CryptoFin's Solidity Auditing Checklist

In the last year, hundreds of millions of dollars worth of crypto have been lost by faulty smart contracts.

Beyond devastating those who lose funds, these blunders harm the ecosystem as a whole by signaling the immaturity of smart contracts and reinforcing people’s wariness. Better due diligence processes could have prevented many of the issues found, saving a lot of headaches, money, and stalled progress.

At CryptoFin, we’ve audited many production-ready Solidity contracts. We’ve compiled a list of common findings and issues to watch out for when auditing a contract for a mainnet launch.

We hope this checklist is useful to the community and will raise the bar for contract quality!

Checklist

Core Checks

These are basic checks to undertake with any contract. Our checklist reflects Solidity v0.4.24.

Testing and Software Engineering

Resilience

We always check for code that will mitigate risk when (not if) a contract fails. When a contract doesn’t have this, it’s often a warning sign.
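As an added illustration (not part of CryptoFin’s checklist or of any audited contract), here is a minimal emergency-stop pattern in Solidity 0.4.24: the owner can halt deposits when something goes wrong, while withdrawals stay open so users can still get their funds out. The contract name and single-owner model are assumptions for the example; a real deployment would put the owner key behind a multisig.

```solidity
pragma solidity ^0.4.24;

// Added example (not from the checklist): a minimal emergency-stop
// ("circuit breaker") that halts state-changing entry points while
// still letting users withdraw what is theirs.
contract CircuitBreakerVault {
    address public owner;          // assumed: a multisig in production
    bool public stopped;
    mapping(address => uint256) public balances;

    event Deposited(address indexed who, uint256 amount);
    event Withdrawn(address indexed who, uint256 amount);
    event Stopped(bool stopped);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier stopInEmergency() { require(!stopped, "contract is stopped"); _; }

    constructor() public { owner = msg.sender; }

    // Flip the breaker; emitting an event makes the change easy to monitor.
    function setStopped(bool _stopped) external onlyOwner {
        stopped = _stopped;
        emit Stopped(_stopped);
    }

    // Deposits are refused while stopped so a live bug cannot keep taking funds.
    function deposit() external payable stopInEmergency {
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    // Withdrawals remain available even when stopped: users can always exit.
    // Checks-effects-interactions: zero the balance before the external call
    // so a re-entrant caller finds nothing left to withdraw.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        emit Withdrawn(msg.sender, amount);
        msg.sender.transfer(amount);
    }
}
```

When auditing, check that the stop switch cannot lock user funds in, and that the account allowed to flip it is itself protected.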

Auditing

Auditing helps catch many bugs, but it shouldn’t be seen as a magic bullet either. Your system still needs to handle failure gracefully.

High Risk Areas

When performing an audit, CryptoFin pays special attention to these areas, which require greater scrutiny because they are frequent sources of bugs.

Security Resources

Where to go from here

Many of these checklist items are well-suited for a linter. We welcome any contributors who want to take a crack at it.