James Bachini

Pre Audit Checklist For DeFi/Web3 Projects


Here’s a Pre-Audit & Bug Bounty Checklist for DeFi protocols and Web3 projects, adapted from best practices and structured for easy use across projects preparing for third-party audits or launching a bug bounty program.

Use this checklist to prepare your protocol for a formal audit and/or bug bounty launch. Completing these tasks will not only improve audit outcomes but also build trust with your users and community.


CODE & TESTING

1. Unit Tests

  • [ ] Comprehensive unit test suite exists.
  • [ ] Tests cover major logic branches and edge cases.
  • [ ] Use a reputable framework (e.g., Hardhat, Foundry).

2. System Tests

  • [ ] Integration/system-level tests are implemented.
  • [ ] Ensure tests cover contract interactions and edge-case flows.

3. Test Coverage

  • [ ] Use a coverage tool such as solidity-coverage to generate a report.
  • [ ] Aim for >90% code coverage, but prioritise high-risk functions.

4. Test Reports

  • [ ] Export test results to a persistent format (PDF or markdown).
  • [ ] Include in your public repository or audit prep folder.

SECURITY MECHANISMS

5. Contract Pausability, Upgradeability & Timelocks

  • [ ] Contracts implement a pause() mechanism.
  • [ ] Timelocks are clearly defined and set (48 hours to 1 week recommended).
  • [ ] Upgrade logic (e.g., UUPS or proxy pattern) is documented.
  • [ ] Rationale provided for any deviations from these standards.
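The pause and timelock mechanisms in item 5, together with the edge-case unit tests item 1 asks for, as one added Solidity example. This is a hypothetical contract written for this checklist, not code from the original post; it assumes a Foundry project (forge-std for the `Test` base and `vm` cheatcodes), and the 48-hour delay is the low end of the range recommended above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Vault with an owner-controlled pause() and a timelocked fee change.
/// (Added example; hypothetical contract, not code from the original post.)
contract PausableTimelockedVault {
    uint256 public constant MIN_DELAY = 48 hours; // assumption: low end of the 48h-1 week range

    address public immutable owner;
    bool public paused;
    uint256 public feeBps;          // withdrawal fee in basis points
    uint256 public pendingFeeBps;   // queued value waiting for the timelock
    uint256 public pendingFeeEta;   // earliest execution time; 0 = nothing queued
    mapping(address => uint256) public balances;

    event FeeChangeQueued(uint256 newFeeBps, uint256 eta);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(uint256 initialFeeBps) { owner = msg.sender; feeBps = initialFeeBps; }

    // Emergency controls: halt user flows immediately, with no delay.
    function pause() external onlyOwner { paused = true; }
    function unpause() external onlyOwner { paused = false; }

    // Parameter changes go queue -> wait MIN_DELAY -> execute, so users can
    // see a pending change on-chain and exit before it takes effect.
    function queueFeeChange(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= 1_000, "fee above 10% cap");
        pendingFeeBps = newFeeBps;
        pendingFeeEta = block.timestamp + MIN_DELAY;
        emit FeeChangeQueued(newFeeBps, pendingFeeEta);
    }

    function executeFeeChange() external onlyOwner {
        require(pendingFeeEta != 0, "nothing queued");
        require(block.timestamp >= pendingFeeEta, "timelock active");
        feeBps = pendingFeeBps;
        pendingFeeEta = 0;
    }

    function deposit() external payable whenNotPaused { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external whenNotPaused {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;               // effects before the external call
        uint256 fee = amount * feeBps / 10_000;       // fee stays in the contract
        (bool ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "transfer failed");
    }
}

/// Foundry unit tests covering the edge cases item 1 asks for: the paused
/// path, the too-early execute path, and the fee arithmetic.
contract PausableTimelockedVaultTest is Test {
    PausableTimelockedVault vault;
    address user = address(0xBEEF); // constructed test account

    function setUp() public {
        vault = new PausableTimelockedVault(100); // 1% fee; the test contract is the owner
        vm.deal(user, 10 ether);
    }

    function test_DepositRevertsWhilePaused() public {
        vault.pause();
        vm.prank(user);
        vm.expectRevert(bytes("paused"));
        vault.deposit{value: 1 ether}();
    }

    function test_FeeChangeRespectsTimelock() public {
        vault.queueFeeChange(200);
        vm.expectRevert(bytes("timelock active"));
        vault.executeFeeChange();
        vm.warp(block.timestamp + 48 hours);
        vault.executeFeeChange();
        assertEq(vault.feeBps(), 200);
    }

    function test_WithdrawDeductsFee() public {
        vm.startPrank(user);
        vault.deposit{value: 1 ether}();
        uint256 before = user.balance;
        vault.withdraw(1 ether);
        vm.stopPrank();
        assertEq(user.balance - before, 0.99 ether);
    }
}
```

Run with `forge test`. The shape worth copying is the split between the two control types: `pause()` acts instantly because it only removes capability, while anything that changes economics (`feeBps`) is queued with a visible ETA and a hard cap, which is the documented rationale an auditor will look for under item 16.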

6. Flashloan & Front-running Protections

  • [ ] Identify and mitigate risks from flashloan attacks.
  • [ ] Front-running countermeasures (e.g., commit-reveal, off-chain signing) are implemented where applicable.
  • [ ] Include links to explanations or documentation.
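Two mitigations for item 6 as an added Solidity example (hypothetical contracts, not code from the original post): a sealed-bid auction using the commit-reveal pattern the item names, and a same-block guard, which is one common flash-loan mitigation chosen for the example rather than something the checklist prescribes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Sealed-bid auction using commit-reveal. During the commit phase the chain
/// only sees keccak256(abi.encode(bid, salt, bidder)), so a front-runner
/// watching the mempool cannot learn the bid and outbid it by one wei.
/// (Added example; hypothetical contract, not code from the original post.)
contract CommitRevealAuction {
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;

    mapping(address => bytes32) public commitments;
    mapping(address => uint256) public deposits;
    address public highestBidder;
    uint256 public highestBid;

    constructor(uint256 commitSeconds, uint256 revealSeconds) {
        commitDeadline = block.timestamp + commitSeconds;
        revealDeadline = commitDeadline + revealSeconds;
    }

    /// Computed off-chain by the bidder: keccak256(abi.encode(bid, salt, msg.sender)).
    /// Binding msg.sender into the hash stops a copycat replaying the same
    /// commitment from another account; the ETH sent caps the bid that can be revealed.
    function commit(bytes32 commitment) external payable {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
        deposits[msg.sender] = msg.value;
    }

    function reveal(uint256 bid, bytes32 salt) external {
        require(block.timestamp >= commitDeadline, "commit phase active");
        require(block.timestamp < revealDeadline, "reveal phase over");
        require(keccak256(abi.encode(bid, salt, msg.sender)) == commitments[msg.sender], "bad reveal");
        require(bid <= deposits[msg.sender], "bid exceeds deposit");
        delete commitments[msg.sender]; // one reveal per commitment
        if (bid > highestBid) {
            highestBid = bid;
            highestBidder = msg.sender;
        }
    }

    /// After settlement, losers reclaim their deposit; the winner reclaims only
    /// the excess above the winning bid, which stays in the contract as proceeds.
    function withdraw() external {
        require(block.timestamp >= revealDeadline, "auction not settled");
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        deposits[msg.sender] = 0; // effects before interaction
        if (msg.sender == highestBidder) amount -= highestBid;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Same-block guard against flash-loan driven manipulation: a flash loan must
/// be repaid inside one transaction, so refusing to close a position in the
/// block it was opened in breaks the borrow-deposit-exploit-withdraw-repay loop.
contract SameBlockGuardVault {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastDepositBlock;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        lastDepositBlock[msg.sender] = block.number;
    }

    function withdraw(uint256 amount) external {
        require(lastDepositBlock[msg.sender] < block.number, "wait one block after deposit");
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The same-block guard is a narrow control: it stops the atomic open-and-close pattern inside this contract but does nothing about prices the contract reads from elsewhere, which is an oracle-design question (item 17). Documenting exactly which of these two threats each control addresses is what the "include links to explanations" sub-item is asking for.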

GENERAL PROJECT READINESS

7. Review Meetings & Test Logs

  • [ ] Maintain meeting minutes for internal code reviews.
  • [ ] Combine with test reports to show active development oversight.

8. Public Code Repository

  • [ ] Repository is public.
  • [ ] Includes README, license, and contribution history.
  • [ ] Commits and contributions trace back to project’s development team.

9. Team Transparency

  • [ ] At least two team members are publicly doxxed (LinkedIn, personal site, or social media).
  • [ ] Optional: use pseudonymous verification if full doxxing isn’t feasible.

THIRD PARTY AUDITS

10. Security Audits

  • [ ] At least one independent audit completed.
  • [ ] Audit findings and responses are published.
  • [ ] If possible, conduct a second audit after fixes.
  • [ ] Use reputable audit firms (e.g., Trail of Bits, ConsenSys Diligence).

BUG BOUNTY PROGRAM

11. Program Setup

Choose one:

  • [ ] Internal: add a bug bounty page to your documentation with clear scope and payout terms.
  • [ ] External: use a platform like Immunefi or HackerOne.

12. Bounty Rewards

  • [ ] Active bounty program is live.
  • [ ] Recommended bounty tiers:
    • $100k+ or 10% of TVL: full marks
    • $50k+ or 5% of TVL: strong
    • $10k+ and active: good
  • [ ] Clearly state what is in scope and out of scope.

ON CHAIN & COMMUNITY ACTIVITY

13. Contract Usage

  • [ ] Encourage testnet use via community (Discord, faucet, tutorials).
  • [ ] Record testnet or mainnet interaction logs as proof of engagement.

DOCUMENTATION REQUIREMENTS

14. Smart Contract Addresses

  • [ ] Document all deployed contract addresses and networks (mainnet + testnet).

15. Testing Transparency

  • [ ] Explicitly link to or list:
    • Unit tests
    • System/integration tests
    • Code coverage results

16. Admin Controls

  • [ ] Describe upgrade and emergency control mechanisms.
  • [ ] Document owner roles, multisigs, governance, etc.

17. Oracle Integration

  • [ ] Specify if oracles are used and by which contracts.
  • [ ] Describe price feed mechanics, update intervals, and fail safes.
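The fail-safes item 17 asks you to describe are easier to document when they are explicit checks in code. The following added Solidity example (hypothetical contract, not code from the original post) reads a Chainlink-style feed through the real `AggregatorV3Interface` signature and enforces freshness, sign and sanity bounds; it assumes a Foundry project for the tests, and the staleness window and bounds are constructed values to be set per feed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Subset of Chainlink's AggregatorV3Interface, reproduced inline so the file is self-contained.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Price consumer whose fail-safes are explicit, so the documentation item 17
/// asks for can point at concrete checks. (Added example; hypothetical contract.)
contract GuardedPriceConsumer {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxStaleness; // feed heartbeat plus a margin (assumption: set per feed)
    int256 public immutable minAnswer;     // consumer-side sanity bounds, in feed decimals
    int256 public immutable maxAnswer;

    error StalePrice(uint256 updatedAt, uint256 nowTimestamp);
    error InvalidPrice(int256 answer);

    constructor(address feed_, uint256 maxStaleness_, int256 minAnswer_, int256 maxAnswer_) {
        feed = AggregatorV3Interface(feed_);
        maxStaleness = maxStaleness_;
        minAnswer = minAnswer_;
        maxAnswer = maxAnswer_;
    }

    /// Returns the latest price scaled to 18 decimals, reverting if any fail-safe trips.
    function getPrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        // Sign and bounds: a feed's own circuit breaker can pin the answer at
        // its min/max during a crash, so the consumer keeps its own limits.
        if (answer <= 0 || answer < minAnswer || answer > maxAnswer) revert InvalidPrice(answer);
        // Freshness: an answer older than heartbeat plus margin is not usable.
        if (updatedAt == 0 || block.timestamp - updatedAt > maxStaleness) revert StalePrice(updatedAt, block.timestamp);
        uint8 dec = feed.decimals();
        require(dec <= 18, "unsupported feed decimals");
        return uint256(answer) * 10 ** (18 - dec);
    }
}

/// Settable stand-in for a feed, used only by the tests below.
contract MockFeed is AggregatorV3Interface {
    int256 private _answer;
    uint256 private _updatedAt;

    function set(int256 answer, uint256 updatedAt) external { _answer = answer; _updatedAt = updatedAt; }
    function decimals() external pure returns (uint8) { return 8; }
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80) {
        return (1, _answer, _updatedAt, _updatedAt, 1);
    }
}

contract GuardedPriceConsumerTest is Test {
    MockFeed feed;
    GuardedPriceConsumer consumer;

    function setUp() public {
        vm.warp(1_700_000_000);
        feed = new MockFeed();
        // 8-decimal bounds of $0.01 to $1,000,000 and a 90-minute staleness window (constructed values)
        consumer = new GuardedPriceConsumer(address(feed), 90 minutes, 1e6, 1e14);
    }

    function test_FreshPriceIsScaledTo18Decimals() public {
        feed.set(2000e8, block.timestamp);
        assertEq(consumer.getPrice(), 2000e18);
    }

    function test_RevertsWhenPriceIsStale() public {
        uint256 published = block.timestamp;
        feed.set(2000e8, published);
        vm.warp(published + 2 hours);
        vm.expectRevert(abi.encodeWithSelector(GuardedPriceConsumer.StalePrice.selector, published, published + 2 hours));
        consumer.getPrice();
    }

    function test_RevertsWhenPriceIsNonPositive() public {
        feed.set(0, block.timestamp);
        vm.expectRevert(abi.encodeWithSelector(GuardedPriceConsumer.InvalidPrice.selector, int256(0)));
        consumer.getPrice();
    }
}
```

For the audit pack, the three constructor arguments are the numbers to document per feed: which heartbeat the staleness window is derived from, and why the bounds were chosen. A consumer that reverts on a stale or pinned answer needs a documented fallback (pause, secondary feed, or degraded mode), which ties this item back to the admin controls in item 16.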

18. Function Reference

  • [ ] Provide technical documentation for every public and external contract function.
  • [ ] Follow the format of Uniswap or Aave technical references if possible.

19. Traceability

  • [ ] Ensure documentation directly links to:
    • Code repository
    • Contract addresses
    • Test cases
    • Architecture diagrams (if available)

FINAL PACKAGING

  • [ ] Create an “Audit Pack” folder in your repository containing:
    • Test reports
    • Audit reports
    • Bug bounty terms
    • Admin control documentation
    • Links to external docs (oracles, functions, etc.)

By completing this checklist, your protocol will be better positioned to pass an audit efficiently and launch a credible bug bounty program. Beyond just scorekeeping, each item adds real security and transparency value for your users and stakeholders.

