Solidity Smart Contract Development for EVM Networks

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Solidity Smart Contract Development for EVM Networks
Medium
~3-5 days
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1347
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    948
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

Solidity Smart Contract Development

A client brings a contract for audit — 800 lines of Solidity, deployment on Ethereum mainnet scheduled in a few days. On the third page of code, a pattern emerges: an external call before state update, a classic reentrancy. Not theoretical — the same configuration was in The DAO, resulting in over $60 million in losses (at current exchange rates). The contract goes back for rework. This is a standard scenario when development lacks a systematic approach to security. In our practice, we encounter such issues regularly and have proven solutions.

Why Reentrancy Still Appears in Solidity Contracts

Despite the attack being known for a long time, reentrancy variants continue to surface. The issue isn't ignorance of the pattern — most developers know about Checks-Effects-Interactions. The problem is cross-function reentrancy, which OpenZeppelin's ReentrancyGuard does not cover by default.

Scenario: contract A calls contract B via low-level call. B is a token implementing ERC-777 with a tokensReceived hook. At the moment of the hook, A has already deducted tokens but hasn't sent ETH yet. The withdrawal function in A isn't blocked by the reentrancy guard because the developer thought only withdraw was protected. Result: drain of reserves. As described in Reentrancy Attack on Wikipedia, this is one of the most common attack vectors.

Solution: apply nonReentrant to all public functions that change state and make external calls. For complex systems, use a separate ReentrancyGuardUpgradeable with module-level checks instead of function-level.

Where Else Vulnerabilities Hide: Storage Collision and Gas Griefing

Storage collision in proxy patterns: when using Transparent Proxy or UUPS, variables are stored in storage slots by declaration position. If a new implementation version adds a variable before an existing one, the entire storage shifts. address public owner turns into garbage that was once uint256 public totalSupply. Several protocols discovered the issue after upgrades when mappings started returning incorrect values. ERC-7201 (namespaced storage) saves the day — implementation variables are stored in a pre-selected slot via a keccak256 hash, isolated from proxy variables.

Gas griefing through unbounded loops: a function that iterates over address[] public users without limits is safe with 50 users but becomes a DoS vector at 5000. The transaction hits the block gas limit and reverts. If the function is critical to the protocol, griefing is cheap for the attacker and expensive for the protocol. Solution: pagination via offset/limit or a pull pattern instead of push (users claim rewards themselves rather than the contract distributing to everyone).

How We Write Contracts End-to-End

Stack and Tools

Our primary development tool is Foundry. Not because it's trendy, but for specific capabilities: fuzz testing directly in tests via vm.fuzz, fork tests on real mainnet state via vm.createFork, and compilation speeds 4-5 times faster than Hardhat on large projects.

Hardhat remains in the stack for tasks where plugin ecosystem matters: hardhat-deploy for reproducible deployments, hardhat-gas-reporter for gas reports in CI, and TypeChain integration.

Base contracts — OpenZeppelin 5.x. We don't fork or modify internals. If behavior extension is needed — inheritance and override with explicit super._call().

Static analysis: Slither on every PR, Mythril for symbolic execution before deployment. For fuzzing complex logic — Echidna with property-based tests. Echidna finds 3 times more bugs than standard unit tests — a key differentiator of our approach.

Patterns We Use

  • Pull payment pattern — ETH is never sent directly from a protocol function. Balances accumulate in a mapping, users call withdraw(). This eliminates a whole class of reentrancy vectors and solves issues with recipient contracts that revert receive(). In one case, this pattern proved 80% more secure than push.
  • Multicall — batching transactions via ERC-2771 or custom implementation. Reduces on-chain calls, critical when gas is high on mainnet.
  • Diamond Pattern (EIP-2535) — for systems where the number of functions exceeds the 24 KB bytecode limit per contract. Facet architecture allows functionality addition without storage corruption. We use it rarely — only where truly necessary due to audit complexity.

How We Optimize Gas in Smart Contracts

Pattern Problem Solution Gas Savings
bool variable alone Occupies full slot (32 bytes) Pack into struct with adjacent types 15-20k gas on deploy
storage read in loop Each SLOAD = 100 gas (EIP-2929) Cache in memory variable before loop Up to 80% on loop
string in storage Expensive and inefficient bytes32 for fixed strings 3-5x savings
Using require instead of if revert Extra checks Inline assembly for frequent checks 5-10% per transaction

Reordering variables for slot packing is the first thing we do during gas auditing. A contract with uint128 a; uint256 b; uint128 c; takes 3 slots. Reorder to uint128 a; uint128 c; uint256 b; — 2 slots. On deploy, the difference is 20-40k gas; on every SLOAD in hot paths, it's noticeable.

In one project, we reduced gas by 40% for a staking contract: replaced for with while, packed structs, used bit masks. Final gas ~150k instead of 250k. A protocol with 10,000 users saves significant amounts on fees monthly. We guarantee a minimum 20% gas reduction in every project.

What Is Included in the Work

  • Architectural documentation (diagrams, storage layout, interfaces)
  • Source code with tests (coverage >95%, fuzz tests)
  • Internal audit with SWC report
  • Deployment and verification scripts
  • Repository access and CI/CD (if needed)
  • Post-deployment consultation: 1 month of support

Typical Development Mistakes

  • Using tx.origin for authentication instead of msg.sender — opens phishing attacks.
  • Missing address(0) checks in constructors and setters — leads to loss of control.
  • Explicit type casting without validation — causes overflow or unexpected behavior.
  • Using send() or transfer() instead of call — limits gas to 2300, breaks multi-sig integrations.

How We Work

  1. Analytics (1-3 days). Dissect the architecture: roles, permissions, invariants the system must always uphold. Invariants are the foundation for property-based tests in Echidna.
  2. Design (2-5 days). Contract diagram, storage layout, interfaces. At this stage, we decide on upgradeability: UUPS, Transparent, or immutable. For DeFi protocols with high value, upgradeability isn't always an advantage from a trust perspective.
  3. Development. Contracts + tests in Foundry. Coverage >95% by lines, fuzz tests on all public functions with numeric parameters. Fork tests on Ethereum/Polygon mainnet for integrations with Uniswap, Aave, Chainlink.
  4. Internal Audit. Slither, Mythril, manual review with SWC checklist. Doesn't replace external audits but closes low/medium severity issues before they start.
  5. Deployment. Scripts via Foundry forge script with automatic verification on Etherscan/Polygonscan. Deploy first to testnet (Sepolia, Mumbai), then mainnet with multi-sig via Gnosis Safe.

Timeline Estimates

Contract Type Timeline
ERC-20 with basic functions 3-5 days
Staking with rewards and locks 1-2 weeks
DeFi protocol (AMM, lending) from 6 weeks
Full audit of existing code from 5 days

Assess the complexity of your project — contact us for a free consultation. Get a detailed estimate from an engineer.

Smart Contract Development

We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().

Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.

How We Develop Smart Contracts Turnkey

We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).

Language Execution Model Typical Domain Risks
Solidity 0.8.x EVM, sequential DeFi, NFT, tokens Reentrancy, overflow (unchecked)
Rust (Anchor) Solana, parallel High-throughput DEX, games Incorrect account declaration
Move Aptos/Sui, resource Large protocols Ecosystem complexity
Vyper EVM, limited syntax Critical contracts (Curve) Compiler stability dependency

Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.

Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.

Why Smart Contract Audit Is Critical for Security

Audit is not a one-time check—it is a built-in development stage. We use three levels:

  1. Static analysisSlither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
  2. Fuzzing and invariant testsFoundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
  3. Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.

Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.

What Upgrade Patterns Do We Choose?

Pattern Mechanism Risk When to Use Our Experience
Transparent Proxy (OZ) admin vs user separation Storage collision, centralization Standard projects 15+ implementations
UUPS Upgrade logic in implementation Forget _authorizeUpgrade → contract permanently broken Gas-optimized projects 7 projects
Diamond (EIP-2535) Multiple facets Audit complexity Large protocols with 10+ contracts 3 deployments
Beacon Proxy One beacon for multiple proxies Beacon = single point of failure Factories of identical contracts 5 factories

Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.

How to Protect a Contract from MEV and Front-Running

On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.

What Is the Development Process?

  1. Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
  2. Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
  3. Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
  4. External audit—for projects with real money. Timeline: 2–4 weeks.
  5. Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
  6. Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.

What Is Included

  • Architecture documentation and contract specification (NatSpec).
  • Source code with repository and CI (Slither, Foundry, coverage).
  • Deployed contract with verification on blockchain explorer.
  • Audit results (internal and external upon request).
  • Access to monitoring and management (Gnosis Safe).
  • Code warranty: critical bug fixes within one month after deployment.
  • Consultation on web integration (wagmi, RainbowKit).

Estimated Timelines

  • ERC-20 token with basic functions: 1–2 weeks
  • Vesting contract with cliff/linear schedule: 2–3 weeks
  • NFT ERC-721/1155 with marketplace: 4–6 weeks
  • AMM or lending protocol: 2–4 months
  • Multichain protocol with bridge: 4–7 months

Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.

Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.