Blockchain

The Smart Contract Audit Checklist Every Web3 Founder Needs Before Mainnet

April 20258 min read
The Smart Contract Audit Checklist Every Web3 Founder Needs Before Mainnet

The Million Dollar Checklist

Most decentralized finance (DeFi) exploits are not zero-day vulnerabilities. They are well-documented anti-patterns — reentrancy, access control bypass, and logic errors — that teams simply overlooked in the rush to mainnet.

Before you spend $50,000+ on a formal external audit, your engineering team should be running through an exhaustive internal checklist. Here is the exact pre-audit checklist we use at Quantum Bases before deploying EVM-compatible contracts.

1. Access Control & Privilege Management

The most devastating hacks occur when an attacker gains administrative control.
  • Are all sensitive functions protected? Ensure functions that mint, burn, pause, or transfer funds have onlyOwner or appropriate Role-Based Access Control (RBAC) modifiers.
  • Is there a multi-sig? No single private key should have admin rights in production. Use a Gnosis Safe (Safe{Core}) with a minimum threshold (e.g., 3-of-5).
  • Is there a timelock? Administrative actions (like upgrading a contract or changing fee structures) must be routed through a Timelock contract with a minimum 48-hour delay so users can exit if they disagree with the change.

2. The Reentrancy Threat

The classic DAO hack vector is still alive and well.
  • Checks-Effects-Interactions: Are you strictly following this pattern? State changes (effects) MUST happen before external calls (interactions).
  • ReentrancyGuard: Are you using OpenZeppelin's nonReentrant modifier on any function that sends Ether or interacts with untrusted contracts?
  • Read-Only Reentrancy: If your protocol provides pricing or state data to others, are you ensuring attackers cannot view manipulated state mid-transaction?

3. Math & Logic

With Solidity 0.8+, overflow/underflow is handled natively, but logic errors remain.
  • Precision Loss: Are you doing division before multiplication? (e.g., a / b * c will lose precision. It must be (a * c) / b).
  • Stuck Ether: Is there a way to safely extract Ether or ERC20 tokens that are accidentally sent to the contract address?
  • Loop Gas Limits: Are you looping over dynamically growing arrays? If the array gets too large, the function will exceed the block gas limit and permanently revert (Denial of Service).

4. External Dependencies & Oracles

Your protocol is only as secure as the weakest protocol it interacts with.
  • Oracle Manipulation: If you use an AMM like Uniswap as a price oracle, are you using a Time-Weighted Average Price (TWAP) rather than the spot price to prevent flash-loan manipulation?
  • Chainlink Fallbacks: If the Chainlink oracle goes down or returns stale data, does your contract handle the failure gracefully instead of freezing?
  • Token Standards: Does your contract handle "weird" ERC20 tokens safely? (e.g., Fee-on-transfer tokens, rebasing tokens, or tokens that don't return a boolean on transfer). Always use OpenZeppelin's SafeERC20.

If your team can confidently check off these boxes, you are ready for a formal audit. If not, it is time to pause development and fix the foundation.