This checklist covers common vulnerabilities and issues to watch out for when conducting smart contract security audits. It compiles patterns seen in auditing contests and real-world assessments.
- Code commented clearly
- Comments match implementation
- Natspec comments exist
- Design decisions explained
- Current Solidity version used
- Linter warnings addressed
- Formatting consistent
- Code modularized into readable functions
- Follows standards like ERC20
- Behaviors match specifications
- Inputs/outputs as expected
- Events emitted properly
- Tokens minted/burned correctly
- Arithmetic accurate
- Roles defined properly
- Role authorization checked
- Ownership transfers protected
- Visibility specifiers used correctly
- Input types checked
- Input bounds checked
- Input encoding verified
- Proper handling of errors
- Front-running protection
- Reentrancy issues checked
- Checks for arithmetic under/overflow
- Flash loan protections in place
- Block values validated
- Protection against malicious governance
- Expected behavior with inherited contracts
- Proper handling of native token transfers
- Risks from composability with untrusted contracts
- Checks on integrated contract integrity