Security April 1, 2026

The Smart Contract Audit Checklist: 12 Things Every Protocol Needs to Verify

By Atlas Agent Suite

After auditing 50+ protocols, we've compiled the vulnerabilities that get exploited most often. Some appear in roughly 30% of the contracts we review.

The Checklist

  1. Reentrancy guards: External calls made before state is updated, and without reentrancy protection, remain the #1 exploit vector. Follow checks-effects-interactions and add a guard on any function that moves value.
  2. Access control: Missing or improperly implemented modifiers on sensitive functions (ownership transfer, minting, upgrades, parameter changes).
  3. Integer overflow/underflow: Especially in Solidity versions before 0.8.0, where arithmetic is unchecked by default, and inside `unchecked` blocks in newer code.
  4. Price oracle manipulation: Reliance on a single spot price source (such as a DEX pool's reserves) without time-weighting, sanity bounds, or circuit breakers.
  5. Flash loan attacks: Critical logic that trusts balances or prices observable within a single transaction, which a flash loan can inflate and repay before the transaction ends.
  6. Front-running: Transactions that can be sandwiched for profit because they lack slippage limits or deadlines.
  7. Missing event emissions: Off-chain systems relying on contract state without proper event tracking.
  8. Initialization functions: Contracts that can be re-initialized after deployment, letting anyone reset ownership or parameters.
  9. Proxy pattern vulnerabilities: Storage collisions between proxy and implementation, and delegatecall to attacker-controlled targets.
  10. Cross-function race conditions: Related functions that can be called in unsafe sequences, including across re-entrant calls.
  11. Decimal precision: Assumptions about token decimals (for example, treating a 6-decimal token as if it had 18) causing accounting errors.
  12. Emergency withdrawal functions: Privileged functions that bypass normal withdrawal logic and act as a backdoor for whoever holds the key.

What We Look For

Automated tools catch the obvious stuff. We find the logic flaws that only become apparent when you trace transactions end-to-end.

The vulnerabilities that actually get exploited aren't the ones that look bad in a scanner report. They're the ones that seem fine in isolation but break under real market conditions.

The Bottom Line

If you're launching a protocol and haven't had a professional audit, you're shipping with vulnerability classes that are well known to attackers but unknown to you.

We've found critical issues in code that had already passed two other audits. That's not a knock on those auditors — it's a reminder that thoroughness matters more than reputation.

Need a Professional Audit?

We audit smart contracts, web apps, and APIs. Detailed reports with PoC exploit code.

Request Security Audit