A Beginner's Guide to Auditing an ERC20 Contract
Too Long; Didn't Read
Things to check when auditing an ERC20 contract:
When tokens move from one account to another, check that the balances are updated correctly: the sender is debited and the receiver credited by the same amount, so totalSupply is unchanged, and transfers to the zero address or beyond the sender's balance are rejected.
Similarly, when the contract sends ETH, check that all state changes happen before the external call (the checks-effects-interactions pattern). For example, the sender's balance must be reduced before the ETH is sent to the receiver; otherwise the receiver's fallback can re-enter the function and be paid again against the stale balance. Updating state first, or adding a reentrancy guard, stops attacks like reentrancy.
Check every public and external function, because these are the entry points anyone can call; a bug in any of them lets an attacker drain the contract's balance. Check every external call the contract makes as well, since the address being called may be untrusted code.
If the contract has multiple user roles (e.g. owner, minter, pauser), enumerate them and check that every privileged function is gated by the correct modifier and that roles cannot be reassigned or escalated by unauthorized callers.
Check whether the parent contracts (ERC20, Ownable) are standard, widely audited implementations (e.g. written by OpenZeppelin) or custom-written by the developer. Custom versions need the same scrutiny as the rest of the code, and even standard ones should be checked for the exact version imported and for any local modifications.
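The following is an added example, not code from the original post, that puts the checklist items above into concrete form. It is a stripped-down, ETH-backed ERC20-style token (1 wei buys 1 token unit, tokens can be redeemed for ETH) with a vulnerable and a hardened version side by side: the balance update in transfer(), an ETH-paying function that re-enters versus one that follows checks-effects-interactions, a privileged mint() gated by a hand-written owner check of the kind the last item says to scrutinise, and a constructed attacker contract. All contract and function names are hypothetical, and the code assumes Solidity 0.8.x with its checked arithmetic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the original post. ETH-backed ERC20-style
// token: VulnerableToken pays out before updating state, SafeToken follows
// checks-effects-interactions and gates mint(). Names are hypothetical.

contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function buy() external payable {
        balanceOf[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    // BUG: the ETH transfer (interaction) runs before the balance is zeroed
    // (effect). A contract receiver re-enters redeemAll() from receive()
    // while balanceOf[msg.sender] still holds the old value and is paid
    // again for as long as the contract has ETH left.
    function redeemAll() external {
        uint256 amount = balanceOf[msg.sender];
        require(amount > 0, "nothing to redeem");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "eth transfer failed");
        balanceOf[msg.sender] = 0;
        totalSupply -= amount;
    }
}

// Constructed attacker: call attack() with some ETH while the target holds
// other users' deposits, and it drains them in one transaction.
contract Reenter {
    VulnerableToken public immutable target;

    constructor(VulnerableToken t) { target = t; }

    function attack() external payable {
        target.buy{value: msg.value}();
        target.redeemAll();
    }

    // Invoked by the target's call{value: ...}; re-enter while the target
    // can still cover another payout of the same size.
    receive() external payable {
        if (address(target).balance >= msg.value) {
            target.redeemAll();
        }
    }
}

contract SafeToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable owner;

    constructor() { owner = msg.sender; }

    // Hand-written access control (a production contract would normally
    // inherit OpenZeppelin's Ownable). The auditor checks that it guards
    // every privileged function and that nothing can reassign owner.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function buy() external payable {
        balanceOf[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    // Checks, then effects, then interactions: state is final before any
    // ETH leaves, so a re-entering receiver sees a zero balance and reverts.
    function redeemAll() external {
        uint256 amount = balanceOf[msg.sender];
        require(amount > 0, "nothing to redeem");
        balanceOf[msg.sender] = 0;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "eth transfer failed");
    }

    // Invariant for the auditor: sender debited and receiver credited by the
    // same amount, totalSupply unchanged. Solidity >= 0.8 already reverts on
    // underflow; the explicit require just gives a clearer error.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(to != address(0), "zero address");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // Privileged: left unguarded, anyone could mint tokens and redeem them
    // for the ETH other users deposited.
    function mint(address to, uint256 amount) external onlyOwner {
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}
```

To see the bug, deploy VulnerableToken, have a second account call buy() with some ETH, then deploy Reenter against it and call attack() with a smaller amount: the attacker ends up with its own deposit plus everything the other account put in, and the unwinding totalSupply subtractions do not underflow because the total paid out never exceeds the ETH the contract held. Repeating the same sequence against SafeToken pays the attacker only its own deposit, since the nested redeemAll() hits the "nothing to redeem" check.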