Testing

• Make unit tests as easy to understand as possible. Remove duplicate mocks and comments where necessary
• Ensure final contracts have 100% test coverage. As of 5/18 we are at 91.3%
  
• Write fuzz tests? - It looks like https://github.com/crytic/echidna is a popular choice

Both Contracts

• Lock the solidity version

GitcoinAttester

• remove setEASAddress and set address in constructor
• eas address is redundant if we have EAS contract we can get address

GitcoinVerifier

• revert within the _verify function. With this method you could remove the if statement all together and revert for the independent reasons(nonce/signature)
• remove _hashArray
• DOMAIN_SEPARATOR (contracts/GitcoinVerifier.sol#22) should be immutable
• attester (contracts/GitcoinVerifier.sol#16) should be immutable
• issuer (contracts/GitcoinVerifier.sol#17) should be immutable
• bytes32 private constant EIP712DOMAIN_TYPEHASH, bytes32 private constant STAMP_TYPEHASH, bytes32 private constant PASSPORT_TYPEHASH can be prehashed and the values can be assigned to the bytes32 value - will minimize gas in deployment
• Add an onlyOwner withdraw function to contract. Funds would currently be locked forever. This would also require the contract to be updated to ownable. Another option could be an allowed address set in the constructor/deployment
• Convert loops to unchecked loop to reduce gas usage https://hackmd.io/@totomanov/gas-optimization-loops#2-Increment-the-variable-in-an-unchecked-block

General

• remove console.logs
• Adjust hardhat compiler version to match solidity version that we lock to
• Move to yarn? We use this for all other project
• Ensure all contracts are fully commented
• Improve error handling - revert should be specific to case that causes revert
• Deployment Checklist(set env variables, contract owners, verifiers, etc..)