- Download the code
- Read the documentation
- Run CLOC to get the metrics (lines of code and number of contracts), then rank the contracts by complexity
- Take notes in the code itself during the manual review
- Don't fall into the rabbit hole (move on to other files once you have spent enough time on one)
- Ask the people who wrote the contract (not always feasible)
- Read vulnerability reports, responsible disclosures and newsletters
- Write a comprehensive audit report
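The CLOC-and-rank step above, as an added example that is not part of the original notes: a small Python script that approximates the line-count and unit-count metrics and ranks files by a rough complexity score so the most branch-heavy contracts get manual review first. It does not call the real `cloc` tool, and the Solidity snippets (`Token.sol`, `Vault.sol`, `Math.sol`) are constructed for the demonstration, not taken from any project.

```python
"""Size and complexity triage for Solidity sources (added example).
Approximates the 'CLOC, then rank by complexity' step in plain Python;
the Solidity snippets below are constructed sample input."""
import re
from dataclasses import dataclass

# Constructed sample contracts (hypothetical, not from any real project).
SAMPLE_FILES = {
    "Token.sol": """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/* Minimal token: sample input only. */
contract Token {
    mapping(address => uint256) public balances;

    function transfer(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
""",
    "Vault.sol": """\
pragma solidity ^0.8.0;

interface IToken {
    function transfer(address to, uint256 amount) external;
}

contract Vault {
    IToken public token;
    address public owner;
    mapping(address => uint256) public deposits;

    function sweep(address[] calldata users) external {
        if (msg.sender != owner) {
            revert("not owner");
        }
        for (uint256 i = 0; i < users.length; i++) {
            if (deposits[users[i]] > 0 && users[i] != address(0)) {
                token.transfer(owner, deposits[users[i]]);
            }
        }
    }
}
""",
    "Math.sol": """\
pragma solidity ^0.8.0;

library Math {
    function min(uint256 a, uint256 b) internal pure returns (uint256) {
        return a < b ? a : b;
    }
}
""",
}

# Declarations that start a reviewable unit, and decision points that add branches.
DECL_RE = re.compile(r"^\s*(?:abstract\s+)?(?:contract|library|interface)\s+\w+", re.M)
DECISION_RE = re.compile(r"\b(?:if|for|while|require|assert|revert)\b|&&|\|\|")
FUNCTION_RE = re.compile(r"\bfunction\b")


@dataclass
class Metrics:
    name: str
    code_lines: int   # non-blank lines after comment stripping
    contracts: int    # contract/library/interface declarations
    complexity: int   # rough cyclomatic-style score


def strip_comments(src: str) -> str:
    """Drop /* */ and // comments (markers inside string literals are not special-cased)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def measure(name: str, src: str) -> Metrics:
    code = strip_comments(src)
    code_lines = sum(1 for line in code.splitlines() if line.strip())
    # One point per function plus one per decision point: crude, but enough to order files.
    complexity = len(FUNCTION_RE.findall(code)) + len(DECISION_RE.findall(code))
    return Metrics(name, code_lines, len(DECL_RE.findall(code)), complexity)


def rank(files: dict) -> list:
    """Most complex first; ties broken by size, then name, so the order is stable."""
    metrics = [measure(n, s) for n, s in files.items()]
    return sorted(metrics, key=lambda m: (-m.complexity, -m.code_lines, m.name))


if __name__ == "__main__":
    print(f"{'file':<12}{'code':>6}{'units':>7}{'cx':>5}")
    for m in rank(SAMPLE_FILES):
        print(f"{m.name:<12}{m.code_lines:>6}{m.contracts:>7}{m.complexity:>5}")
```

Point `SAMPLE_FILES` at real sources read from disk and the table becomes the ordering for the manual review; the score is deliberately crude, so treat it as a triage aid rather than a measure of risk.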