
Smart Contract Audit Checklist: What a Real Security Audit Covers in 2026

A practical, no-fluff breakdown of what a serious smart contract audit actually inspects — from reentrancy and access control to economic attack modeling — and how to tell a real audit from a rubber stamp.

Tags: Smart Contract Audit, Solidity, DeFi Security

Almost every protocol that gets drained had an audit. That sentence should bother anyone shipping on-chain code. The problem is rarely that auditing "doesn't work" — it's that the word audit covers everything from a two-hour automated scan to a multi-week adversarial review by senior engineers. The deliverable looks similar. The protection is not.

This is the checklist we run through on every engagement. Use it to scope your own code, and use it to interrogate any audit report you are handed before you trust it with user funds.

Before the audit even starts

Half of a good audit's value is created before anyone reads a line of Solidity. If a vendor skips this, the engagement is already weaker than it should be.

  • A frozen commit. Auditing a moving target is theatre. The scope should be a specific commit hash, and changes after that point get re-reviewed, not waved through.
  • The threat model in writing. Who can call what, what is trusted, what an attacker controls, and what "catastrophic" means for this protocol specifically.
  • Economic assumptions stated out loud. Oracle sources, expected liquidity, collateral ratios, and what happens when those assumptions break — because attackers will break them on purpose.
  • Tests and documentation. A protocol that cannot explain its own invariants to an auditor cannot explain them to a court later either.

The vulnerability classes that matter

Automated tooling catches the well-known shapes quickly, and it should — but tools find patterns, not intent. The classes below are where real money is lost, and most of them require a human who understands what the code is supposed to do.

Reentrancy and external call ordering

Still the most expensive bug class in DeFi history, and still shipped regularly. The checklist item is not "is there a nonReentrant modifier" — it is whether state changes before every external call, including cross-function and cross-contract read-only reentrancy through view functions and callbacks (ERC-777 hooks, ERC-721 onReceived, arbitrary call).
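A constructed illustration of that checklist item (added here, not code from the article): a vault that has the modifier and is still exploitable through cross-function reentrancy, beside the same vault written checks-effects-interactions style.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not the article's code. VaultStillVulnerable carries a
// nonReentrant modifier on withdraw() and is still exploitable through
// cross-function reentrancy: the balance is zeroed after the external call, and
// transfer() shares that state without sharing the guard.
contract VaultStillVulnerable {
    mapping(address => uint256) public balances;
    uint256 private _locked = 1;
    modifier nonReentrant() {
        require(_locked == 1, "reentrant");
        _locked = 2;
        _;
        _locked = 1;
    }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function transfer(address to, uint256 amount) external {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
    // withdraw() cannot re-enter itself, but while the call below is executing
    // the caller's balance is still credited, so a receiver contract can reach
    // transfer() with stale state. The guard hides the ordering bug; it does not fix it.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0; // effect after interaction: the actual bug
    }
}

// Checks-effects-interactions: every state change precedes the external call,
// so re-entering any function sees the already-updated balance. A guard can
// stay as defence in depth, but it is no longer what makes the code safe.
contract VaultFixed {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function transfer(address to, uint256 amount) external {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;                          // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");  // interaction last
        require(ok, "send failed");
    }
}
```

The review question for each external call is therefore "what state is still stale while this call runs", which a modifier search will never answer.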

Access control and privilege

  • Every privileged function: who can call it, and what is the blast radius if that key is compromised?
  • Initializer and upgrade paths — can an uninitialized proxy be hijacked?
  • Are admin powers timelocked, and is the timelock actually enforced rather than cosmetic?

Arithmetic and accounting

Solidity 0.8 removed silent overflow, not bad math. Rounding direction, precision loss in share/asset conversions, fee-on-transfer and rebasing tokens, and first-depositor share inflation are all live attack surfaces that no compiler protects you from.
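A constructed example of the first-depositor share inflation mentioned above (added here, not the article's code). It shows the naive share formula beside the virtual shares and assets offset that OpenZeppelin's ERC-4626 implementation uses as a mitigation; asset balances are modelled with a counter, and donate() stands in for tokens sent to the vault without a deposit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not the article's code. A minimal share-based vault in two
// versions: the naive share formula, and the "virtual shares and assets" offset
// mitigation used by OpenZeppelin's ERC-4626 implementation. Assets are tracked
// with a plain counter (a real vault would read token.balanceOf(address(this))),
// and donate() models tokens sent to the vault without going through deposit().
contract NaiveVault {
    uint256 public totalShares;
    uint256 public totalAssets;
    function convertToShares(uint256 assets) public view returns (uint256) {
        if (totalShares == 0) return assets;          // 1 wei in => 1 share
        return assets * totalShares / totalAssets;    // integer division rounds down
    }
    // Sequence an auditor checks: deposit(1); donate(1e18); then a victim's
    // deposit(1e18) computes 1e18 * 1 / (1e18 + 1) == 0 shares, so the victim's
    // assets are owned entirely by the holder of the single existing share.
    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = convertToShares(assets);
        totalShares += shares;
        totalAssets += assets;
    }
    function donate(uint256 assets) external { totalAssets += assets; }
}

contract OffsetVault {
    uint256 public totalShares;
    uint256 public totalAssets;
    uint256 private constant VIRTUAL_SHARES = 1e6; // paired with 1 virtual asset
    // Same sequence: deposit(1) mints 1e6 shares; after donate(1e18) the victim's
    // deposit(1e18) mints 2e24 / (1e18 + 2) == 1_999_999 shares, so the first
    // depositor holds about a third of ~2e18 assets after paying 1e18 + 1: a loss.
    function convertToShares(uint256 assets) public view returns (uint256) {
        return assets * (totalShares + VIRTUAL_SHARES) / (totalAssets + 1);
    }
    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = convertToShares(assets);
        require(shares > 0, "zero shares");  // second check: never mint 0 shares
        totalShares += shares;
        totalAssets += assets;
    }
    function donate(uint256 assets) external { totalAssets += assets; }
}
```

Both the rounding direction and the zero-share check are things the compiler will never flag; they only surface when the reviewer walks the deposit sequence by hand.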

Oracle and price manipulation

Spot price reads from an AMM are not an oracle — they are an attacker's lever. A real audit traces every price source through to its manipulation cost under flash-loan conditions, not just normal markets.

Economic and game-theoretic attacks

This is the line between a scan and an audit. Liquidation incentives that invert under stress, MEV and sandwich exposure, governance attacks via borrowed voting power, and donation/share-inflation griefing are not pattern-matchable. They require modeling the protocol as an adversary with capital. This is the core of what our smart contract audit service is built around.

Tell-tale sign of a weak audit: the findings are all "informational" and "gas optimization," with no discussion of the protocol's actual economic assumptions. That is a linter run, not a security review.

How to read the report you get back

The report is the product. Judge it like one.

  • Severity with reasoning. Every finding should state impact, likelihood, and the concrete attack path — not just a color.
  • Reproducible proof of concept for anything high or critical. "Theoretically exploitable" with no PoC is a hypothesis, and it deserves to be challenged.
  • Remediation verification. A real engagement re-reviews fixes. A fix that introduces a new bug is common enough that skipping this step quietly undoes the whole audit.
  • An explicit scope and disclaimer. Honest auditors tell you what they did not look at. That is a sign of rigor, not weakness.

An audit is a checkpoint, not a finish line

A clean report describes one commit at one moment. The day you deploy an upgrade, integrate a new protocol, or list a non-standard token, the audited assumptions can quietly stop being true. Mature teams pair the audit with continuous wallet and transaction screening so that if something does slip through, malicious flows are flagged in real time rather than discovered on Twitter.

And if the worst happens anyway, the same forensic discipline that powers a good audit is what makes on-chain investigation and contract recovery possible. Security is a cycle, not a certificate.

Shipping something soon? Get a scoped review before mainnet, not after the post-mortem.
