Audit Engagement Checklist for Smart Contract Auditors

Document all contracts in scope, lines of code, and expected deliverables. Clarify what's out of scope.

Collect whitepapers, architecture docs, previous audits, and design specifications from the client.

List all oracles, external protocols, and third-party contracts the system interacts with.

Set up secure channels for questions, findings disclosure, and progress updates.

Study any prior audits to understand historical issues and verify fixes.

Clone repo, install dependencies, ensure all tests pass, set up debugging tools.

Discuss critical properties that must always hold—these become primary audit targets.

Document what roles are trusted, what external systems are trusted, and failure assumptions.

Diagram inheritance relationships and identify diamond/multiple inheritance issues.

Document all privileged roles, their capabilities, and how permissions can change.

Analyze proxy patterns, upgrade timelock, and storage collision risks.

Document all cross-contract calls and potential reentrancy entry points.

Understand token flows, fee mechanisms, and economic invariants.

Analyze price feed sources, staleness handling, and manipulation resistance.

Map all possible states and valid transitions for stateful contracts.

Document admin keys, multisig requirements, and potential single points of failure.

Analyze each entry point for input validation, access control, and state changes.

Follow all value transfers to verify accounting accuracy and prevent fund loss.

Check for overflow/underflow, rounding errors, and precision loss.

Identify unbounded loops that could cause DoS via gas exhaustion.

Verify CEI pattern or reentrancy locks on all external calls.

Check for slot collisions in upgradeable contracts and packed struct issues.

Verify appropriate use of require/revert, custom errors, and error messages.

Verify all state changes emit appropriate events for off-chain tracking.

Execute static analysis tools and triage all findings.

Use symbolic execution to explore edge cases and constraint violations.

Set up Echidna or Foundry fuzzing with property-based tests.

Use Certora or Halmos for critical invariant verification.

Identify expensive operations and suggest optimizations.

Ensure test suite covers all branches and edge cases.

Check imported libraries for known vulnerabilities.

Check Solidity version, optimizer settings, and via-IR usage.

Attempt price manipulation, governance attacks, and liquidity drainage via flash loans.

Test TWAP effectiveness, multi-oracle fallbacks, and manipulation costs.

Identify sandwich attack vectors, frontrunning opportunities, and backrunning risks.

Verify liquidation thresholds, incentives, and cascade prevention.

Test utilization curves, rate jumps, and economic stability.

Verify deadline parameters, minimum output amounts, and price bounds.

Check first depositor attacks, rounding exploits, and share inflation.

Test vote buying, flash loan voting, and proposal spam attacks.

Run integration tests against forked mainnet state with real protocol data.

Test message passing, finality assumptions, and bridge failure handling.

Simulate stale prices, oracle downtime, and manipulation attempts.

Test storage migrations, initialization, and rollback scenarios.

Verify pause mechanisms, emergency withdrawals, and circuit breakers.

Test interactions with other DeFi protocols and potential conflicts.

Verify critical functions work within block gas limits during high gas periods.

Test keeper bots, relayers, and off-chain computation correctness.

Use consistent severity ratings: Critical, High, Medium, Low, Informational.

Provide PoC code or step-by-step instructions to reproduce each finding.

Describe worst-case scenarios, affected users, and potential fund loss.

Suggest specific code changes or architectural improvements.

Reference similar past exploits, documentation, or security guidelines.

Maintain status tracking: Open, Acknowledged, Fixed, Won't Fix.

Note any factors that reduce severity or exploitability.

Link findings that share root causes or have combined impact.

Have findings reviewed by another auditor before client delivery.

Review all fixes and confirm they address the root cause without introducing new issues.

Mark all findings as Fixed, Partially Fixed, Acknowledged, or Disputed.

Summarize overall security posture, key risks, and recommendations.

Clearly state scope boundaries, time constraints, and what wasn't reviewed.

Suggest monitoring, incident response, and post-deployment security measures.

Review findings with client team and answer technical questions.

Securely store PoCs, notes, and tooling output for future reference.