2026-03-20

Pre-Audit Checklist

Everything you need to prepare before engaging a smart contract auditor. Documentation, code readiness, internal review, and scope definition.

Preparing properly before an audit starts saves time, reduces costs, and leads to better results. Use this checklist to ensure you're ready.

Documentation

  • Architecture overview — High-level diagram of your system, including all contracts and their interactions
  • Specification document — What the protocol is supposed to do, including edge cases and invariants
  • Deployment plan — Which contracts deploy where, constructor parameters, proxy patterns
  • Access control matrix — Who can call what functions with what permissions
  • External dependencies — List all oracles, bridges, and third-party contracts you interact with

Code Readiness

  • Code freeze — No changes to the codebase during the audit period
  • Compilation — Code compiles without errors or warnings on the latest stable compiler version
  • Test suite — All tests pass with clear output; aim for >90% line coverage
  • Clean repository — Remove dead code, commented-out blocks, and unused imports
  • NatSpec comments — All public and external functions have NatSpec documentation
  • Consistent formatting — Run your formatter (prettier-solidity, forge fmt) across the entire codebase

Internal Review

  • Self-audit — Run Slither, Mythril, or similar tools and address all high/medium findings
  • Fuzz testing — Write property-based tests for critical invariants using Echidna or Foundry fuzz
  • Peer review — At least one other developer has reviewed the code
  • Known issues list — Document any known limitations, accepted risks, or intentional deviations
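The fuzz-testing item above, shown as an added example that is not part of this checklist: a Foundry test (forge-std) that pairs a stateless fuzz test with a stateful invariant test. The `SimpleVault` contract, its functions and the solvency invariant are hypothetical and exist only to give the test something to exercise.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal vault used only to illustrate the test shape.
contract SimpleVault {
    mapping(address => uint256) public shares;
    uint256 public totalShares;

    function deposit() external payable {
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        totalShares -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract SimpleVaultTest is Test {
    SimpleVault vault;

    function setUp() public {
        vault = new SimpleVault();
        // Point the invariant fuzzer at the vault's public functions only.
        targetContract(address(vault));
    }

    // Stateless fuzz test: forge supplies a random `amount` on every run.
    function testFuzz_DepositThenWithdrawRoundTrips(uint256 amount) public {
        amount = bound(amount, 1, 100 ether); // keep within a fundable range
        vm.deal(address(this), amount);
        vault.deposit{value: amount}();
        assertEq(vault.shares(address(this)), amount);
        vault.withdraw(amount);
        assertEq(vault.shares(address(this)), 0);
        assertEq(address(vault).balance, 0);
    }

    // Stateful invariant: after any random sequence of deposit/withdraw calls,
    // the vault must never hold less ETH than the shares it has issued.
    function invariant_SolvencyHolds() public view {
        assertGe(address(vault).balance, vault.totalShares());
    }

    // Lets this test contract receive the ETH returned by withdraw().
    receive() external payable {}
}
```

Run with `forge test`; forge discovers `testFuzz_*` functions as fuzz tests and `invariant_*` functions as invariant tests, and the number of runs and call depth are tuned in `foundry.toml`.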

Scope Definition

  • In-scope contracts — Explicit list of files and contract names to be audited
  • Out-of-scope items — Clearly mark test files, mock contracts, and third-party code
  • Lines of code count — Provide accurate LoC for scoping and pricing
  • Commit hash — Pin the exact commit to be audited

Communication Setup

  • Point of contact — Designate a technical lead who can answer auditor questions promptly
  • Communication channel — Set up a shared Slack channel, Telegram group, or similar
  • Response SLA — Commit to responding to auditor questions within 24 hours
  • Fix review window — Agree on a timeline for remediations and fix verification