Checklist Blockchain v2.0 · Updated December 2024

Smart Contract Audit Checklist - What We Check Before Mainnet

68 items across six vulnerability classes - the things static analysis tools miss and auditors expect you to have already found.


We've sent contracts to four external audit firms over the past two years. Every one of them has made the same observation: the quality of the pre-audit preparation matters as much as the auditors' expertise. Firms that spend the first two days of an engagement on Slither-level findings are burning audit budget on work that your own tooling should have caught before kickoff. This checklist is what we gate-check before telling an auditor a codebase is ready. It doesn't replace an expert review. It means the expert review can spend its time on the genuinely hard problems.

What's inside

The document is structured into 6 sections. Each is self-contained - you can use individual sections as standalone references or work through the document in sequence.

01
Reentrancy & call ordering (12 items)
The checks-effects-interactions pattern verification, cross-function reentrancy mapping, read-only reentrancy risk assessment for contracts whose state is consumed by external protocols, and the ReentrancyGuard deployment decisions that matter.
02
Access control (14 items)
Every public and external function visibility audit, two-step ownership transfer verification, constructor argument validation, role separation assessment, and the timelock configuration requirements for high-impact admin functions.
03
Arithmetic safety (10 items)
Unchecked block justification, division ordering, rounding direction for fee calculations, SafeCast usage, timestamp dependency assessment, and the specific patterns that pass Slither but still cause arithmetic bugs in production.
04
Oracle & price feed safety (11 items)
Spot price vs TWAP assessment for security-critical decisions, Chainlink staleness and zero-price handling, minAnswer/maxAnswer circuit breaker case testing, and the secondary source validation requirements that protect against single-oracle failure.
05
Upgradeability & storage layout (9 items)
Storage layout compatibility verification across upgrade cycles, storage gap presence in base contracts, initializer re-call protection, and the upgrade function access control and timelock requirements that are easy to miss during rapid development.
06
Testing & tooling (12 items)
Slither full detector suite completion, Mythril on fund-handling contracts, 100% line and branch coverage requirements, revert path test coverage, fuzz test requirements for numeric inputs, invariant test setup for solvency properties, and fork test requirements for external protocol integrations.
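To make section 04 concrete, the consumer below (an added example, not code from the checklist) applies the three oracle checks it names: zero-price rejection, staleness against a per-feed maximum age, and refusing an answer pinned at the aggregator's minAnswer/maxAnswer circuit-breaker bounds. It assumes the proxy exposes `aggregator()` and the underlying OCR aggregator exposes `minAnswer()`/`maxAnswer()` as on Chainlink's public ABI, and that `maxAge` is set per feed from its documented heartbeat.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces; names follow the public Chainlink ABI but are redeclared here (assumption).
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}
interface IAggregatorProxy { function aggregator() external view returns (address); }
interface IOffchainAggregator {
    function minAnswer() external view returns (int192);
    function maxAnswer() external view returns (int192);
}

contract OracleConsumer {
    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error AnswerAtCircuitBreaker(int256 answer, int192 minAnswer, int192 maxAnswer);

    IAggregatorV3 public immutable feed;
    // Assumed per-feed tolerance: the feed's documented heartbeat plus a small margin.
    uint256 public immutable maxAge;

    constructor(address feed_, uint256 maxAge_) {
        feed = IAggregatorV3(feed_);
        maxAge = maxAge_;
    }

    /// @notice Price scaled to 18 decimals; reverts on every failure mode rather than returning a bad number.
    function safePrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();

        // Zero or negative answer: never treat it as "free" or "worthless"; refuse to price.
        if (answer <= 0) revert InvalidPrice(answer);
        // Staleness: updatedAt == 0 means no round completed; older than maxAge means the feed may be stuck.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);

        // Circuit breaker: an answer pinned at minAnswer/maxAnswer is a clamped value, not a market price
        // (the asset moved outside the aggregator's accepted band), so it must not be used as one.
        IOffchainAggregator agg = IOffchainAggregator(IAggregatorProxy(address(feed)).aggregator());
        (int192 lo, int192 hi) = (agg.minAnswer(), agg.maxAnswer());
        if (answer <= int256(lo) || answer >= int256(hi)) revert AnswerAtCircuitBreaker(answer, lo, hi);

        // Assumes feed.decimals() <= 18 (assumption); otherwise the checked subtraction reverts.
        return uint256(answer) * 10 ** (18 - feed.decimals());
    }
}
```

Newer feeds often set minAnswer/maxAnswer to values that never bind, so the bounds check is a no-op there; it still catches older aggregators where a depeg can pin the answer at the band edge.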

What this doesn't cover

This checklist covers EVM-compatible contracts written in Solidity. It does not cover Vyper-specific patterns, Rust/Solana contracts, or Move-based chains. It also does not cover economic exploit surface (flash loan attack vectors, AMM manipulation) beyond oracle safety - that analysis requires protocol-specific threat modelling rather than a generic checklist.

Who this is for

Solidity developers preparing a contract for external audit
Engineering leads running internal security reviews before engaging an audit firm
Teams participating in competitive audits (Code4rena, Sherlock) who want to clean up obvious findings before submission
Security engineers building internal pre-audit processes for a blockchain engineering team

How it was built

Used on every smart contract engagement Sequere has run since 2023. Informed by four external audits with Trail of Bits, Halborn, and Code4rena, and by internal reviews of contracts protecting over $40M in on-chain value. Updated December 2024 to include Foundry invariant test patterns and Aderyn static analysis.

Every resource Sequere publishes is written by the engineers who ran the actual engagement - not by a content team working from secondhand notes. The trade-off is that we publish less frequently. The benefit is that the specifics are real.


If you use this resource on a real project and have feedback - things that were missing, out of date, or wrong - we want to hear it. Every update to this document has come from people who used it in production.