The Smart Contract Audit Checklist We Run Internally
Before any external audit, we run this internal pass — covering access control, economic exploits, and upgrade safety.
Why internal passes come first
External auditors are expensive and finite. Sending them a codebase full of missing access modifiers wastes their time and your budget. Our internal checklist removes entire vulnerability classes before the first kickoff call.
It also creates shared language between protocol engineers and security reviewers so findings map to known categories instead of vague unease.
Access control and privilege edges
Enumerate every privileged function: upgrades, pauses, parameter changes, oracle setters, and rescue methods. Confirm least privilege, timelocks where appropriate, and no leftover debug backdoors.
Check initialisation patterns on proxies. Uninitialised implementations and front-runnable initialisers still appear in otherwise mature codebases.
Economic and oracle exploits
Model flash-loanable markets, donation attacks, and rounding asymmetries. Ask whether an attacker can force insolvency or extract value by manipulating a single external call.
Oracle assumptions deserve their own threat section. Stale prices, spot manipulation, and decimal mismatches are recurring root causes.
Upgrade and operational safety
Review storage layouts, upgrade authority, and emergency procedures. A perfect contract with an unsafe admin key is not secure.
Ship the checklist results with the audit package: known risks, test coverage maps, and invariant suites. Auditors catch more when you have already been honest about what worries you.
Checklist items we never skip
Reentrancy on value movement, CEI compliance, ERC-20 oddities, signature replay, and block.timestamp dependence all get explicit yes/no review. Ambiguous answers become tickets before mainnet.
Treat the checklist as living documentation. Every incident or near-miss adds a row so the organisation compounds security learning.
David Kim
Cloud Architect
Cloud architect specialising in Kubernetes, multi-tenant SaaS, and secure blockchain systems.