Planned / 8 min
What I check first in a small Solidity contract
A repeatable review path for access control, external calls, state transitions, and accounting assumptions.
For a small Solidity contract, I start by reading the permission model before reading the clever parts. Who owns the contract, who can change settings, and which functions move value?
After that, I look at external calls and state updates. If the contract sends ETH, calls tokens, or depends on another contract, the ordering of state updates relative to those calls matters more than the surface-level intent: a callee can re-enter before the update lands, so a balance that is zeroed after the send is still visible during it.
Then I write down the assumptions in plain language. If the contract expects relationships between balances, roles, or totals to hold (the vault holds at least what depositors are owed, only the owner can change a fee), those expectations should become tests or invariants that a harness can check after every call sequence.
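The three checks above, walked through on a small contract as an added example (this is illustration written for this note, not code from any real project). `VulnerableVault`, `HardenedVault`, `Reenter`, and the `feeBps` setting are hypothetical names chosen here; the vulnerable version shows an ungated setter and an external call ahead of the state update, the hardened version gates the setter, reorders the withdrawal to checks-effects-interactions, and turns the accounting assumption into a callable invariant.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the review path, not code from the note. Names are
// hypothetical: "Vault" is a minimal deposit/withdraw contract with one
// owner-controlled setting (feeBps) used to show the permission check.

contract VulnerableVault {
    address public owner;
    uint256 public feeBps;                 // a setting only the owner should touch
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    // Check 1 (permission model): no access control, anyone can change the fee.
    function setFeeBps(uint256 newFee) external {
        feeBps = newFee;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Check 2 (ordering): the ETH send happens before the balance is zeroed,
    // so a contract receiver can re-enter withdraw() while its balance is intact.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }
}

contract HardenedVault {
    address public owner;
    uint256 public feeBps;
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;          // bookkeeping the invariant relies on

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Setting change gated on the owner and bounded (10_000 bps = 100%).
    function setFeeBps(uint256 newFee) external onlyOwner {
        require(newFee <= 10_000, "fee above 100%");
        feeBps = newFee;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    // Checks-effects-interactions: state is updated before the external call,
    // so a re-entrant call sees a zero balance and fails the require.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Check 3 (assumptions as invariants): "the vault holds at least what
    // depositors are owed", written as a view a test or fuzzer can assert
    // after every call sequence.
    function invariantHolds() external view returns (bool) {
        return address(this).balance >= totalDeposits;
    }
}

// Hypothetical receiver that demonstrates why the ordering matters: its
// receive() calls withdraw() again while the first call's balance is still set.
// Against HardenedVault the nested call reverts on "nothing to withdraw".
contract Reenter {
    VulnerableVault public target;

    constructor(VulnerableVault t) { target = t; }

    function attack() external payable {
        target.deposit{value: msg.value}();
        target.withdraw();
    }

    receive() external payable {
        if (address(target).balance >= msg.value) {
            target.withdraw();
        }
    }
}
```

Reading order matters here as much as code order: the `onlyOwner` modifier and the fee bound answer "who can change settings", the position of `balances[msg.sender] = 0` relative to the `call` answers "does ordering match intent", and `invariantHolds()` is the written-down assumption that a Foundry or Hardhat test can call after each fuzzed sequence of deposits and withdrawals.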