The following is an informal compendium of ways you can screw up when mixing and matching smart contracts:
- Be aware of front running on changes to the
allowedvalue. - Be aware that some tokens don't return a boolean on success or failure.
- Some token balances change overtime, even without a transfer.
- Use
balanceOf(addr)over internal accounting. (https://medium.com/trustless-fund/atoken-withdrawal-vulnerability-disclosure-5d8eadc64539)
- Use
- These tokens have the same interface as ERC20, but they enable reentrancy. Use a mutex, or strictly adhere to checks effects interactions.
- Watch out for rounding errors
- Watch out for replay attacks
- calls to EOAs return true!
- Push over pull
- Selector colissions
- Watch out for Gas grieffing attacks