
| constructor-syntax | Constructors should use the new constructor keyword. | ✔️ |
Style Guide Rules
| Rule Id | Error | Recommended | Deprecated |
|---|---|---|---|
| interface-starts-with-i | Solidity Interfaces names should start with an I | ✔️ | |
| duplicated-imports | Check if an import is done twice in the same file and there is no alias | ✔️ | |
| const-name-snakecase | Constant name must be in capitalized SNAKE_CASE. (Does not check IMMUTABLES, use immutable-vars-naming) | ✔️ | |
| contract-name-capwords | Contract, Structs and Enums should be in CapWords. | ✔️ | |
| event-name-capwords | Event name must be in CapWords. | ✔️ | |
| foundry-test-function-naming | Enforce naming convention on functions for Foundry test cases | ||
| foundry-test-functions | Enforce naming convention on functions for Foundry test cases (DEPRECATED, use foundry-test-functions-naming) | ||
| func-name-mixedcase | Function name must be in mixedCase. | ✔️ | |
| func-named-parameters | Enforce named parameters for function calls with 4 or more arguments. This rule may have some false positives | ||
| func-param-name-mixedcase | Function param name must be in mixedCase. | ||
| immutable-vars-naming | Check Immutable variables. Capitalized SNAKE_CASE or mixedCase depending on configuration. | ✔️ | |
| modifier-name-mixedcase | Modifier name must be in mixedCase. | ||
| named-parameters-mapping | Solidity v0.8.18 introduced named parameters on the mappings definition. | ||
| private-vars-leading-underscore | Non-external functions and state variables should start with a single underscore. Others, shouldn't | ||
| use-forbidden-name | Avoid to use letters 'I', 'l', 'O' as identifiers. | ✔️ | |
| var-name-mixedcase | Variable names must be in mixedCase. (Does not check IMMUTABLES nor CONSTANTS (use inherent rules for that) | ✔️ | |
| imports-on-top | Import statements must be on top. | ✔️ | |
| imports-order | Order the imports of the contract to follow a certain hierarchy (read "Notes section") | ||
| ordering | Check order of elements in file and inside each contract, according to the style guide | ||
| visibility-modifier-order | Visibility modifier must be first in list of modifiers. | ✔️ |
Gas Consumption Rules
| Rule Id | Error | Recommended | Deprecated |
|---|---|---|---|
| gas-calldata-parameters | Suggest calldata keyword on function arguments when read only | ✔️ | |
| gas-custom-errors | Enforces the use of Custom Errors over Require with strings error and Revert statements | ✔️ | |
| gas-increment-by-one | Suggest increments by one, like this ++i instead of other type | ✔️ | |
| gas-indexed-events | Suggest indexed arguments on events for uint, bool and address | ✔️ | |
| gas-length-in-loops | Suggest replacing object.length in a loop condition to avoid calculation on each lap | ||
| gas-multitoken1155 | ERC1155 is a cheaper non-fungible token than ERC721 | ||
| gas-named-return-values | Enforce the return values of a function to be named | ||
| gas-small-strings | Keep strings smaller than 32 bytes. Promote the use of custom errors | ✔️ | |
| gas-strict-inequalities | Suggest Strict Inequalities over non Strict ones | ✔️ | |
| gas-struct-packing | Suggest to re-arrange struct packing order when it is inefficient | ✔️ |
Miscellaneous
| Rule Id | Error | Recommended | Deprecated |
|---|---|---|---|
| comprehensive-interface | Check that all public or external functions are overridden. This is useful to make sure that the whole API is extracted in an interface. | ||
| foundry-no-block-time-number | Warn on the use of block.timestamp / block.number inside Foundry test files; recommend vm.getBlockTimestamp() / vm.getBlockNumber(). | ||
| import-path-check | Check if an import file exists in target path | ✔️ | |
| quotes | Enforces the use of double or simple quotes as configured for string literals. Values must be 'single' or 'double'. | ✔️ |
Security Rules
| Rule Id | Error | Recommended | Deprecated |
|---|---|---|---|
| avoid-call-value | Avoid to use ".call.value()()". | ✔️ | |
| avoid-low-level-calls | Avoid to use low level calls. | ✔️ | |
| avoid-sha3 | Use "keccak256" instead of deprecated "sha3". | ✔️ | |
| avoid-suicide | Use "selfdestruct" instead of deprecated "suicide". | ✔️ | |
| avoid-throw | "throw" is deprecated, avoid to use it. | ✔️ | |
| avoid-tx-origin | Avoid to use tx.origin. | ✔️ | |
| check-send-result | Check result of "send" call. | ✔️ | |
| compiler-version | Compiler version must satisfy a semver requirement at least ^0.8.24. | ✔️ | |
| func-visibility | Explicitly mark visibility in function. | ✔️ | |
| multiple-sends | Avoid multiple calls of "send" method in single transaction. | ✔️ | |
| no-complex-fallback | Fallback function must be simple. | ✔️ | |
| no-immutable-before-declaration | Immutable variables should not be used in state variable initializers before they are declared. | ✔️ | |
| no-inline-assembly | Avoid to use inline assembly. It is acceptable only in rare cases. | ✔️ | |
| not-rely-on-block-hash | Do not rely on "block.blockhash". Miners can influence its value. | ✔️ | |
| not-rely-on-time | Avoid making time-based decisions in your business logic. | ||
| reentrancy | Possible reentrancy vulnerabilities. Avoid state changes after transfer. | ✔️ | |
| state-visibility | Explicitly mark visibility of state. | ✔️ |