Security | 15 min read | May 11, 2026

Smart Contract Audit Checklist: The Complete 47-Point Security Review Guide

Muhammad Zain

TelGates Team

After auditing 50+ protocols with combined TVL exceeding $200M, we've refined our audit checklist into 47 critical checkpoints. Here's our complete methodology.

Phase 1: Static Analysis (Automated)

  • Run Slither — check for reentrancy, unchecked returns, and state variable shadowing
  • Run Mythril — symbolic execution for reachability of critical paths
  • Run Echidna — property-based fuzzing with custom invariants
  • Check compiler version — use Solidity 0.8.20+ for built-in overflow protection
  • Verify all dependencies are pinned versions (no floating imports)

Phase 2: Access Control Review

6. Map every onlyOwner / onlyAdmin function — verify no privilege escalation
7. Check initializer functions cannot be called twice
8. Verify timelock exists on critical governance actions (minimum 24-48 hours)
9. Audit multi-sig configurations — threshold should be >50% of signers
10. Check for hidden admin functions or backdoors in proxy implementations

Phase 3: Financial Logic

11. Verify interest rate calculations handle edge cases (zero supply, max utilization)
12. Check rounding direction — always round against the user (protocol-favorable)
13. Verify fee calculations don't create dust or rounding exploits
14. Test with extreme values — 1 wei deposits, uint256.max approvals
15. Verify slippage protection on all swap/trade functions

Phase 4: Oracle Security

16. Never rely on a single oracle source — use Chainlink + TWAP minimum
17. Check oracle freshness — reject stale prices (>1 hour for volatile assets)
18. Verify oracle manipulation resistance — can a flash loan attack move the price?
19. Test oracle failure modes — what happens when the oracle is down?

Phase 5: Economic Attack Vectors

20. Flash loan attack simulation — can borrowed funds manipulate protocol state?
21. Sandwich attack analysis — are any user-facing functions frontrunnable?
22. Donation attacks — can direct token transfers break share price calculations?
23. First depositor attack — does the vault protect against inflation attacks?
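Items 22 and 23 (and the custom invariants of item 3) are easiest to reason about on a model of the vault's share math. The following is an added example written for this post, not code from any audited protocol: a constructed ERC-4626-style accounting model with the classic `assets * totalShares / totalAssets` conversion beside the decimals-offset mitigation (virtual shares and one virtual asset, as popularised by OpenZeppelin's ERC-4626), plus the invariant an auditor would turn into a fuzz property: a 1-wei first deposit followed by a donation must neither zero out a later depositor's shares nor pay the early depositor a profit.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """Constructed ERC-4626-style share accounting (a model, not a real contract).

    naive=True  : shares = assets * totalShares // totalAssets (vulnerable form)
    naive=False : decimals offset, i.e. 10**offset virtual shares and 1 virtual
                  asset, so a donation cannot inflate the share price enough to
                  round a later deposit down to zero shares.
    """
    naive: bool = True
    offset: int = 0
    total_assets: int = 0
    total_shares: int = 0

    def to_shares(self, assets: int) -> int:
        if self.naive:
            return assets if self.total_shares == 0 else assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10 ** self.offset) // (self.total_assets + 1)

    def to_assets(self, shares: int) -> int:
        if self.naive:
            return shares if self.total_shares == 0 else shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10 ** self.offset)

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)  # floor division: rounds against the depositor (item 12)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        self.total_assets += assets  # direct ERC-20 transfer that bypasses deposit() (item 22)

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


def first_depositor_check(naive: bool, offset: int = 0, deposit: int = 10 ** 18) -> dict:
    """Invariant for items 22/23: after a 1-wei first deposit plus a donation equal to
    the victim's deposit, the victim still gets shares and the early depositor gains nothing."""
    v = Vault(naive=naive, offset=offset)
    early_shares = v.deposit(1)
    v.donate(deposit)
    victim_shares = v.deposit(deposit)
    victim_out = v.redeem(victim_shares)
    early_out = v.redeem(early_shares)
    return {"victim_shares": victim_shares,
            "victim_loss": deposit - victim_out,
            "early_profit": early_out - (1 + deposit)}
```

With the naive formula the victim receives zero shares and the 1-wei depositor walks away with the victim's entire deposit; with `offset=6` the victim loses only rounding dust and the donation is a net loss for whoever made it.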

Pricing

  • Basic audit (single contract, <500 lines): $8,000-15,000
  • Standard audit (protocol with 3-5 contracts): $25,000-45,000
  • Comprehensive audit (full DeFi protocol): $50,000-80,000
  • Timeline: 2-4 weeks depending on complexity