30 Common Mistakes Smart Contract Auditors Make
Even experienced auditors make mistakes that can lead to missed vulnerabilities or inaccurate reports. Learn from these common pitfalls to improve your audit quality.
Preparation Mistakes
Errors made before the actual code review begins.
Not reading the documentation first
Jumping straight into code without understanding intended behavior leads to false positives and missed business logic bugs.
What happens: Miss context-dependent vulnerabilities
Fix: Spend first 10-15% of audit time on docs, specs, and similar protocol audits.
Unclear scope definition
Starting without clear scope leads to wasted time on out-of-scope contracts or missing in-scope dependencies.
What happens: Inefficient time use and missed vulnerabilities
Fix: Get explicit scope confirmation in writing before starting any code review.
Skipping automated tool runs
Not running Slither, Mythril, or other tools because you think manual review is sufficient.
What happens: Miss low-hanging fruit that tools catch instantly
Fix: Always run automated tools first. They catch issues you might overlook.
Not setting up the local environment
Reviewing code without being able to run tests or write PoCs limits vulnerability verification.
What happens: Cannot verify findings with proof of concept
Fix: Clone repo and get tests passing before deep code review.
Underestimating audit time needed
Accepting tight deadlines leads to rushed reviews and missed vulnerabilities.
What happens: Incomplete audit coverage
Fix: Use realistic time estimates. Complex DeFi needs 1000+ lines per day is aggressive.
Technical Mistakes
Errors in vulnerability identification and analysis.
Focusing only on code, not economics
Missing economic exploits because you only look for code bugs, not incentive manipulation.
What happens: Miss profitable exploits that don't require code bugs
Fix: Model economic attacks. Ask: how would someone profit from manipulating this?
Missing cross-contract reentrancy
Only checking for single-contract reentrancy when the protocol has multiple interacting contracts.
What happens: Miss complex reentrancy paths
Fix: Map all external calls and check if any can re-enter other protocol contracts.
Ignoring external dependencies
Not reviewing how the contract interacts with external protocols like Uniswap, Aave, or Chainlink.
What happens: Miss integration vulnerabilities
Fix: Review external call assumptions. Check for edge cases in integrated protocols.
Not testing edge cases
Only testing happy path scenarios without considering zero values, max values, or empty arrays.
What happens: Miss boundary condition bugs
Fix: Systematically test all boundary conditions in critical functions.
Misunderstanding protocol assumptions
Making incorrect assumptions about how the protocol should work without verifying with the team.
What happens: False positives that waste everyone's time
Fix: When unsure, ask the team. Document assumptions in your notes.
Missing read-only reentrancy
Not considering that view functions can return stale data during reentrancy.
What happens: Miss reentrancy that affects external protocols
Fix: Check if other protocols read state during external calls.
Analysis Mistakes
Errors in vulnerability assessment and severity rating.
Incorrect severity assessment
Rating findings too high or too low damages credibility and prioritization.
What happens: Team ignores valid findings or panics over minor issues
Fix: Use consistent severity framework. High/Critical requires fund loss or protocol break.
Not writing proof of concept
Reporting theoretical vulnerabilities without proving they're exploitable.
What happens: Invalid findings that cannot be reproduced
Fix: Write PoC for all medium+ findings. If you cannot exploit it, reconsider.
Missing the root cause
Reporting symptoms rather than underlying vulnerability leads to incomplete fixes.
What happens: Fix addresses symptom but root cause remains exploitable
Fix: Always identify why the vulnerability exists, not just what it does.
Duplicate findings from different angles
Reporting the same underlying issue multiple times as separate findings.
What happens: Inflated finding count, wastes team time reviewing duplicates
Fix: Before adding finding, check if it shares root cause with existing finding.
Missing attack prerequisites
Not clearly stating what conditions must exist for the attack to succeed.
What happens: Overstated severity or invalid findings
Fix: Document all prerequisites: timing, capital, permissions, market conditions.
Ignoring gas costs in attack profitability
Reporting attacks that are unprofitable after gas costs are considered.
What happens: Invalid economic exploits
Fix: Calculate full attack cost including gas and flash loan fees.
Report Writing Mistakes
Errors in documenting and communicating findings.
Unclear vulnerability descriptions
Writing descriptions that only make sense to you, not the development team.
What happens: Team cannot understand or fix the issue
Fix: Write for developers who did not audit. Include context and clear steps.
Missing code references
Not including specific line numbers and file paths for vulnerable code.
What happens: Team cannot locate the vulnerable code
Fix: Include file path, line numbers, and relevant code snippets.
Vague recommendations
Suggesting fixes like 'add validation' without specifying what validation.
What happens: Team implements incomplete fix
Fix: Provide specific, implementable fix recommendations with code examples.
Not explaining impact clearly
Technical description without business impact leaves team unsure how to prioritize.
What happens: Critical issues may be deprioritized
Fix: Always explain: what can attacker do, how much can they steal, what breaks.
Forgetting to verify fixes
Not reviewing the fixes implemented for your findings.
What happens: Incomplete or incorrect fixes deploy to mainnet
Fix: Review all fix commits. Verify root cause addressed, not just symptom.
Poor report organization
Dumping findings without logical organization or executive summary.
What happens: Stakeholders cannot quickly understand risk exposure
Fix: Include executive summary, group by severity, provide statistics.
Process Mistakes
Workflow and professional conduct errors.
Working in isolation without team discussion
Not discussing potential findings with other auditors leads to missed insights.
What happens: Lower quality audit, duplicate efforts
Fix: Schedule regular sync calls. Discuss interesting code paths and potential issues.
Not tracking time per area
Spending too much time on one area while neglecting others.
What happens: Uneven coverage leaves blind spots
Fix: Track time spent per contract or area. Ensure balanced coverage.
Disclosing vulnerabilities inappropriately
Sharing findings publicly before the team has patched.
What happens: Enable exploits, damage reputation, potential legal issues
Fix: Follow responsible disclosure. Never share details until fixed.
Not maintaining finding database
Each audit starts from scratch without leveraging patterns from past audits.
What happens: Slower audits, repeated mistakes
Fix: Maintain personal database of finding patterns and vulnerable code patterns.
Skipping the retest phase
Assuming fixes are correct without verification.
What happens: Broken or incomplete fixes go to production
Fix: Always verify fixes address root cause and don't introduce new issues.
Ignoring test coverage gaps
Not reviewing what tests exist and what code paths remain untested.
What happens: Critical paths may be untested, hiding bugs
Fix: Review test coverage. Flag untested code as higher risk.
Missing cross-protocol interactions
Auditing in isolation without considering how other protocols might interact.
What happens: Composability attacks missed
Fix: Consider flash loan attack vectors and other protocol interactions.
Not tracking previous audits
Failing to review findings from previous audits of the same protocol.
What happens: Re-introducing old vulnerabilities or missing recurring patterns
Fix: Always request and review previous audit reports.
Tips from the field
- 1.
Keep a checklist of common vulnerabilities and check each one explicitly. Do not rely on memory.
- 2.
Take breaks. Auditor fatigue causes missed findings. Fresh eyes catch more bugs.
- 3.
Build relationships with protocol teams. Good communication improves audit quality for everyone.
- 4.
Study every post-mortem. When a protocol gets exploited, understand exactly what the auditors missed.
- 5.
Contribute to open-source security tools. Building tools deepens your understanding of vulnerability patterns.