Audit Engagement Checklist for Smart Contract Auditors
A complete audit methodology checklist covering every phase of a professional smart contract security review—from initial scoping to final report delivery. Used by top audit firms.
Smart Contract Auditor64 items Updated May 17, 2026
0 of 64 complete (0%)
Pre-Engagement Phase
Initial scoping and preparation before the audit begins.
Architecture Review
High-level analysis of system design and threat model.
Manual Code Review
Line-by-line analysis of contract code.
Automated Analysis
Tool-assisted vulnerability detection.
DeFi-Specific Checks
Protocol-specific vulnerability patterns.
Integration Testing
Testing contract interactions with external systems.
Finding Documentation
Recording and classifying discovered issues.
Report Delivery
Finalizing and delivering the audit report.
Pro Tips
Build a personal vulnerability checklist: Maintain your own list of patterns based on past audits and public exploits. Update it after every engagement.
Read the code multiple times with different lenses: First pass for understanding, second for logic errors, third for edge cases, fourth for economic attacks.
Always question trust assumptions: Admin keys get compromised, oracles fail, external protocols get hacked. Test what happens when trusted components misbehave.
Write PoCs for every medium+ finding: A working exploit removes all doubt about severity and helps clients prioritize fixes.
Study past exploits weekly: Follow rekt.news, DeFiHackLabs, and post-mortems. Most vulnerabilities are variations of known patterns.