DeFi Code Review Checklist

Check compound interest formulas, accrual frequency, and precision handling.

Verify share/asset conversions. Look for rounding direction vulnerabilities.

Verify fee percentages, recipients, and collection timing.

Check liquidation thresholds, LTV calculations, and health factor formulas.

Check reward accrual, claiming, and vesting calculations.

Review order of operations. Multiply before divide to preserve precision.

Verify slippage tolerance is applied correctly in swaps.

Verify handling of 6-decimal (USDC), 8-decimal (WBTC), and 18-decimal tokens.

Confirm stale price detection with appropriate thresholds per asset.

Assess if prices can be manipulated within a single transaction.

Verify TWAP window is long enough to resist manipulation.

Verify behavior when primary oracle fails or returns invalid data.

Ensure oracle prices are correctly scaled for calculations.

Verify answeredInRound >= roundId for fresh data.

Verify extreme price movements trigger protection mechanisms.

Assess if oracle updates create arbitrage or attack opportunities.

Verify liquidation incentives ensure positions are closed before underwater.

Check handling of insufficient liquidity for withdrawals.

Ensure interest rates respond appropriately to utilization.

Verify initial share minting doesn't allow share manipulation.

Check for donation attacks that inflate share value.

Check that protocol reserves are correctly accumulated.

Verify small amounts don't cause DoS or accounting issues.

Verify circuit breakers and emergency withdrawal paths.

Check if user transactions can be profitably sandwiched.

Identify transactions that leak profitable information.

Verify swaps/operations have expiration timestamps.

Confirm minimum output amounts are enforced correctly.

Check if liquidation ordering can be gamed for MEV.

Assess if just-in-time liquidity can exploit users.

Identify if large trades create backrunning value.

For sensitive operations, recommend Flashbots or similar.

Verify admin capabilities are documented and limited appropriately.

Sensitive parameters should have timelock delays.

Different functions should require different roles.

Check proxy patterns, storage layouts, and upgrade auth.

Verify pause scope, who can trigger, and unpause process.

Critical functions should require multiple signers.

Identify single points of failure or excessive admin power.

Admin-settable parameters should have sensible limits.

Verify CEI pattern or reentrancy guards on all external calls.

Check for approval race conditions and infinite approvals.

If implementing callbacks (flash loans), verify caller validation.

Document assumptions about integrated protocols.

If using flash loans, verify proper repayment and callback security.

Verify view functions can't be manipulated via reentrancy.

Check assumptions about external protocol behavior.

Check handling of fee-on-transfer, rebasing, and non-standard tokens.

New code should have comprehensive tests including edge cases.

Mathematical operations should be fuzz tested.

Complex user flows should have end-to-end tests.

Protocol invariants should be tested with property-based tests.

All public functions should have complete documentation.

PR should explain what changed and why.

High-frequency functions should be gas efficient.

State changes should emit appropriate events.