Actually, the best practice is not writing your own code and instead using thoroughly audited industry standards. Writing your own smart contracts for things that other people have already done and secured is akin to rolling your own cryptography. Obviously, just as has happened with OpenSSL on the cryptography side, this can also go wrong, but it's less likely.
If you write your own, you should get your code audited by a specialist, or several, before deploying.
So many things are wrong with that; it's the cryptocurrency equivalent of installing random software packages on your critical servers.