{"id":18602441,"url":"https://github.com/softstack/solidity-audit-checklist","last_synced_at":"2025-05-16T17:34:43.725Z","repository":{"id":134462559,"uuid":"529176618","full_name":"softstack/solidity-audit-checklist","owner":"softstack","description":null,"archived":false,"fork":false,"pushed_at":"2022-08-26T08:26:40.000Z","size":2,"stargazers_count":7,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-11T12:56:20.855Z","etag":null,"topics":["audit","avax","bsc","polygon","smart-contracts","solidity"],"latest_commit_sha":null,"homepage":"https://chainsulting.de","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/softstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-26T08:26:39.000Z","updated_at":"2025-03-08T12:46:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"a2074990-654a-4bd0-ba25-0ca27f2f190c","html_url":"https://github.com/softstack/solidity-audit-checklist","commit_stats":null,"previous_names":["softstackhq/solidity-audit-checklist","softstack/solidity-audit-checklist"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Fsolidity-audit-checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Fsolidity-audit-checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Fsolidity-audit-checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/softstack%2Fsolidity-audit-checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/softstack","download_url":"https://codeload.github.com/softstack/solidity-audit-checklist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254576938,"owners_count":22094484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","avax","bsc","polygon","smart-contracts","solidity"],"created_at":"2024-11-07T02:11:23.761Z","updated_at":"2025-05-16T17:34:43.705Z","avatar_url":"https://github.com/softstack.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr /\u003e\n  \u003cimg src=\"https://user-images.githubusercontent.com/168240/40218684-0e4f3e12-5a27-11e8-8a4f-ef2e4af685bd.png\" alt=\"Solidity Audit Checklist\" width=\"700\" /\u003e\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n\u003c/h1\u003e\n\n\u003e A checklist of things to look for when auditing Solidity smart contracts.\n\nThis is not a comprehensive list, and Solidity is evolving quickly, so please do your own due diligence.\n\nNot all listed items will apply to your specific smart contract.\n\nIn no particular order:\n\n- [ ] All functions are `internal` except where explicitly required to be `public`/`external`. 
[[?](https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7)]\n- [ ] There are no arithmetic overflows/underflows in math operations.\n- [ ] Using the OpenZeppelin safe math library [[?](https://github.com/OpenZeppelin/openzeppelin-solidity/tree/master/contracts/math)] on compilers before 0.8; on 0.8+ arithmetic is checked by default, so review every `unchecked` block instead.\n- [ ] Ether or tokens cannot be accidentally sent to the address `0x0`.\n- [ ] Conditions are checked using `require` before operations and state changes.\n- [ ] State is updated before any external call is made (checks-effects-interactions).\n- [ ] Protected from reentrancy attacks (A calling B calling A). [[?](https://medium.com/@gus_tavo_guim/reentrancy-attack-on-smart-contracts-how-to-identify-the-exploitable-and-an-example-of-an-attack-4470a2d8dfe4)]\n- [ ] Properly implements the ERC20 interface [[?](https://github.com/ethereum/eips/issues/20)].\n- [ ] Modifiers are only introduced where the same check is needed in more than one place.\n- [ ] All types are explicitly set (e.g. using `uint256` instead of `uint`).\n- [ ] All methods and loops stay within the block gas limit (no unbounded loops over user-controlled arrays).\n- [ ] There are no unnecessary initializations in the constructor (remember, default values are set).\n- [ ] There is complete test coverage; every smart contract method and every possible type of input is tested.\n- [ ] Performed fuzz testing using random inputs.\n- [ ] Tested all the possible states that the contract can be in.\n- [ ] Ether and token amounts are handled in wei (the smallest unit).\n- [ ] The crowdsale end block/timestamp comes after the start block/timestamp.\n- [ ] The crowdsale token exchange/conversion rate is properly set.\n- [ ] The crowdsale soft/hard cap is set.\n- [ ] The crowdsale min/max contribution allowed is set and tested.\n- [ ] The crowdsale whitelisting functionality is tested.\n- [ ] The crowdsale refund logic is tested.\n- [ ] Crowdsale participants are given their proportional token amounts or are allowed to claim their contribution.\n- [ ] The length of each stage of the crowdsale is properly configured 
(e.g. presale, public sale).\n- [ ] Specified which functions are intended to be controlled by the owner only (e.g. pausing the crowdsale, progressing the crowdsale stage, enabling distribution of tokens, etc.).\n- [ ] The crowdsale vesting logic is tested.\n- [ ] The crowdsale has a fail-safe mode that, when enabled by the owner, restricts calls to functions and enables refund functionality.\n- [ ] The crowdsale has a fallback function in place if it makes reasonable sense.\n- [ ] The fallback function does not accept call data or only accepts prefixed data to avoid function signature collisions.\n- [ ] Imported libraries have been previously audited and don't contain dynamic parts that can be swapped out in future versions and used maliciously. [[?](http://swende.se/blog/Devcon1-and-contract-security.html)]\n- [ ] Token transfer statements are wrapped in a `require` (or go through a safe-transfer wrapper, since some tokens return no boolean at all).\n- [ ] Using `require` and `assert` properly. Only use `assert` for things that should never happen, typically to validate invariants after making changes.\n- [ ] Using `keccak256` instead of the alias `sha3`.\n- [ ] Protected from the ERC20 short address attack. [[?](https://vessenes.com/the-erc20-short-address-attack-explained/)]\n- [ ] Protected from recursive call attacks.\n- [ ] Arbitrary string inputs have length limits.\n- [ ] No secret data is exposed (all data on the blockchain is public, including `private` state variables).\n- [ ] Arrays are avoided where possible; mappings are used instead.\n- [ ] Does not rely on block hashes for randomness (miners/validators have influence on this).\n- [ ] Does not use `tx.origin` anywhere (in particular not for authorization). 
[[?](https://vessenes.com/tx-origin-and-ethereum-oh-my/)]\n- [ ] Array items are shifted down when an item is deleted to avoid leaving a gap.\n- [ ] Use `revert` instead of `throw`.\n- [ ] Functions exit immediately when conditions aren't met.\n- [ ] Using the latest stable version of Solidity.\n- [ ] Prefer the pattern where the recipient withdraws funds instead of the contract sending funds, although this is not always applicable.\n- [ ] All compiler warnings are resolved.\n\n\n## Resources\n\n- [Smart contract best practices](https://github.com/ConsenSys/smart-contract-best-practices)\n- [Solidity idiosyncrasies](https://github.com/miguelmota/solidity-idiosyncrasies)\n- [Solidity security considerations](http://solidity.readthedocs.io/en/develop/security-considerations.html)\n- [Methodological security review of a smart contract](https://ethereum.stackexchange.com/questions/8551/methodological-security-review-of-a-smart-contract)\n- [List of helper/utility functions](./UTILS.md)\n\n## License\n\nMIT","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftstack%2Fsolidity-audit-checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoftstack%2Fsolidity-audit-checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftstack%2Fsolidity-audit-checklist/lists"}
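Worked example, added here and not code from the softstack/solidity-audit-checklist repository, showing several of the checklist items side by side: reentrancy (A calling B calling A), state updated before the external call, the recipient-withdraws pattern, an owner-only function, the `0x0` guard, and token transfers wrapped in `require`. All contract and interface names (`VulnerableVault`, `HardenedVault`, `Attacker`, `IERC20Minimal`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ERC20 surface used by the example (not the checklist's code).
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Deliberately vulnerable: sends ether BEFORE zeroing the balance, so a
/// receiving contract's receive() can re-enter payout() and drain the pool.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function payout() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first ...
        require(ok, "send failed");
        balances[msg.sender] = 0;                          // ... state change last
    }
}

/// Hardened: checks-effects-interactions, recipient pulls funds, reentrancy
/// guard, owner-only token sweep with a 0x0 guard and a checked return value.
contract HardenedVault {
    mapping(address => uint256) public balances;
    address public immutable owner;
    bool private locked;

    constructor() {
        owner = msg.sender;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
    }

    // Recipient withdraws; the contract never pushes ether on its own initiative.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");       // check
        balances[msg.sender] = 0;                         // effect, before the call
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "send failed");
    }

    // Owner-only, explicit zero-address guard, transfer result wrapped in require.
    function sweepToken(IERC20Minimal token, address to, uint256 amount) external nonReentrant {
        require(msg.sender == owner, "not owner");
        require(to != address(0), "zero address");
        require(token.transfer(to, amount), "token transfer failed");
    }
}

/// Attacker that demonstrates the reentrancy against VulnerableVault: every
/// incoming payment re-enters payout() while balances[attacker] is still unzeroed.
contract Attacker {
    VulnerableVault public target;

    constructor(VulnerableVault _target) {
        target = _target;
    }

    function attack() external payable {
        target.deposit{value: msg.value}();
        target.payout();
    }

    receive() external payable {
        // Keep re-entering while the vault can still pay another full share.
        if (address(target).balance >= msg.value) {
            target.payout();
        }
    }
}
```

To reproduce the drain in a local node: deploy `VulnerableVault`, fund it from a few accounts via `deposit()`, then deploy `Attacker` and call `attack()` with a small value; the vault balance ends near zero. Running the same sequence against `HardenedVault` reverts at the guard, and even without the guard the zeroed balance means the nested `withdraw()` fails its `require`.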