Master Solidity development with proven best practices for secure, efficient smart contracts. Implement Checks-Effects-Interactions, ReentrancyGuard, gas optimizations, and comprehensive testing using OpenZeppelin libraries.
## Solidity Coding Standards
Adopt clear naming conventions: use CamelCase for contract names and PascalCase for interfaces prefixed with 'I'. Always specify visibility modifiers explicitly and add detailed NatSpec comments for public/external functions.
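```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @title IERC20 Interface
/// @notice Standard ERC20 interface
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @notice Declared abstract so it compiles until transfer() is implemented
abstract contract MyToken is IERC20 {
    // Implementation
}
```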
Favor composition over deep inheritance to keep code maintainable.
## Security Patterns
Apply the Checks-Effects-Interactions (CEI) pattern to avoid reentrancy. Use OpenZeppelin's ReentrancyGuard and SafeERC20 for token handling. Prefer custom errors over strings for gas savings.
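```solidity
pragma solidity ^0.8.20;

// OpenZeppelin 4.x import paths; in 5.x ReentrancyGuard lives under utils/
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract Vault is ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;               // Token held by the vault
    mapping(address => uint256) public balance;  // Per-user deposited amount
    error InsufficientBalance(uint256 available, uint256 required);

    constructor(IERC20 token_) {
        token = token_;
    }

    function withdraw(uint256 amount) external nonReentrant {
        // Checks
        if (balance[msg.sender] < amount) revert InsufficientBalance(balance[msg.sender], amount);
        // Effects
        balance[msg.sender] -= amount;
        // Interactions
        token.safeTransfer(msg.sender, amount);
    }
}
```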
Implement timelocks with OpenZeppelin's TimelockController and multisig via AccessControl for critical actions. Add Pausable for emergency pauses.
## Upgradeability & Access Control
For upgradeable contracts, use proxy patterns and secure initializer access. Leverage OpenZeppelin's AccessControl for role-based permissions.
```solidity
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";

contract Governed is AccessControl {
    bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");

    constructor() {
        // DEFAULT_ADMIN_ROLE administers ADMIN_ROLE; its holder must grant
        // ADMIN_ROLE to an account before execute() becomes callable.
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    function execute(address target, bytes calldata data) external onlyRole(ADMIN_ROLE) {
        // Execution logic
    }
}
```
## Gas Optimization Techniques
Pack storage variables efficiently, use constant for compile-time values and immutable for values set once at deployment, and prefer custom errors over revert strings. Employ assembly sparingly and document it fully. Prefer pull payments over push to prevent DoS.
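```solidity
pragma solidity ^0.8.20;

contract OptimizedStorage {
    uint128 public packed1; // Shares one 32-byte slot with packed2
    uint128 public packed2;
    uint256 public constant FEE = 100; // Compile-time constant, uses no storage slot
    error InvalidAmount();

    // payable is required for a function that reads msg.value
    function process() external payable {
        if (msg.value == 0) revert InvalidAmount();
    }
}
```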
Use view/pure modifiers correctly and OpenZeppelin's Address library for safe external calls.
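The pull-over-push advice above, shown as an added example that is not part of the original page: a push-style refund next to its pull-style replacement. The auction scenario and all contract, function and error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example; all names here are hypothetical.
/// Push design: the refund to the previous leader happens inside bid().
contract PushAuction {
    address public leader;
    uint256 public highest;

    function bid() external payable {
        require(msg.value > highest, "bid too low");
        address prev = leader;
        uint256 refund = highest;
        leader = msg.sender;
        highest = msg.value;
        if (prev != address(0)) {
            // If prev is a contract that rejects ETH, this call fails and
            // every later bid reverts: the auction is stuck (DoS).
            (bool ok, ) = prev.call{value: refund}("");
            require(ok, "refund failed");
        }
    }
}

/// Pull design: bid() only records the debt; each bidder collects it later.
contract PullAuction {
    address public leader;
    uint256 public highest;
    mapping(address => uint256) public pendingReturns;

    error BidTooLow(uint256 highest, uint256 offered);
    error NothingToWithdraw();
    error TransferFailed();

    function bid() external payable {
        if (msg.value <= highest) revert BidTooLow(highest, msg.value);
        if (leader != address(0)) pendingReturns[leader] += highest; // effect only
        leader = msg.sender;
        highest = msg.value;
    }

    function withdraw() external {
        uint256 amount = pendingReturns[msg.sender];       // check
        if (amount == 0) revert NothingToWithdraw();
        pendingReturns[msg.sender] = 0;                    // effect
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction
        if (!ok) revert TransferFailed();
    }
}
```

In the pull version a recipient that cannot accept ETH only blocks its own withdrawal, at the cost of one extra transaction per refund.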
## Events & State Management
Emit events for all key state changes. Design state machines for complex flows and use ERC20Votes for governance tokens.
```solidity
event Transfer(address indexed from, address indexed to, uint256 value);
event Paused(address account);
```
## Randomness & Oracles
Avoid blockhash/timestamp for randomness; integrate Chainlink VRF.
## Testing & Workflow
Build unit, integration, and fuzz tests with Hardhat. Aim for 100% coverage on critical paths. Run Slither/Mythril in CI/CD. Use pre-commit hooks for linting.
```typescript
// Hardhat test example
import { expect } from "chai";
import { ethers } from "hardhat";

describe("Vault", () => {
  it("should withdraw correctly", async () => {
    // Test logic
  });
});
```
Conduct audits and bug bounties. Document architecture and decisions thoroughly.