The Million Dollar Checklist
Most decentralized finance (DeFi) exploits are not zero-day vulnerabilities. They are well-documented anti-patterns — reentrancy, access control bypass, and logic errors — that teams simply overlooked in the rush to mainnet.
Before you spend $50,000+ on a formal external audit, your engineering team should be running through an exhaustive internal checklist. Here is the exact pre-audit checklist we use at Quantum Bases before deploying EVM-compatible contracts.
1. Access Control & Privilege Management
The most devastating hacks occur when an attacker gains administrative control.- Are all sensitive functions protected? Ensure functions that mint, burn, pause, or transfer funds have
onlyOwneror appropriate Role-Based Access Control (RBAC) modifiers. - Is there a multi-sig? No single private key should have admin rights in production. Use a Gnosis Safe (Safe{Core}) with a minimum threshold (e.g., 3-of-5).
- Is there a timelock? Administrative actions (like upgrading a contract or changing fee structures) must be routed through a Timelock contract with a minimum 48-hour delay so users can exit if they disagree with the change.
2. The Reentrancy Threat
The classic DAO hack vector is still alive and well.- Checks-Effects-Interactions: Are you strictly following this pattern? State changes (effects) MUST happen before external calls (interactions).
- ReentrancyGuard: Are you using OpenZeppelin's
nonReentrantmodifier on any function that sends Ether or interacts with untrusted contracts? - Read-Only Reentrancy: If your protocol provides pricing or state data to others, are you ensuring attackers cannot view manipulated state mid-transaction?
3. Math & Logic
With Solidity 0.8+, overflow/underflow is handled natively, but logic errors remain.- Precision Loss: Are you doing division before multiplication? (e.g.,
a / b * cwill lose precision. It must be(a * c) / b). - Stuck Ether: Is there a way to safely extract Ether or ERC20 tokens that are accidentally sent to the contract address?
- Loop Gas Limits: Are you looping over dynamically growing arrays? If the array gets too large, the function will exceed the block gas limit and permanently revert (Denial of Service).
4. External Dependencies & Oracles
Your protocol is only as secure as the weakest protocol it interacts with.- Oracle Manipulation: If you use an AMM like Uniswap as a price oracle, are you using a Time-Weighted Average Price (TWAP) rather than the spot price to prevent flash-loan manipulation?
- Chainlink Fallbacks: If the Chainlink oracle goes down or returns stale data, does your contract handle the failure gracefully instead of freezing?
- Token Standards: Does your contract handle "weird" ERC20 tokens safely? (e.g., Fee-on-transfer tokens, rebasing tokens, or tokens that don't return a boolean on
transfer). Always use OpenZeppelin'sSafeERC20.
If your team can confidently check off these boxes, you are ready for a formal audit. If not, it is time to pause development and fix the foundation.
