2026-04-06

Founder's Security Checklist

A practical, non-technical security checklist for Web3 founders — from pre-development through ongoing operations.

Founder's Security Checklist

Security isn't just an audit. It's a process that starts before you write your first line of code and continues long after launch. Here's what experienced teams do.

Before Writing Code

  • Threat model your protocol — What assets are at risk? Who are the attackers? What's the worst-case scenario if your contracts are exploited?
  • Define your security budget — 10-15% of your raise is the industry standard for security spend (audits, tools, monitoring, bug bounties)
  • Choose a security-conscious development framework — Foundry is the current recommendation for Solidity projects. It has built-in fuzz testing, fast compilation, and a strong security community.

During Development

  • Run Slither on every PR — It's free, catches ~80% of common bugs, and takes seconds to run. No excuses for skipping it.
  • Write invariant tests with Echidna or Foundry fuzz — Unit tests prove your code does what you expect. Fuzz tests prove it doesn't do what you don't expect.
  • Use OpenZeppelin contracts for standard patterns — Don't reinvent tokens, access control, or upgradeable proxies. Battle-tested code > clever code.
  • Document your protocol's assumptions and trust model — Write down what has to be true for your protocol to be safe. Auditors will test these assumptions.

Before Audit

  • Code freeze — No changes during the audit. Moving targets waste auditor time and your money.
  • 100% test coverage on critical paths — If you haven't tested it, the auditor will spend time finding bugs you could have caught for free.
  • Run static analysis and fix all high/medium findings — Run Slither, Aderyn, or Mythril and fix everything before the audit starts. Don't pay auditors $500/hour to find things a free tool catches.
  • Prepare documentation — Architecture doc, deployment config, list of known risks, and any areas you're worried about. Good docs = faster, cheaper audit.
  • Budget for remediation time — Plan for 2-4 weeks of fixes after the audit. No codebase comes back clean on the first pass.

Choosing an Auditor

  • Get 3 quotes minimum — Pricing varies wildly. Don't accept the first proposal.
  • Check their track record on YOUR chain and protocol type — An Ethereum DeFi expert may not be the right fit for a Solana gaming project.
  • Ask for the lead auditor's name and experience — You're hiring people, not logos. Know who will actually review your code.
  • Verify they publish public reports — Transparency is a quality signal. Firms that hide their reports may have something to hide.
  • Use our auditor matching tool to find the right fit — We'll match you based on chain, budget, timeline, and project type.

After Audit

  • Fix ALL critical and high findings before launch — This is non-negotiable. If your auditor found a critical bug, assume attackers will too.
  • Get a re-audit or verification of fixes — Your fixes can introduce new bugs. Have the auditor verify their findings are actually resolved.
  • Set up monitoringForta, Hypernative, or OpenZeppelin Defender for real-time alerting on suspicious activity.
  • Launch a bug bounty programImmunefi is the standard for Web3. Budget 5-10% of TVL for critical bugs.
  • Have an incident response plan documented — Who gets called at 3am? What's the pause mechanism? Where's the war room?

Ongoing

  • Monitor your contracts with real-time alerting — Exploits happen fast. Minutes matter.
  • Review and update access controls quarterly — Who has admin keys? Are they in a multisig? Is the multisig threshold appropriate?
  • Keep dependencies updated — OpenZeppelin releases security patches. Stay current.
  • Budget for periodic re-audits — Annually, or after any major upgrade. The threat landscape changes constantly.