Smart Contract Auditing Guide
Learn the methodology, tools, and best practices for auditing smart contracts, whether you're a developer reviewing your own code or an aspiring auditor.
The Audit Process
Scoping
Define audit scope, review documentation, understand business logic
Manual Review
Line-by-line code review looking for vulnerabilities and logic errors
Automated Analysis
Run static analysis tools and fuzzers to find common issues
Reporting
Document findings, assign severity, provide recommendations
Severity Classification
Critical
Direct loss of funds or complete contract compromise
High
Significant impact on contract functionality or user funds
Medium
Limited impact, requires specific conditions to exploit
Low
Minor issues, best practices, or informational findings
Security Checklist
Access Control
- All admin functions have proper access modifiers
- Role-based access control is properly implemented
- Ownership transfer is two-step
- Critical functions have timelock or multisig
State Management
- State changes follow Checks-Effects-Interactions
- ReentrancyGuard on external call functions
- No unexpected state mutations
- Proper initialization of storage variables
External Calls
- Return values are checked
- Low-level calls handle failures
- No unbounded loops with external calls
- Delegate calls are safe
Math & Logic
- SafeMath or Solidity 0.8+ for arithmetic
- Division before multiplication avoided
- Proper decimal handling
- Edge cases handled (zero values, max values)
Manual Review Techniques
Line-by-Line Review
Read every line of code, understanding what it does and why.
- Start with entry points
- Follow data flow
- Question every assumption
Threat Modeling
Think like an attacker. What would you try to exploit?
- Identify trust boundaries
- Map attack surfaces
- Consider edge cases
Pattern Matching
Look for known vulnerable patterns in the code.
- External calls before state changes
- Unchecked return values
- Missing access controls
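The three patterns above, together with the Checks-Effects-Interactions, checked-call and two-step ownership items from the checklist, in one constructed Solidity example (added here, not code from the page or from any audited project): a minimal vault as an auditor would find it, followed by the hardened version with the findings addressed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed example (not from the page or any audited project): a minimal
// vault with three checklist findings, followed by the hardened version.

// BEFORE: what a line-by-line review should flag.
contract VaultVulnerable {
    mapping(address => uint256) public balances;
    address public owner;
    constructor() { owner = msg.sender; }
    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Finding 1 (Critical): external call before the state change, so a
    // malicious receiver can re-enter withdraw() and drain the vault.
    // Finding 2 (High): the low-level call's return value is unchecked, so a
    // failed transfer still zeroes the caller's balance.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        msg.sender.call{value: amount}("");
        balances[msg.sender] = 0;
    }

    // Finding 3 (Critical): missing access control on an admin function.
    function setOwner(address newOwner) external { owner = newOwner; }
}

// AFTER: Checks-Effects-Interactions, checked call, two-step ownership.
contract VaultHardened {
    mapping(address => uint256) public balances;
    address public owner;
    address public pendingOwner;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor() { owner = msg.sender; }
    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw() external {
        uint256 amount = balances[msg.sender];            // Checks
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                         // Effects
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interactions
        require(ok, "transfer failed");
    }

    // Ownership moves only when the new owner actively accepts it.
    function transferOwnership(address newOwner) external onlyOwner { pendingOwner = newOwner; }
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

Each finding in the first contract maps to a severity from the classification above; the hardened contract is what the remediation section of a report would point to.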
Audit Report Structure
1. Executive Summary
High-level overview of the audit, key findings, and overall security assessment.
2. Scope & Methodology
What was audited, commit hash, tools used, and testing approach.
3. Findings
Detailed vulnerabilities with severity, description, impact, and remediation.
4. Recommendations
General security improvements and best practices suggestions.
5. Appendix
Tool outputs, test results, and additional technical details.
Common Audit Mistakes
Don't
- Rely solely on automated tools
- Skip reading documentation and specs
- Ignore "low severity" findings
- Audit without understanding the business logic
- Rush through the review to meet deadlines
- Assume tested code is secure
Do
- Combine manual review with automated tools
- Understand the full context and use cases
- Test your findings with PoC exploits
- Review dependencies and external contracts
- Consider economic/game theory attacks
- Provide clear, actionable recommendations
Essential Tools