
Smart Contract Audit Checklist

A complete checklist for auditing smart contracts: reentrancy, access control, integer overflow, oracle manipulation, flash loan attacks, and best practices.


    Why Audit Smart Contracts?

    Smart contracts are immutable once deployed and often manage significant financial value. A single vulnerability can lead to catastrophic losses — the DAO hack ($60M), Wormhole bridge exploit ($320M), and Ronin bridge hack ($620M) are stark reminders. A systematic audit checklist helps ensure no common vulnerability class is overlooked.

    Reentrancy

    Reentrancy occurs when a contract makes an external call before updating its state, allowing the called contract to re-enter and drain funds. The classic defense is the Checks-Effects-Interactions pattern.

    • Follow CEI: validate inputs, update state, then make external calls
    • Use OpenZeppelin's ReentrancyGuard for critical functions
    • Watch for cross-function and cross-contract reentrancy
    • Be aware of read-only reentrancy via view functions

    Access Control

    Improper access control is one of the most common vulnerability classes. Every privileged function must have explicit authorization checks.

    • Use role-based access control (RBAC) via AccessControl
    • Verify onlyOwner / onlyRole on all admin functions
    • Check for missing access control on selfdestruct, delegatecall, and proxy upgrade functions
    • Implement two-step ownership transfers

    Integer Overflow/Underflow

    Solidity 0.8+ has built-in overflow checks, but unchecked blocks and assembly bypass them. Always verify arithmetic in critical paths.

    • Review all unchecked blocks for intentional overflow
    • Check division by zero scenarios
    • Verify precision loss in fixed-point arithmetic
    • Watch for truncation in type casting (uint256 to uint128)

    Oracle Manipulation

    Price oracles are critical infrastructure for DeFi. Spot price manipulation via flash loans is a common attack vector.

    • Never use spot prices from DEXs (easily manipulated in a single tx)
    • Use Chainlink or TWAP oracles with sufficient observation periods
    • Implement price deviation checks and circuit breakers
    • Consider multi-oracle approaches for critical operations

    Flash Loan Attacks

    Flash loans allow borrowing unlimited capital within a single transaction. Any protocol relying on token balance or spot price within a single block is vulnerable.

    • Identify all balance-dependent logic
    • Use time-weighted values instead of instantaneous readings
    • Implement borrow-repay atomicity checks where appropriate
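
    The oracle and flash-loan items above, as an added example that is not part of the original article: a Python model of a fee-less constant-product pool, showing that a large swap inside one transaction moves the spot price but not a TWAP, that a short observation window weakens the TWAP, and how a deviation check rejects the skewed reading. All reserves and amounts are constructed, and the names Pool, scenario, twap and within_deviation are hypothetical.

```python
# Added example: x*y=k pool model; all reserves and amounts are constructed.
from dataclasses import dataclass

@dataclass
class Pool:
    token: float             # TOKEN reserve
    usd: float               # USD reserve
    cumulative: float = 0.0  # running sum of spot price * seconds
    last_ts: int = 0

    def spot(self) -> float:
        return self.usd / self.token

    def observe(self, ts: int) -> tuple[int, float]:
        """Credit the elapsed seconds at the price that held, return a snapshot."""
        self.cumulative += self.spot() * (ts - self.last_ts)
        self.last_ts = ts
        return ts, self.cumulative

    def swap_usd_in(self, usd_in: float) -> float:
        """Fee-less constant-product swap; returns the TOKEN amount paid out."""
        k = self.token * self.usd
        self.usd += usd_in
        out = self.token - k / self.usd
        self.token -= out
        return out

def twap(old, new) -> float:
    """Time-weighted average price between two (timestamp, cumulative) snapshots."""
    return (new[1] - old[1]) / (new[0] - old[0])

def within_deviation(price, reference, max_dev=0.05) -> bool:
    """Circuit-breaker predicate: False when price strays too far from reference."""
    return abs(price - reference) / reference <= max_dev

def scenario(window: int, held_seconds: int):
    """Skew the pool, hold the skew for held_seconds, return (spot, TWAP over window)."""
    pool = Pool(token=1000.0, usd=1_000_000.0)   # spot = 1000 USD per TOKEN
    start = pool.observe(0)
    pool.observe(window - held_seconds)          # undisturbed trading period
    pool.swap_usd_in(3_000_000.0)                # constructed large swap
    end = pool.observe(window)
    return pool.spot(), twap(start, end)

if __name__ == "__main__":
    for window, held in [(1800, 0), (1800, 12), (60, 12)]:
        spot, avg = scenario(window, held)
        print(f"window={window}s held={held}s spot={spot:.0f} twap={avg:.0f} "
              f"spot_accepted={within_deviation(spot, avg)}")
```

    With the skew held for 12 seconds, the 1800-second window reports a 10% shift while the 60-second window reports a fourfold one, which is why the observation period has to be sized against how long a skewed price can persist.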

    Gas Optimization vs Security

    Gas optimization should never compromise security. Common pitfalls include removing SafeMath checks (pre-0.8), using unchecked without careful analysis, and skipping zero-address checks to save gas.

    Audit Process Checklist

    1. Scope definition: identify all contracts, dependencies, and deployment configuration
    2. Architecture review: understand the system design and trust assumptions
    3. Line-by-line review: examine every function for the vulnerability classes above
    4. Automated tooling: run Slither, Mythril, and Echidna for fuzzing
    5. Test coverage: verify edge cases, boundary conditions, and failure modes
    6. Economic analysis: model attack economics and MEV scenarios
    7. Report and remediation: document findings with severity and provide fixes