Smart Contract Development Best Practices: Solidity, Rust, and Move in 2026
Smart contract bugs cost the industry $2.1B in 2025. This guide covers development best practices across Solidity, Rust, and Move with proven testing and security patterns.
Smart contract vulnerabilities cost the Web3 industry $2.1 billion in 2025. Unlike traditional software, a deployed smart contract is immutable unless it sits behind an upgradeable proxy: a bug in production means permanent loss of funds, not a hotfix. This makes development practices not just a matter of engineering quality; they are financial security.
Layer 3: Invariant Tests (5% of tests, but the highest value)
• Define properties that must ALWAYS hold
• Run thousands of random transaction sequences
• Example: "total supply must equal sum of all balances"
• Catches bugs unit tests miss
Foundry Testing Example
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol"; // Test already includes StdInvariant (targetContract) and bound()
import {Token} from "../src/Token.sol";  // the ERC-20 under test; its constructor mints the supply to the deployer
contract TokenTest is Test {
    Token token;
    // Every address that has ever held tokens. Register a handler contract with targetContract() that performs
    // the random transfers and appends each recipient here; without one the fuzzer calls the token directly
    // from random, empty senders and this invariant is exercised only trivially.
    address[] actors;
    function setUp() public {
        token = new Token(1_000_000e18);
        actors.push(address(this));
    }
    // Invariant test: property must hold after every random call sequence
    function invariant_totalSupplyMatchesBalances() public {
        uint256 totalFromBalances = 0;
        for (uint256 i = 0; i < actors.length; i++) {
            totalFromBalances += token.balanceOf(actors[i]);
        }
        assertEq(token.totalSupply(), totalFromBalances);
    }
    // Fuzz test: random inputs. A self-transfer leaves the balance unchanged, so the check
    // `preBal + amount` would fail for to == address(this); that case is excluded explicitly.
    function testFuzz_transfer(address to, uint256 amount) public {
        vm.assume(to != address(0) && to != address(this));
        amount = bound(amount, 0, token.balanceOf(address(this))); // bound() instead of assume(): fewer rejected runs
        uint256 preBal = token.balanceOf(to);
        token.transfer(to, amount);
        assertEq(token.balanceOf(to), preBal + amount);
    }
}
Gas Optimization
High-Impact Optimizations
1. Storage is Expensive (a fresh SSTORE costs 20,000 gas, 22,100 for a cold slot, versus 3 for an ADD)
• Pack struct variables (for example two uint96 values and a uint64 share one 32-byte slot)
• Use mappings over arrays when order doesn't matter
• Cache storage reads in memory or stack variables; even a warm SLOAD costs 100 gas
2. Calldata Over Memory
• Use calldata for read-only function parameters
• Avoids copying the argument into memory; the saving grows with the size of the array or bytes parameter
3. Batch Operations
• Multi-call patterns for batch transfers
• ERC-1155 over multiple ERC-721 for batch NFT operations
4. Low-Level Optimizations
• Inline assembly for frequently-called hot paths only; it bypasses the compiler's checks, so keep it small and isolated and audit it separately
• Custom errors over require strings: no string bytes in the deployed bytecode and a smaller revert payload
• Unchecked math only where overflow is provably impossible (for example a loop counter bounded by an array length); an unchecked block reintroduces the exact bug class that 0.8 removed
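The following is an added example, not code from the original article: the same batch-deposit logic written twice, first in a naive layout and then with the optimizations above applied (struct packing, calldata parameters, cached reads, custom errors, unchecked loop counter, and an event instead of an on-chain array). The contract, struct and event names are illustrative; confirm the actual savings with the gas report commands in the next section rather than trusting the comments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original article). Names are illustrative.

contract Unoptimized {
    struct Position {           // four fields, four 32-byte slots
        uint256 amount;
        uint256 rewardDebt;
        uint256 lastUpdate;
        bool active;
    }
    mapping(address => Position) public positions;
    address[] public holders;   // on-chain array kept only so off-chain code can enumerate users

    // memory parameters: the ABI decoder copies both arrays into memory before the body runs
    function deposit(address[] memory users, uint256[] memory amounts) external {
        require(users.length == amounts.length, "users/amounts length mismatch"); // string lives in bytecode
        for (uint256 i = 0; i < users.length; i++) {
            positions[users[i]].amount += amounts[i];           // SLOAD + SSTORE, slot 1
            positions[users[i]].lastUpdate = block.timestamp;   // SSTORE, slot 3
            positions[users[i]].active = true;                  // SSTORE, slot 4
            holders.push(users[i]);                             // SSTORE for the element and the length
        }
    }
}

contract Optimized {
    // uint96 + uint96 + uint32 + bool = 12 + 12 + 4 + 1 = 29 bytes: one slot instead of four.
    // uint96 tops out near 7.9e28, ample for 18-decimal token amounts; the bound is enforced below.
    struct Position {
        uint96 amount;
        uint96 rewardDebt;
        uint32 lastUpdate;      // unix seconds, sufficient until 2106
        bool active;
    }
    mapping(address => Position) public positions;

    // Event replaces the holders array: a log is far cheaper than storage, and indexers read logs
    event Deposited(address indexed user, uint256 amount);

    // Custom errors: no revert string in bytecode; the revert payload is a 4-byte selector plus arguments
    error LengthMismatch(uint256 users, uint256 amounts);
    error AmountTooLarge(uint256 amount);

    // calldata parameters: read directly from the transaction, no memory copy
    function deposit(address[] calldata users, uint256[] calldata amounts) external {
        uint256 len = users.length;                  // cached once, not re-read each iteration
        if (len != amounts.length) revert LengthMismatch(len, amounts.length);
        uint32 nowTs = uint32(block.timestamp);      // computed once, outside the loop
        for (uint256 i = 0; i < len; ) {
            uint256 amt = amounts[i];
            // explicit narrowing conversions truncate silently, so this range check is mandatory
            if (amt > type(uint96).max) revert AmountTooLarge(amt);
            Position memory p = positions[users[i]]; // single SLOAD reads the whole packed slot
            p.amount += uint96(amt);                 // checked add: still reverts on uint96 overflow
            p.lastUpdate = nowTs;
            p.active = true;
            positions[users[i]] = p;                 // single SSTORE writes the whole packed slot
            emit Deposited(users[i], amt);
            unchecked { ++i; }                       // i < len, so the increment cannot overflow
        }
    }
}
```

The range check before the uint96 cast is the security-relevant detail: packing buys the gas saving, and the explicit check is what keeps a large deposit from being silently truncated into a small recorded balance.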
Gas Benchmarking
Always benchmark before and after optimization:
forge test --gas-report
forge snapshot --diff
Security Checklist
Pre-Deployment
• 100% unit test coverage on all public/external functions (branch coverage, not just line coverage)
• Invariant tests for critical properties
• Static analysis (Slither) with zero unresolved high/medium findings; document every triaged false positive
• Fuzzing (Echidna) with 1M+ runs
• Professional audit by 2+ firms, with all findings fixed and the fixes re-reviewed
• Bug bounty program set up (Immunefi)
• Timelock on admin functions, so users can exit before a malicious or mistaken change takes effect
• Emergency pause mechanism, with the pause key held separately from the upgrade/admin key
• Upgrade path documented (if upgradeable), including storage-layout compatibility checks
Common Vulnerabilities to Check
• Reentrancy: follow checks-effects-interactions (state updated before every external call) and add a reentrancy guard on functions that move value; ERC-777 hooks and ERC-721 safeTransfer callbacks are external calls too
• Integer overflow: use Solidity 0.8+ (or SafeMath on older compilers); audit every unchecked block and every explicit downcast, which still truncates silently
• Access control: every admin function restricted (owner or role check); initializers of upgradeable contracts protected against being called twice
• Front-running: commit-reveal schemes where needed, and slippage limits plus deadlines on any price-sensitive call
• Signature replay: include a nonce, the chain ID and the verifying contract address in the signed message (EIP-712), consume the nonce before acting, and reject malleable (high-s) signatures
• Precision loss: multiply before dividing, use sufficient decimals, and make rounding favour the protocol rather than the caller
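To make the reentrancy and signature-replay items concrete, here is an added example that is not part of the original article: a single vault contract with a deliberately vulnerable withdrawal next to its hardened form, and a signed withdrawal whose signature is bound to a nonce, the chain ID and the contract address. Vault, Attacker, the typehash string and the "Vault" domain name are illustrative choices, not a real project's code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original article). Names and the EIP-712 domain are illustrative.

contract Vault {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public nonces;   // per-signer counter: each signature is valid exactly once
    uint256 private locked = 1;                  // 1 = unlocked, 2 = locked (non-zero values are cheaper to toggle)

    error Reentrant();
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();
    error Expired(uint256 deadline);
    error BadSignature();

    bytes32 private constant WITHDRAW_TYPEHASH =
        keccak256("Withdraw(address owner,address to,uint256 amount,uint256 nonce,uint256 deadline)");
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,uint256 chainId,address verifyingContract)");
    uint256 private constant SECP256K1_N_DIV_2 =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    modifier nonReentrant() {
        if (locked == 2) revert Reentrant();
        locked = 2;
        _;
        locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // VULNERABLE (kept deliberately): the external call happens before the balance is cleared, so a
    // contract recipient's receive() can call back in while its balance still reads as unspent.
    function withdrawAllVulnerable() external {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction
        if (!ok) revert TransferFailed();
        balances[msg.sender] = 0;                            // effect, too late
    }

    // HARDENED: checks, effects, interactions, plus a reentrancy guard as defence in depth.
    function withdraw(uint256 amount) external nonReentrant {
        uint256 bal = balances[msg.sender];                  // check
        if (bal < amount) revert InsufficientBalance(amount, bal);
        balances[msg.sender] = bal - amount;                 // effect before any external call
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction last
        if (!ok) revert TransferFailed();
    }

    // EIP-712 domain separator: binds every signature to this chain id AND this contract address,
    // so a signature cannot be replayed on a fork or against another deployment of the same code.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256("Vault"), block.chainid, address(this)));
    }

    // Signed withdrawal. Replay protection: the nonce is consumed before verification and payment,
    // and the deadline bounds how long a signature stays usable.
    function withdrawWithSig(
        address owner, address to, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external nonReentrant {
        if (block.timestamp > deadline) revert Expired(deadline);
        uint256 nonce = nonces[owner]++;                     // effect: this nonce can never be reused
        bytes32 structHash = keccak256(abi.encode(WITHDRAW_TYPEHASH, owner, to, amount, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        // ecrecover accepts both encodings of a signature; reject the high-s form so each message has one
        if (uint256(s) > SECP256K1_N_DIV_2) revert BadSignature();
        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0) || signer != owner) revert BadSignature();
        uint256 bal = balances[owner];
        if (bal < amount) revert InsufficientBalance(amount, bal);
        balances[owner] = bal - amount;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}

// Illustrative attacker: re-enters withdrawAllVulnerable() from receive() until the vault is drained.
// The same re-entry against withdraw() fails: the balance is already reduced and the guard reverts.
contract Attacker {
    Vault private immutable vault;
    constructor(Vault v) payable { vault = v; }
    function attack() external {
        vault.deposit{value: 1 ether}();
        vault.withdrawAllVulnerable();
    }
    receive() external payable {
        if (address(vault).balance >= 1 ether) vault.withdrawAllVulnerable();
    }
}
```

Two details are easy to get wrong even when the pattern is known: the nonce must be incremented before the external call (otherwise a re-entrant call sees the old nonce), and the domain separator must be computed from block.chainid at call time rather than cached at deployment, or a post-fork chain would keep honouring pre-fork signatures.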
Key Takeaways
• Test with invariants, not just units: invariant testing catches bugs that unit tests miss by running thousands of random transaction sequences
• Gas optimization has real ROI: at scale, storage packing and calldata usage save thousands of dollars daily
• Audit is necessary but not sufficient: combine professional audits with fuzzing, formal verification, and bug bounties
• Choose the right language for your chain: Solidity for EVM, Rust for Solana, Move for Sui/Aptos
FAQ
How much does a smart contract audit cost?
Professional audits range from $10K for simple contracts to $500K+ for complex DeFi protocols. Typical costs: simple token ($10-30K), DeFi protocol ($50-200K), complex system ($200-500K). Timeline is 2-8 weeks. Always get at least 2 independent audits for contracts holding significant value.
Is Solidity still the best language for smart contracts?
For EVM-compatible chains (Ethereum, Arbitrum, Base), yes: largest ecosystem, most tooling, biggest hiring pool. For Solana, Rust with Anchor is the standard. For Sui/Aptos, Move offers the strongest safety guarantees. The "best" depends on your target chain and team expertise.
What is formal verification and do I need it?
Formal verification mathematically proves that contract code satisfies specified properties. Tools like Certora Prover can prove invariants hold for ALL possible inputs, not just tested ones. Essential for contracts holding >$10M or managing user funds. Cost: $50K-$200K on top of standard audits.
How do I find and hire smart contract developers?
The Web3 talent pool is concentrated on: GitHub (open-source contributions), ETHGlobal hackathon winners, audit competition platforms (Code4rena, Sherlock), and specialized recruitment agencies. Expect to pay $150K-$400K for senior Solidity engineers; Rust/Move developers command 20-30% premiums.