Pre Audit Checklist

Prepare your smart contracts for security review. Before requesting an external audit or running deep scans, ensure your codebase is ready. This checklist...

Last updated: January 14, 2026

Pre-Audit Checklist

Prepare your smart contracts for security review.

Overview

Before requesting an external audit or running deep scans, ensure your codebase is ready. This checklist helps you maximize the value of security reviews.

Code Preparation

Documentation

  • NatSpec comments on all public/external functions
  • Architecture documentation explaining system design
  • Deployment documentation with expected configurations
  • Invariants documented for key properties
  • Known issues list with accepted risks

Code Quality

  • No TODO comments in production code
  • No commented-out code blocks
  • Consistent naming conventions throughout
  • No magic numbers - use named constants
  • No unused code - remove dead code paths

Dependencies

  • All dependencies pinned to specific versions
  • Dependencies are audited or well-known
  • No deprecated dependencies
  • License compatibility verified

BlockSecOps Pre-Scan

Run Standard Scan First

Before deep scan:

blocksecops scan --preset standard

Address all Critical and High findings before proceeding.

Clear Known Issues

  • All Critical findings fixed or documented as accepted
  • All High findings fixed or documented
  • Medium findings reviewed and prioritized
  • No compilation errors or warnings

Test Coverage

Unit Tests

  • 100% function coverage for critical paths
  • Edge case testing (zero values, max values)
  • Access control tests for all restricted functions
  • Failure case tests (expected reverts)

Integration Tests

  • Multi-contract interactions tested
  • External integrations tested
  • Deployment scenarios tested
  • Upgrade paths tested (if applicable)

Security Tests

  • Reentrancy tests
  • Overflow/underflow tests
  • Access control bypass attempts
  • Front-running scenarios

Fuzz Testing

  • Invariant tests for core properties
  • Fuzz inputs on user-facing functions
  • Minimum 10,000 runs per test

Code Review

Self-Review

  • Read through entire codebase fresh
  • Check all math operations
  • Verify access control patterns
  • Review state machine transitions

Peer Review

  • At least one other developer reviewed
  • Fresh eyes on critical functions
  • Architecture decisions challenged
  • Edge cases discussed

Specific Checks

Access Control

  • Every state-changing function has access control
  • Admin functions are time-locked (if appropriate)
  • Role hierarchy is correctly implemented
  • Renounce ownership is intentional (if used)

Arithmetic

  • No unhandled overflows (or using Solidity 0.8+)
  • Division by zero handled
  • Precision loss minimized
  • Rounding direction is intentional

External Calls

  • All external calls use checks-effects-interactions
  • Return values are checked
  • Reentrancy guards where needed
  • Gas limits considered for loops

Token Handling

  • ERC20 approve race condition handled
  • Non-standard tokens considered (USDT, etc.)
  • Zero-transfer behavior handled
  • Fee-on-transfer tokens considered (if supported)

Oracles

  • Freshness checks on oracle data
  • Multiple oracle sources (if critical)
  • Fallback for oracle failures
  • Price manipulation resistance

Project Organization

Repository Structure

project/
├── contracts/          # Source contracts
├── interfaces/         # Interface definitions
├── libraries/          # Shared libraries
├── test/              # Test files
├── scripts/           # Deployment scripts
├── docs/              # Documentation
│   ├── ARCHITECTURE.md
│   ├── DEPLOYMENT.md
│   └── SECURITY.md
├── audits/            # Previous audit reports
└── README.md

Security Documentation

Create SECURITY.md:

# Security

## Bug Bounty

[Link to bug bounty program if applicable]

## Audit Status

[List of completed audits]

## Known Issues

[List of accepted risks with justification]

## Contact

[Security contact information]

Final BlockSecOps Scan

Deep Scan Checklist

  • All standard scan issues addressed
  • All dependencies included in upload
  • Configuration files included
  • Test files excluded (or included if wanted)

Run Deep Scan

blocksecops scan --preset deep

Review Results

  • All Critical findings resolved
  • All High findings resolved or accepted with justification
  • Medium findings prioritized
  • Export report for documentation

Audit Preparation Package

What to Provide Auditors

  1. Source Code

    • Clean repository
    • Tagged commit for audit scope
    • All dependencies

  2. Documentation

    • Architecture overview
    • Deployment guide
    • Known issues

  3. Test Suite

    • All tests passing
    • Coverage report

  4. BlockSecOps Report

    • Latest scan results
    • Resolution status of findings

Recommended Format

Create an audit package:

# Create audit commit
git tag audit-v1.0

# Export report
blocksecops export --format pdf --output audit-prep-report.pdf

# Create archive
zip -r audit-package.zip \
  contracts/ \
  interfaces/ \
  libraries/ \
  test/ \
  docs/ \
  audit-prep-report.pdf

Timeline

Typical Preparation

Phase Duration
Initial cleanup 1-2 days
Test completion 3-5 days
BlockSecOps scanning 1 day
Issue remediation 3-5 days
Final review 1-2 days

Total: 1-2 weeks

Next Steps