22 March 2026·12 min read

BlockchainSecuritySolidityAudit

Smart contract audit checklist — the one we actually use

A checklist for the last days before mainnet: threat model, tests, fuzz, deploy, monitor — 30+ items we never skip.

Last verified22 March 2026

By Dezső MezőFounder, DField Solutions

ShareX LinkedIn#

Reviewed by:Dezső Mező· Founder · Engineer, DField Solutions· 22 Mar 2026

A single re-entrancy bug cost $180M once. A single access-control miss zeroed out thousands of users. Blockchain doesn't forgive. This checklist is what we run on every project before the first mainnet transaction.

I. Threat model (1–2 days)

Economic actors: who profits from an exploit?
Admin surface: what permissions exist, who controls them?
Oracle dependencies: which oracle, what's the fallback?
Flashloan surfaces: can the contract be manipulated within a single tx?
MEV / front-running exposure.

II. Test coverage

100% line coverage isn't the goal — the goal is a scenario test for every economic situation. Foundry or Hardhat, augmented with invariant tests.

// Foundry invariant test
contract TreasuryInvariants is Test {
    function invariant_totalSupplyMatchesBalances() public {
        uint256 sum;
        for (uint256 i = 0; i < users.length; i++) {
            sum += treasury.balanceOf(users[i]);
        }
        assertEq(sum, treasury.totalSupply());
    }
}

III. Fuzz campaign

Echidna 10M+ runs with every property instrumented.
Foundry fuzz on the edges of the parameter range.
Special attention: reentrancy, overflow, access control, rounding.

IV. Static analysis

Slither — baseline net, but many false positives.
Mythril symbolic execution, slower but deeper.
Aderyn (Rust-based) — fast, modern.

V. Manual review

Tools don't find every business-logic bug. Read the contracts line by line. Focus: state transitions, permissioning, rollback, migration. Four-eye principle — two independent reviewers.

VI. Deploy pipeline

Local anvil / hardhat node: integration tests.
Testnet (Sepolia, Arbitrum Sepolia): ~2 weeks of traffic.
Canary mainnet: TVL cap, phased.
Full rollout + TVL lift in steps.

VII. Onchain monitor

30–90 days of production monitoring: anomaly detection (flashloan patterns, TVL jumps, suspicious gas usage). Pager pipeline at threshold.

Never deploy to mainnet on a Friday afternoon. Ever. Not even for a 'small update'.

Summary

This list isn't complete, but it's the repeatable part of what we do. If you'd like, we can run it against your code — 2–8 weeks to a full audit report as PRs.

ShareX LinkedIn#

Dezső Mező

Founder, DField Solutions

I've shipped production products from fintech to creator-tooling — for startups and enterprises, from Budapest to San Francisco.

ABOUT →Let's talk →

Keep reading

20 Apr 2026·10 min read

NIS2 for SaaS: minimum checklist for 2026

What NIS2 actually demands from a mid-size SaaS: incident reporting, supply-chain, access control, and 3 basic rules we run ourselves.

Read

05 Mar 2026·9 min read

GDPR + AI: training on user data in 2026 — what's allowed, what isn't

'We train on user data' — one sentence most startups drop without friction. In 2026 it opens a GDPR door. Here's the concrete checklist.

Read

18 Feb 2026·8 min read

EU AI Act for SaaS: what you actually have to do in 2026

AI Act is live. Who it affects, which tier you're in, deadlines — and the three things worth starting now.

Read

Would rather build together?

Let's talk about your project. 30 minutes, no strings.

Let's talk