Technology Insights

Smart Contract Audit Checklist: 15 Things Every Project Must Verify

The 15 things every project must verify before deploying a smart contract, from reentrancy and access control to oracle integrity, upgradeability, and post-launch monitoring.

Direlli Team
7 min read
Smart Contract Audit Checklist: 15 Things Every Project Must Verify
Smart ContractsBlockchainSecurityWeb3AuditDeFiSolidity

A smart contract audit is a systematic security review of on-chain code before it controls real value. A thorough audit checklist spans three layers: code-level vulnerabilities (reentrancy, access control, arithmetic), economic and governance logic (oracle integrity, tokenomics, upgradeability), and process maturity (test coverage, dependencies, monitoring). Below are the 15 things every project must verify before mainnet deployment, written for founders and CTOs who need to know what "audited" actually means.

Why does a smart contract audit checklist matter?

Unlike traditional software, deployed smart contracts are immutable, publicly visible, and often custody funds directly. A single missed edge case can be exploited within minutes of launch, and there is no quiet patch-and-redeploy safety net. A checklist turns a vague promise of "we'll audit it" into a verifiable, repeatable standard. It also gives non-technical stakeholders a way to hold auditors accountable and to compare quotes on substance rather than price alone.

Use this list two ways: as a readiness gate before you commission an external review, and as a scorecard for grading the audit report you receive.

The 15-point smart contract audit checklist

Code-level security (items 1-6)

  1. Reentrancy protection. Confirm the code follows the checks-effects-interactions pattern and uses reentrancy guards around external calls. Ask specifically about modern variants such as cross-function and read-only reentrancy, which slip past naive single-function guards and have caused real losses.
  2. Access control and privilege management. Every privileged function (minting, pausing, upgrading, withdrawing) should be gated by explicit, well-scoped roles. Verify that admin powers sit behind a multisig or timelock rather than a single externally owned account with an unrecoverable key.
  3. Arithmetic safety. Ensure the contract relies on Solidity 0.8+ built-in overflow checks or a vetted math library, and that any unchecked block is deliberate and justified. Watch for rounding directions that consistently favor the protocol or, worse, an attacker draining dust over many calls.
  4. Safe external calls and token handling. Return values of low-level calls and token transfers must be checked, not assumed. Non-standard ERC-20 tokens (fee-on-transfer, rebasing, missing return values) routinely break integrations that were only tested against "nice" tokens.
  5. Denial-of-service resistance. Look for unbounded loops over user-controlled arrays, functions that a single reverting participant can permanently brick, and gas-griefing vectors. A contract anyone can freeze is as dangerous as one that leaks funds.
  6. Secure randomness. On-chain values like block.timestamp and blockhash are predictable and manipulable by validators. Any lottery, mint order, or reward logic that needs randomness should draw from a verifiable source such as a VRF (for example, Chainlink VRF) rather than block data.

Economic and protocol logic (items 7-11)

  1. Oracle and price-feed integrity. If your contract reads external prices, verify resistance to flash-loan-driven manipulation. Time-weighted average prices (TWAPs), reputable decentralized oracle networks, and sanity bounds are common mitigations. A single-block spot price from a low-liquidity pool is a red flag.
  2. Front-running and MEV exposure. Because pending transactions are public, sensitive operations can be sandwiched or front-run. Check for slippage protection, minimum-output parameters, and commit-reveal schemes wherever ordering affects outcomes.
  3. Business logic and invariants. The subtlest bugs are not syntax errors but broken economic assumptions: fees that can be bypassed, collateral ratios that can be gamed, or accounting that drifts over time. A strong audit states the protocol's core invariants and demonstrates they always hold.
  4. Upgradeability and proxy safety. If you use proxies, verify storage-layout compatibility across versions, correct initializer protection (no re-initialization), and tight control of the upgrade key. Upgradeability is a powerful feature and a large attack surface at the same time.
  5. Governance and timelocks. For DAOs and configurable protocols, confirm that parameter changes pass through a timelock so users can exit before a malicious or mistaken change takes effect, and that voting cannot be cheaply captured through borrowed or flash-loaned voting power.

Process and operational maturity (items 12-15)

  1. Test coverage and fuzzing. Ask for the coverage report. Beyond unit tests, mature teams use invariant and fuzz testing (Foundry, Echidna) to explore states a human reviewer would never enumerate by hand. Low coverage almost always correlates with undiscovered bugs.
  2. Dependency and library hygiene. Verify that third-party libraries are pinned to specific, audited versions (for example, current OpenZeppelin releases) and that no known-vulnerable versions remain. Supply-chain risk is real on-chain too.
  3. Documentation and specification match. The code should do what the whitepaper and NatSpec comments say it does. Gaps between intended and actual behavior are exactly where both auditors and attackers find issues.
  4. Post-deployment monitoring and incident response. An audit is a snapshot, not a guarantee. Confirm you have a pause or circuit-breaker mechanism, on-chain monitoring and alerting, a bug bounty program, and a documented plan for what happens when something goes wrong.

When should you audit a smart contract?

Audit before any mainnet deployment that touches value, and re-audit after any material code change, not just at launch. Because fixes get more expensive the later they are found, the most cost-effective approach is to design for auditability from day one and run internal reviews continuously. Teams shipping smart contract development work on blockchain development platforms should treat security as a phase of engineering, not a checkbox at the end.

How do you choose a smart contract auditor?

  • Relevant track record. Favor auditors who have reviewed protocols similar to yours (DeFi, NFTs, bridges, gaming) over pure generalists.
  • A clear methodology. A credible firm can explain its process: manual review, automated analysis, fuzzing, and a documented severity model.
  • An actionable report. Good reports classify findings by severity, explain impact and likelihood, give concrete remediation guidance, and include a re-review after fixes.
  • Independence. The people who wrote the code should not be the only people reviewing it. A second, independent set of eyes is the entire point.

Professional smart contract audits combine automated tooling with deep manual review, because the highest-severity issues are usually logic flaws that scanners cannot catch.

Frequently asked questions

How much does a smart contract audit cost?

Cost varies widely with scope, code size, and complexity. A small, single-contract review is far cheaper than auditing a multi-contract protocol with upgradeable proxies and external integrations. Rather than anchoring on a headline figure, ask what the price includes: manual review depth, fuzzing, a re-audit of fixes, and turnaround time. Engaging a senior team at competitive rates, such as Armenia-based delivery, can meaningfully improve value without cutting rigor.

How long does an audit take?

Timelines typically range from a few days for a very small contract to several weeks for a complex protocol, plus additional time for the fix-and-re-review cycle. Rushed audits are a false economy; build the schedule into your launch plan early.

Does an audit guarantee my contract is safe?

No. An audit substantially reduces risk but cannot prove the absence of all bugs, especially novel economic exploits. Treat it as one layer alongside thorough testing, a bug bounty, monitoring, and a tested incident-response plan.

Can I skip a formal audit if my code uses audited libraries?

Using audited libraries like OpenZeppelin is good practice, but your specific composition and business logic are unique and unreviewed. Most exploits target the custom logic that connects trusted building blocks, so a project-specific audit is still essential.

How Direlli can help

Direlli provides blockchain and Web3 engineering with a security-first approach, from architecture and smart contract development through independent review and post-launch monitoring. Rated 5.0 on Clutch and working with founders and teams internationally, our senior engineers help you ship on-chain products that hold up under real economic pressure. Contact us to scope an audit or stand up a dedicated blockchain team.

Back to Blog
Enjoyed this article?

Ready to Transform Your Business?

Let's discuss how our expertise can help you achieve your goals.

Get in Touch