From 1dd70a19925629ad2e8892ccfd401d7fadadc839 Mon Sep 17 00:00:00 2001
From: Sleepy <92123154+morphean-sec@users.noreply.github.com>
Date: Fri, 18 Feb 2022 00:30:06 +0300
Subject: [PATCH] Add several new tips

Added several new tips with some applying to gas optimization, tooling and compiler bugs. Is it out of bounds to add examples of tools for automated analysis methods i.e `Use symbolic analysis via tools like Mythril.`
---
 README.md | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d916068..aaafe1d 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,8 @@ _Based off work by [BoringCrypto](https://github.com/sushiswap/bentobox/blob/mas
 - `F17` - If the function requires the contract be in an uninitialized state, check an explicit `initialized` variable. Do not use `owner == address(0)` or other similar checks as substitutes.
 - `F18` - Only use `private` to intentionally prevent child contracts from calling the function, prefer `internal` for flexibility.
 - `F19` - Use `virtual` if there are legitimate (and safe) instances where a child contract may wish to override the function's behavior.
+- `F20` - Use `calldata` instead of `memory` for function parameters if the function argument is only read in Solidity 0.8.*.
+- `F21` - Use short revert strings or custom error messages with solidity 0.8.4.
 
 ## Modifiers
 
@@ -117,6 +119,8 @@ _Based off work by [BoringCrypto](https://github.com/sushiswap/bentobox/blob/mas
 - `C49` - When fuzzing functions that only operate on specific numerical ranges use modulo to tighten the fuzzer's inputs (such as `x = x % 10000 + 1` to restrict from 1 to 10,000).
 - `C50` - Use ternary expressions to simplify branching logic wherever possible.
 - `C51` - When operating on more than one address, ask yourself what happens if they're the same.
+- `C52` - Cache the length in for loops. Explanation [here](https://gist.github.com/hrkrshnn/ee8fabd532058307229d65dcd5836ddc#caching-the-length-in-for-loops)
+- `C53` - Consider using atleast Solidity v0.8.9 and up to avoid compiler bugs like Keccak Caching, ABI decoder bug for multi-dimensional memory arrays, signed immutables and user defined value types bug. This has the bonus of the compiler giving you more gas optimizations and safety checks for free.
 
 ## External Calls
 
@@ -162,8 +166,9 @@ _Based off work by [BoringCrypto](https://github.com/sushiswap/bentobox/blob/mas
 - `P1` - Use the right license (you must use GPL if you depend on GPL code, etc).
 - `P2` - Unit test everything.
 - `P3` - Fuzz test as much as possible.
-- `P4` - Use symbolic execution where possible.
-- `P5` - Run Slither/Solhint and review all findings.
+- `P4` - Use formal verification where needed and as often as possible.
+- `P5` - Use symbolic execution where possible.
+- `P6` - Run Slither/Solhint and review all findings.
 
 ## DeFi