{"id":21400577,"url":"https://github.com/cybersecurityup/smart-contracts-audit-checklist","last_synced_at":"2026-01-29T16:36:28.415Z","repository":{"id":256041894,"uuid":"854193195","full_name":"CyberSecurityUP/smart-contracts-audit-checklist","owner":"CyberSecurityUP","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-09T03:07:16.000Z","size":12,"stargazers_count":27,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-02T08:18:39.608Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CyberSecurityUP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-08T16:12:56.000Z","updated_at":"2025-05-22T20:04:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"be3afc67-d422-412d-afc4-c8e7828cc629","html_url":"https://github.com/CyberSecurityUP/smart-contracts-audit-checklist","commit_stats":null,"previous_names":["cybersecurityup/smart-contracts-audit-checklist"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CyberSecurityUP/smart-contracts-audit-checklist","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2Fsmart-contracts-audit-checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2Fsmart-contracts-audit-checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2Fsmart-contracts-audit-checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2Fsmart-contracts-audit-checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CyberSecurityUP","download_url":"https://codeload.github.com/CyberSecurityUP/smart-contracts-audit-checklist/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CyberSecurityUP%2Fsmart-contracts-audit-checklist/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28880980,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T10:31:27.438Z","status":"ssl_error","status_checked_at":"2026-01-29T10:31:01.017Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T15:23:04.973Z","updated_at":"2026-01-29T16:36:28.400Z","avatar_url":"https://github.com/CyberSecurityUP.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# smart-contracts-audit-checklist\n\n### **General Security**\n- [ ] **Audit**: Has the contract been reviewed by a third-party security audit?\n- [ ] **Review external contracts**: Does the contract interact securely with other external contracts?\n- [ ] **Check admin permissions**: Are administrative functions restricted to authorized users only?\n- [ ] **Secure contract upgrade process**: Is there a secure method for upgrading or migrating the contract?\n\n### **Input Validation**\n- [ ] **Validate user inputs**: Are all inputs from users properly validated to prevent issues like **injection** or **overflows**?\n- [ ] **Reentrancy**: Is the contract vulnerable to **reentrancy attacks**? Ensure functions update their internal state before making external calls.\n- [ ] **Test for Reentrancy**: Use automated tools like Slither to test for reentrancy vulnerabilities. Ensure functions update internal state before making external calls.\n- [ ] **Validate All Inputs**: Ensure all user inputs, including transaction amounts, addresses, and IDs, are validated to avoid common issues like overflow, underflow, or invalid entries.\n- [ ] **Test Invalid or Out-of-Order Transactions**: Test the contract’s ability to handle invalid transaction sequences, especially grouped transactions.\n\n### **Access Control**\n- [ ] **Check access restrictions**: Are only authorized users able to access critical functions or sensitive data?\n- [ ] **Correct function visibility**: Are functions marked with the correct visibility (`private`, `internal`, `public`)?\n- [ ] **Admin function protection**: Are critical administrative functions like `mint`, `burn`, and `pause` properly secured?\n- [ ] **Check Ownership and Admin Privileges**: Ensure that only authorized addresses can perform critical operations like minting, burning, staking, and withdrawal.\n- [ ] **Multisig Program**: Implement multisig mechanisms for key administrative operations to prevent malicious actions by a single admin.\n- [ ] **Role-based Function Access**: Test if the contract properly limits access to certain functions based on roles, like signatory and validator.\n\n### **Integer Overflows/Underflows**\n- [ ] **Validate arithmetic calculations**: Are all arithmetic operations protected from **overflows** and **underflows**? Is `SafeMath` or equivalent being used?\n\n### **Timestamp Dependency**\n- [ ] **Check usage of `block.timestamp`**: Does the contract rely on `block.timestamp` in a way that could be manipulated by miners?\n\n### **Time-Based Attacks**\n- [ ] **Timestamp Dependence**: Check for reliance on `block.timestamp` and ensure it cannot be manipulated by miners to gain unfair advantages.\n- [ ] **Pool Start and End Date Validation**: Confirm that pool start dates are properly validated to prevent issues where a pool starts in the past.\n\n### **Arithmetic Safety**\n- [ ] **Integer Overflow and Underflow**: Verify that arithmetic operations in the contract are protected using libraries like `SafeMath` or similar mechanisms. Check for missing underflow protection as identified in Yieldly audits.\n\n### **Governance**\n- [ ] **DAO and Governance Attacks**: Test for possible governance manipulation where attackers could execute critical actions like upgrading contracts, minting new tokens, or changing protocol rules.\n- [ ] **Threshold Validation for Voting**: Verify that threshold limits are properly defined and applied in voting mechanisms for signatory and validator roles.\n\n### **External Call Failures**\n- [ ] **Validate external calls**: Does the contract properly check the return values of external calls to ensure execution halts on failure?\n- [ ] **Call and Delegatecall**: Are functions using `call()` or `delegatecall()` implemented securely to avoid malicious code execution?\n- [ ] **Unchecked External Calls**: Ensure that external calls are properly validated and that the contract does not proceed after failed external calls.\n- [ ] **Proxy Contract Validation**: Verify that the contract utilizes proxy contracts securely. Ensure that transactions routed through the proxy cannot be bypassed.\n\n### **Gas Manipulation**\n- [ ] **Gas limits**: Are contract functions designed to stay within gas limits? Are long-running loops avoided to prevent gas exhaustion?\n- [ ] **Efficient gas usage**: Ensure that gas is not wasted unnecessarily, particularly in critical functions.\n\n### **Token Management**\n- [ ] **ERC20/721 compliance**: Are the token contracts (ERC20, ERC721) following the proper standards?\n- [ ] **Transfer permissions**: Can transfer functions be manipulated? Does the contract handle permissions and limits correctly?\n\n### **Insecure Randomness**\n- [ ] **Randomness generation**: If the contract generates random numbers, are they generated securely to avoid manipulation?\n\n### **Denial of Service (DoS)**\n- [ ] **Test DoS resistance**: Can the contract be locked or rendered unusable by malicious transactions that consume excessive gas or halt critical functions?\n- [ ] **Loops in functions**: Ensure that functions looping over arrays or lists do not allow attackers to exhaust gas limits.\n\n### **State Management**\n- [ ] **Storage and data access**: Ensure the contract is storing and accessing data efficiently.\n- [ ] **State updates**: Does the contract correctly update its state after each transaction?\n\n### **Front-running Attacks**\n- [ ] **Prevent front-running**: Can important transactions be manipulated or reordered by front-running attacks?\n\n### **Phishing Attacks**\n- [ ] **Protect against phishing**: Test how the contract handles interactions with user interfaces that may deceive users.\n\n### **Randomness Vulnerabilities**\n- [ ] **Test randomness sources**: Are random numbers generated using secure and unpredictable sources to prevent manipulation?\n\n### **Emergency Functions**\n- [ ] **Implement Emergency Withdraw**: Confirm that users have access to emergency withdrawal functions to recover funds if a contract enters an unexpected state. Ensure admin privileges on emergency actions are not overly restrictive.\n\n### **Staking, Pools, and Rewards**\n- [ ] **Reward Calculation Verification**: Test if staking rewards and pool ratios are calculated correctly after staking and withdrawing actions. Ensure that updates to rewards are triggered as expected.\n- [ ] **Dynamic Testing for Pool Operations**: Perform dynamic tests to ensure that pool ratios and user claimable amounts are updated correctly.\n\n### **Oracle Manipulation**\n- [ ] **Secure oracle usage**: If the contract relies on external oracles, are they protected against manipulation?\n- [ ] **Secure Randomness**: Ensure that random number generation is not predictable or manipulable, especially in lottery or staking functionalities.\n- [ ] **Oracle Manipulation**: Test contracts for potential oracle manipulation that could lead to pricing or staking rewards being incorrectly calculated.\n\n### **OWASP-related Vulnerabilities for Smart Contracts**\n- [ ] **Proper data validation**: Are inputs and outputs validated properly to prevent data integrity issues?\n- [ ] **Correct cryptography implementation**: Are cryptographic methods and hashing applied according to best practices?\n- [ ] **Access control and authentication**: Are there any vulnerabilities allowing unauthorized users to access restricted functions?\n- [ ] **Injection mitigation**: Ensure the contract is not vulnerable to data or command injection.\n\n### **Manual Testing Considerations**\n- [ ] **Admin Bypass Testing**: Attempt to bypass admin privileges or role restrictions by manipulating function parameters or transaction sequences.\n- [ ] **Test Role-based Enhancements**: Verify that role-based enhancements are structured properly, ensuring that only authorized users can perform specific actions.\n\n### **Tools to Automate Smart Contract Testing**\n- [ ] **MythX**: Automatically analyze contracts for common vulnerabilities.\n- [ ] **Slither**: Detect logic vulnerabilities, reentrancy issues, and gas optimizations.\n- [ ] **Manticore**: Symbolic execution and fuzzing tool for smart contracts.\n- [ ] **Oyente**: Static analyzer to find issues like reentrancy, uncontrolled loops, and others.\n\n### **Smart Contract Best Practices**\n- [ ] **Adhere to Versioning**: Ensure the contract explicitly defines the Solidity or Algorand version (`pragma version`) being used to avoid unintended behavior during compilatio.\n- [ ] **Boundaries for Function Parameters**: Check that input values for functions have well-defined boundaries, such as ensuring array sizes or transaction amounts are reasonable.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybersecurityup%2Fsmart-contracts-audit-checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcybersecurityup%2Fsmart-contracts-audit-checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcybersecurityup%2Fsmart-contracts-audit-checklist/lists"}