---
title: "Smart contract audit checklist · the one we actually use"
description: "Before you ship to mainnet, run this list. 30+ check items across threat model, tests, fuzz, deploy and monitor · the one we run on our own projects."
date: 2026-03-22
updated: 2026-03-22
author: "Dezső Mező"
tags: "Blockchain, Security, Solidity, Audit"
slug: smart-contract-audit-checklist
canonical: https://dfieldsolutions.com/blog/smart-contract-audit-checklist
---

# Smart contract audit checklist · the one we actually use

A checklist for the last days before mainnet: threat model, tests, fuzz, deploy, monitor · 30+ items we never skip.
A single re-entrancy bug cost $180M once. A single access-control miss zeroed out thousands of users. Blockchain doesn't forgive. This checklist is what we run on every project before the first mainnet transaction.

## I. Threat model (1-2 days)

- Economic actors: who profits from an exploit?
- Admin surface: what permissions exist, who controls them?
- Oracle dependencies: which oracle, what's the fallback?
- Flashloan surfaces: can the contract be manipulated within a single tx?
- MEV / front-running exposure.

## II. Test coverage

100% line coverage isn't the goal · the goal is a scenario test for every economic situation. Use Foundry or Hardhat, augmented with invariant tests.

```solidity
// Foundry invariant test: the sum of balances over every known holder == totalSupply.
import {Test} from "forge-std/Test.sol";
import {Treasury} from "../src/Treasury.sol"; // contract under test; path assumed
contract TreasuryInvariants is Test {
    Treasury treasury;
    address[] users; // must enumerate every address that can hold a balance
    function setUp() public {
        treasury = new Treasury(); // deployed in setUp, so the fuzzer targets it
        users.push(makeAddr("alice"));
        users.push(makeAddr("bob"));
    }
    function invariant_totalSupplyMatchesBalances() public {
        uint256 sum;
        for (uint256 i = 0; i < users.length; i++) {
            sum += treasury.balanceOf(users[i]);
        }
        assertEq(sum, treasury.totalSupply());
    }
}
```

## III. Fuzz campaign

- Echidna, 10M+ runs, with every property instrumented.
- Foundry fuzz on the edges of the parameter range.
- Special attention: reentrancy, overflow, access control, rounding.

## IV. Static analysis

- Slither · baseline net, but many false positives.
- Mythril symbolic execution, slower but deeper.
- Aderyn (Rust-based) · fast, modern.

## V. Manual review

Tools don't find every business-logic bug. Read the contracts line by line. Focus: state transitions, permissioning, rollback, migration. Four-eye principle · two independent reviewers.

## VI. Deploy pipeline

1. Local Anvil / Hardhat node: integration tests.
2. Testnet (Sepolia, Arbitrum Sepolia): ~2 weeks of traffic.
3. Canary mainnet: TVL cap, phased.
4. Full rollout, lifting the TVL cap in steps.

## VII. Onchain monitor

30-90 days of production monitoring: anomaly detection (flashloan patterns, TVL jumps, suspicious gas usage). Pager pipeline at threshold.
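What the three detectors named above look like as code, as an added example that is not part of the original post or of any project's monitoring stack: it runs over constructed block and transaction data (event names, gas figures and TVL values are made up), flags TVL jumps between consecutive blocks, flash-loan borrow/repay wrapped around calls into the monitored contract, and gas outliers, and pages once the alert count reaches a threshold.

```python
"""Constructed on-chain monitor: TVL jump, flash-loan pattern and gas outlier alerts."""
from statistics import median

# Constructed sample data (not real chain data): (block, TVL) snapshots and
# decoded transactions with the event names they emitted, in order.
TVL_BY_BLOCK = [(100, 1_000_000), (101, 1_010_000), (102, 400_000), (103, 405_000)]
TXS = [
    {"hash": "0xaaa", "block": 102, "gas_used": 2_900_000,
     "events": ["FlashLoan", "Withdraw", "Withdraw", "FlashLoanRepaid"]},
    {"hash": "0xbbb", "block": 103, "gas_used": 80_000, "events": ["Deposit"]},
    {"hash": "0xccc", "block": 103, "gas_used": 95_000, "events": ["Withdraw"]},
    {"hash": "0xddd", "block": 103, "gas_used": 70_000, "events": ["Deposit"]},
]
PROTOCOL_EVENTS = {"Deposit", "Withdraw", "Borrow"}  # emitted by the monitored contract


def tvl_jump_alerts(tvl_by_block, max_change=0.25):
    """Flag a block whose TVL moved more than max_change (fraction) since the previous one."""
    alerts = []
    for (_, prev), (block, cur) in zip(tvl_by_block, tvl_by_block[1:]):
        if prev and abs(cur - prev) / prev > max_change:
            alerts.append(("tvl_jump", block, round((cur - prev) / prev, 3)))
    return alerts


def flashloan_alerts(txs):
    """Flag txs that call into our protocol between a flash-loan borrow and its repayment."""
    alerts = []
    for tx in txs:
        ev = tx["events"]
        if "FlashLoan" in ev and "FlashLoanRepaid" in ev:
            inner = ev[ev.index("FlashLoan") + 1 : ev.index("FlashLoanRepaid")]
            if PROTOCOL_EVENTS & set(inner):
                alerts.append(("flashloan_pattern", tx["hash"], len(inner)))
    return alerts


def gas_outlier_alerts(txs, factor=10):
    """Flag txs that used more than `factor` times the median gas of the batch."""
    med = median(t["gas_used"] for t in txs)
    return [("gas_outlier", t["hash"], t["gas_used"]) for t in txs if t["gas_used"] > factor * med]


def run_monitor(tvl_by_block, txs, page_threshold=2):
    """Collect all alerts; return (alerts, should_page) for the pager pipeline."""
    alerts = tvl_jump_alerts(tvl_by_block) + flashloan_alerts(txs) + gas_outlier_alerts(txs)
    return alerts, len(alerts) >= page_threshold


if __name__ == "__main__":
    found, page = run_monitor(TVL_BY_BLOCK, TXS)
    print(*found, "PAGE ON-CALL" if page else "no page", sep="\n")
```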

> **WARN:** Never deploy to mainnet on a Friday afternoon. Ever. Not even for a 'small update'.

## Summary

This list isn't complete, but it's the repeatable part of what we do. If you'd like, we can run it against your code · 2-8 weeks to a full audit report as PRs.

---

Source: https://dfieldsolutions.com/blog/smart-contract-audit-checklist
Author: Dezső Mező · Founder, DField Solutions
Site: https://dfieldsolutions.com
