Smart Contract Refactoring
The contract works, funds aren't lost — but each new feature triggers panic. Storage layout has bloated, functions are 200 lines long, and tests are absent. Our experience shows that such technical debt accumulates unnoticed until it leads to critical failures or gas waste. We guarantee: after refactoring, the code becomes predictable and secure.
Where Technical Debt Hides Most Often
Suboptimal Storage Layout
Solidity packs variables into 32-byte slots. If variables are declared in the order uint128, uint256, uint128, that's three slots instead of two. On a contract with thousands of calls per day, reordering 8 variables for slot packing reduced gas on write operations by 40%. Savings — up to $5000 per year per user. That's real money going to gas.
Unbounded Loops as Gas Griefing
The pattern for (uint i = 0; i < users.length; i++) in a contract where users can grow is not just inefficient. An attacker adds 10,000 addresses, and a call to distribute() exceeds the block gas limit (30M gas). The function becomes unexecutable — contract stuck. Refactoring to a pull pattern with pagination solves this structurally.
Cross-Function Reentrancy
OpenZeppelin's ReentrancyGuard protects one function. But if withdraw() is guarded and claim() is not — and both modify the same balance mapping — reentrancy is possible. This is how an $80M exploit worked. During refactoring, we audit the entire call graph, not just individual functions.
How We Approach Refactoring
The first step is static analysis with Slither. In 2-3 minutes, it finds reentrancy, uninitialized variables, tx.origin authorization, and shadow variables. Slither gives hundreds of warnings — critical ones must be separated from informational. Then, Mythril for symbolic execution on key functions.
Here is the step-by-step process:
- Analysis: static and symbolic analysis (Slither, Mythril), compile a prioritized issue registry.
- Planning: group changes, isolate dependencies, write tests for edge cases.
- Refactoring: each change in a separate PR with tests. Apply Solidity best practices, Check-Effects-Interactions, Diamond pattern (EIP-2535).
- Testing: fuzz tests in Foundry, compare gas reports with
forge snapshot.
- Deployment: scripts on ethers.js, monitoring via Tenderly.
Example: Staking Pool Refactoring
On one project, we replaced an unbounded loop with a pull pattern with pagination. Added an emergencyWithdraw flag for safe exit under DoS. Implemented custom errors instead of string require — saving 100 gas per revert. Result: the distribute function became executable even with 50,000 users, and overall gas savings reached 15%.
Why Smart Contract Refactoring Is Cheaper Than an Audit?
An audit identifies issues but doesn't fix them. Refactoring eliminates technical debt immediately. We don't just write a report — we rewrite the code to be secure and gas-efficient. A typical audit costs $10-30k, and refactoring with fixes costs the same, but with working code. Contact us — we will assess your project and propose a work plan.
Gas Optimization: Specific Numbers
| Pattern |
Gas Savings (Approx.) |
| Slot packing variables |
20-40% on SSTORE |
| memory instead of storage in functions |
15-30% on reads |
| unchecked increment |
60-80 gas per iteration |
| calldata instead of memory |
50-100 gas per argument |
| Custom errors instead of require strings |
50-200 gas per revert |
Typical Issues and Solutions
| Issue |
Solution |
Savings/Benefit |
| Reentrancy across multiple functions |
Full call graph analysis + OpenZeppelin ReentrancyGuard |
Prevents losses up to $80M |
| Suboptimal storage layout |
Variable reordering, packing |
$5000/year gas savings |
| Unbounded loops |
Pull pattern with pagination |
Guaranteed function executability |
What Is Included in the Work
- Code audit with vulnerability registry and optimization opportunities.
- Fixing all critical and medium issues.
- Tests in Foundry (unit, integration, fuzz).
- Gas report comparison before/after.
- Documentation of changes and deployment instructions.
- Code warranty — 6 months support.
What Mistakes Are Most Often Made During Refactoring?
- Fix only obvious issues without checking cross-function reentrancy.
- Change ABI without isolation — break integrations.
- Forget to update tests after changes.
- Simplify storage layout but ignore inherited contracts.
Our engineers have 10+ years of blockchain development experience and have completed over 50 refactoring projects. Get a consultation — we'll tell you what needs fixing in your contract.
Solidity Version Upgrade
Migrating from 0.6/0.7 to 0.8+ includes: automatic overflow checks (SafeMath no longer needed), custom errors, and immutable variables. But it's not just changing the pragma — ABI encoding changes, assembly patterns require adaptation. We test each change in isolation.
OpenZeppelin ReentrancyGuard is the security standard we use as baseline. Contact us — we will assess your project and offer turnkey refactoring.
Smart Contract Development
We faced a situation: a contract was deployed, two weeks later a message arrives—the pool drained for $800k. Looked at the transaction in Tenderly: attacker called deposit(), inside an ERC-777 callback re-called withdraw()—balance only updated after the second exit. Classic reentrancy, but not via ETH transfer—through an ERC-777 hook. ReentrancyGuard was only on withdraw().
Such cases are not rare. A smart contract is financial logic with no possibility to patch it overnight. Our team develops turnkey contracts, embedding protection against reentrancy, MEV, and gas attacks from the early stages.
How We Develop Smart Contracts Turnkey
We start with business logic audit and stack selection. Solidity 0.8.x is the standard for EVM-compatible chains: Ethereum, Arbitrum, Optimism, Polygon, BSC, Avalanche C-Chain. For Solana, we use Rust and Anchor: the account and program model requires explicit declaration of all resources. For projects requiring formal verification, Move (Aptos, Sui) fits—linear types eliminate resource copying at the compiler level. Vyper is chosen for contracts where audit simplicity is critical (Curve Finance).
| Language |
Execution Model |
Typical Domain |
Risks |
| Solidity 0.8.x |
EVM, sequential |
DeFi, NFT, tokens |
Reentrancy, overflow (unchecked) |
| Rust (Anchor) |
Solana, parallel |
High-throughput DEX, games |
Incorrect account declaration |
| Move |
Aptos/Sui, resource |
Large protocols |
Ecosystem complexity |
| Vyper |
EVM, limited syntax |
Critical contracts (Curve) |
Compiler stability dependency |
Gas optimization is not premature optimization—it is an architectural decision. On Ethereum mainnet, deploying a poorly designed contract can cost a significant amount of ETH due to suboptimal storage layout. Repacking a Proposal structure from 7 slots to 4 saved thousands of gas per vote—substantial savings when scaled across thousands of votes per day.
Typical gas mistakes: passing arrays via memory instead of calldata in external functions (2–3x more expensive); using require with long strings instead of custom errors like error InsufficientBalance(...). Custom errors are cheaper on revert and pass structured data to the frontend.
Why Smart Contract Audit Is Critical for Security
Audit is not a one-time check—it is a built-in development stage. We use three levels:
-
Static analysis—
Slither (30 seconds in CI) detects reentrancy, uninitialized variables, dangerous delegatecall.
-
Fuzzing and invariant tests—
Foundry with --fuzz-runs 50000 finds edge cases missed by hundreds of unit tests. Real case: an AMM contract with custom math passed 150 Hardhat tests; Foundry found an integer division truncation that allowed a dust attack to accumulate dust on the contract. Echidna checks invariants ("sum of all balances ≤ totalSupply").
-
Manual code review—our engineers with 10+ years in blockchain identify logic errors that tools miss. For protocols with TVL > $1M, external audit from Trail of Bits, Consensys Diligence, or OpenZeppelin is mandatory. Timeline: 2–4 weeks.
Any upgradeable protocol must have a timelock. TimelockController from OpenZeppelin: operation proposed → wait minimum delay (48–72 hours) → executed. Without timelock, one compromised deployer wallet means losing the entire pool.
What Upgrade Patterns Do We Choose?
| Pattern |
Mechanism |
Risk |
When to Use |
Our Experience |
| Transparent Proxy (OZ) |
admin vs user separation |
Storage collision, centralization |
Standard projects |
15+ implementations |
| UUPS |
Upgrade logic in implementation |
Forget _authorizeUpgrade → contract permanently broken |
Gas-optimized projects |
7 projects |
| Diamond (EIP-2535) |
Multiple facets |
Audit complexity |
Large protocols with 10+ contracts |
3 deployments |
| Beacon Proxy |
One beacon for multiple proxies |
Beacon = single point of failure |
Factories of identical contracts |
5 factories |
Storage collision is the main danger of proxies. Implementation v2 must not add variables before existing ones. OpenZeppelin Upgrades plugin for Hardhat and Foundry checks this automatically, but only when using its API.
How to Protect a Contract from MEV and Front-Running
On Ethereum mainnet, transactions in the mempool are visible to all. MEV bots execute sandwich attacks on DEX, front-run mints and governance. Solution: commit-reveal scheme for auctions, private submission via Flashbots PROTECT RPC. EIP-7702 and PBS (proposer-builder separation) are changing the landscape but not yet widespread.
What Is the Development Process?
-
Analysis—functional specification, call diagram, edge case analysis. Without this, coding starts in vain.
-
Development—Solidity/Rust with tests in parallel. Test → code → refactoring. Use Foundry for fuzz and invariant tests.
-
Internal audit—Slither + Echidna + manual code review. Foundry invariant tests for protocol invariants.
-
External audit—for projects with real money. Timeline: 2–4 weeks.
-
Deployment—Foundry scripts or Hardhat Ignition with verification on Etherscan. Gnosis Safe for ownership transfer immediately after deployment.
-
Monitoring—Tenderly alerts, OpenZeppelin Defender, Forta Network.
What Is Included
- Architecture documentation and contract specification (NatSpec).
- Source code with repository and CI (Slither, Foundry, coverage).
- Deployed contract with verification on blockchain explorer.
- Audit results (internal and external upon request).
- Access to monitoring and management (Gnosis Safe).
- Code warranty: critical bug fixes within one month after deployment.
- Consultation on web integration (wagmi, RainbowKit).
Estimated Timelines
- ERC-20 token with basic functions: 1–2 weeks
- Vesting contract with cliff/linear schedule: 2–3 weeks
- NFT ERC-721/1155 with marketplace: 4–6 weeks
- AMM or lending protocol: 2–4 months
- Multichain protocol with bridge: 4–7 months
Audit adds 3–6 weeks and runs in parallel with final testing where possible. Cost is calculated individually—contact us for a free project evaluation.
Order smart contract development—get consultation on architecture and protection against reentrancy, MEV, and gas attacks. Want to discuss details? Write to us—we will select the optimal stack for your task.