2026-04-06
Founder's Security Checklist
Security isn't just an audit. It's a process that starts before your first line of code and continues long after launch. Here's what experienced teams do.
Phase 1 of 6
Before Writing Code
- Threat model your protocol — What assets are at risk? Who are the attackers? What's the worst-case scenario if your contracts are exploited?
- Define your security budget — 10–15% of your raise is the industry standard for security spend (audits, tools, monitoring, bug bounties).
- Choose a security-conscious dev framework — Foundry is the current recommendation for Solidity. Built-in fuzz testing, fast compilation, strong security community.
Phase 2 of 6
During Development
- Run Slither on every PR — Free, catches ~80% of common bugs, takes seconds. No excuses for skipping it.
- Write invariant tests with Echidna or Foundry fuzz — Unit tests prove your code does what you expect. Fuzz tests prove it doesn't do what you don't expect.
- Use OpenZeppelin for standard patterns — Don't reinvent tokens, access control, or upgradeable proxies. Battle-tested code > clever code.
- Document your assumptions and trust model — Write down what has to be true for your protocol to be safe. Auditors will test these assumptions.
Phase 3 of 6
Before Audit
- Code freeze — No changes during the audit. Moving targets waste auditor time and your money.
- 100% test coverage on critical paths — If you haven't tested it, the auditor will spend time finding bugs you could have caught for free.
- Run static analysis first — Run Slither, Aderyn, or Mythril and fix everything. Don't pay auditors $500/hr to find things a free tool catches.
- Prepare documentation — Architecture doc, deployment config, known risks, areas of concern. Good docs = faster, cheaper audit.
- Budget for remediation — Plan for 2–4 weeks of fixes. No codebase comes back clean on the first pass.
Phase 4 of 6
Choosing an Auditor
- Get 3 quotes minimum — Pricing varies wildly. Don't accept the first proposal.
- Check track record on YOUR chain and protocol type — An Ethereum DeFi expert may not be the right fit for a Solana gaming project.
- Ask for the lead auditor's name — You're hiring people, not logos. Know who will actually review your code.
- Verify they publish public reports — Transparency is a quality signal. Firms that hide their reports may have something to hide.
Phase 5 of 6
After Audit
- Fix ALL critical and high findings — Non-negotiable. If your auditor found it, assume attackers will too.
- Get a re-audit of fixes — Your fixes can introduce new bugs. Have the auditor verify their findings are resolved.
- Set up monitoring — Forta, Hypernative, or OpenZeppelin Defender for real-time alerting on suspicious activity.
- Launch a bug bounty — Immunefi is the standard for Web3. Budget 5–10% of TVL for critical bugs.
- Document your incident response plan — Who gets called at 3am? What's the pause mechanism? Where's the war room?
Phase 6 of 6
Ongoing Operations
- Real-time contract monitoring — Exploits happen fast. Minutes matter.
- Review access controls quarterly — Who has admin keys? Are they in a multisig? Is the threshold appropriate?
- Keep dependencies updated — OpenZeppelin releases security patches. Stay current.
- Budget for periodic re-audits — Annually, or after any major upgrade. The threat landscape changes constantly.
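The pause mechanism from the incident response item and the quarterly access-control review are both properties you can encode as tests so they are checked on every CI run rather than remembered once a quarter. The following is an added example written for this checklist, not code from the page or from OpenZeppelin; it assumes a Foundry project with forge-std and OpenZeppelin Contracts v5 (the import paths below are the v5 layout). The `Treasury` contract, the `GUARDIAN_ROLE`, and the multisig, guardian and user addresses are hypothetical. The design splits privileges: a guardian can pause quickly, but only the multisig that holds the admin role can unpause after the team has reviewed the incident.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {AccessControlEnumerable} from "@openzeppelin/contracts/access/extensions/AccessControlEnumerable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

/// Hypothetical protocol treasury: admin is a multisig, a separate guardian can only pause.
contract Treasury is AccessControlEnumerable, Pausable {
    bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");
    mapping(address => uint256) public balanceOf;

    constructor(address multisig, address guardian) {
        _grantRole(DEFAULT_ADMIN_ROLE, multisig);
        _grantRole(GUARDIAN_ROLE, guardian);
    }

    function deposit() external payable whenNotPaused {
        balanceOf[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Guardian pauses fast (the "3am" action); only the multisig can unpause.
    function pause() external onlyRole(GUARDIAN_ROLE) { _pause(); }
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) { _unpause(); }
}

contract TreasuryIncidentTest is Test {
    Treasury treasury;
    address multisig = makeAddr("multisig"); // constructed addresses
    address guardian = makeAddr("guardian");
    address user = makeAddr("user");
    address stranger = makeAddr("stranger");

    function setUp() public {
        treasury = new Treasury(multisig, guardian);
        vm.deal(user, 1 ether);
    }

    /// Access review as a test: exactly one admin exists and it is the multisig.
    function test_adminIsOnlyTheMultisig() public view {
        bytes32 admin = treasury.DEFAULT_ADMIN_ROLE();
        assertEq(treasury.getRoleMemberCount(admin), 1);
        assertEq(treasury.getRoleMember(admin, 0), multisig);
        assertFalse(treasury.hasRole(admin, guardian));
    }

    function test_strangerCannotPause() public {
        vm.prank(stranger);
        vm.expectRevert();
        treasury.pause();
    }

    function test_pauseBlocksDepositsAndUnpauseNeedsAdmin() public {
        vm.prank(guardian);
        treasury.pause();

        vm.prank(user);
        vm.expectRevert(); // EnforcedPause
        treasury.deposit{value: 1 ether}();

        vm.prank(guardian);
        vm.expectRevert(); // guardian lacks DEFAULT_ADMIN_ROLE
        treasury.unpause();

        vm.prank(multisig);
        treasury.unpause();

        vm.prank(user);
        treasury.deposit{value: 1 ether}();
        assertEq(treasury.balanceOf(user), 1 ether);
    }
}
```

The first test is the quarterly review question from the checklist written down as an assertion: if someone later grants an EOA the admin role in a deployment script, the test fails. The pause tests double as a rehearsal of the incident response plan, confirming who can stop the protocol and who is needed to restart it.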
Ready to Find an Auditor?
If you've checked off the "Before Audit" phase, you're ready. Let us match you with an auditor based on your chain, budget, and timeline.