NOTE: All the resources in this repo are for educational purposes only and have been curated especially for developers and auditors. Developers should use them to build more secure applications. Auditors should benefit from these resources as well, using them to learn and secure systems, but they should not rely solely on checklists. Auditors should always adapt checklists to their specific context and prioritize a deep understanding of systems and security principles over rigid reliance on lists. This repository is a community effort, a collection of humble contributions from security researchers around the world. Thanks and respect to everyone who shares their knowledge to help make blockchain applications safer for all.
- General Smart Contract Security & Audit Checklists
- ERC Standards & Edge Cases
- Bridges, Interoperability & Multichain
- DeFi Protocols
- Protocols Integration Security
- Proxies & Upgradability
- Signature Attacks
- Governance
- Chains Specific Security
- Wallets Security
- Other/Uncategorized
- Support
- Contribution
## General Smart Contract Security & Audit Checklists

- Solodit Checklist — by Cyfrin
An actionable checklist for auditing and reviewing Solidity smart contracts.
- Ultimate Security Checklist — by Beirao
A comprehensive checklist covering all essential aspects of smart contract security.
- General Audit Checklist — by Tamjid
A general-purpose checklist for smart contract audits, covering common vulnerabilities.
- SCSVS - Smart Contract Security Verification Standard — by Composable Security
A standardized framework for verifying the security of smart contracts.
- Smart Contract Security — by Rareskills
An in-depth article on smart contract security concepts and best practices.
- Auditors Checklist — by Cyfrin
A curated list of audit checklists from different auditors.
- Pre-Audit Preparation — by Composable Security
Tips and steps to prepare your project for a successful smart contract audit.
- Development Security Toolkit — by Nascent
A toolkit of scripts, resources and checklists for enhancing security during smart contract development.
- Multisig Security Best Practices — by Mudit Gupta
Video guide covering security best practices for implementing and managing multi-signature wallets and governance systems.
- Bug Report Submission Checklist — by Immunefi
Guidelines for submitting effective and complete bug reports.
- Anti-Hack Checklist — by QuillAudits
A checklist focused on preventing hacks in DeFi protocols.
- Crisis Handbook: Smart Contract Hack — by SEAL
A checklist to follow when a protocol gets hacked, for handling a smart contract hack crisis.
- Practical Security Measures for Web3 Founders — by Mehdi SigmaPrime
A must-watch video on practical security measures for every Web3 founder, developer and researcher.
## ERC Standards & Edge Cases

- Weird ERC20 Implementations — by d-xo
A list of unusual or non-standard ERC20 token implementations.
- Weird ERC721 Implementations — by ABA
Examples of non-standard and quirky ERC721 contracts.
- ERC721 Security Thread — by Olympix
A Twitter thread discussing ERC721-specific security issues.
- ERC4626 Security Checklist — by Solthodox
A checklist for auditing ERC4626 (tokenized vault) contracts.
- ERC4626 Rounding Issues — by Sammy
A Twitter thread highlighting rounding errors in ERC4626 implementations.
- ERC4626 Vault Security Primer — by DevDacian
The biggest ERC4626 checklist: more than 350 direct vulnerabilities, many pitfalls, integration errors and more.
- ERC4337 Security Checklist — by Aviggiano
Security checklist for ERC4337 (account abstraction) contracts.
- Core Node Security Guide — by Sigma Prime
A comprehensive security engineer's guide to reviewing core blockchain nodes, covering systematic approaches to conducting thorough security reviews of blockchain node implementations like Reth.
- Blockchain Security Thread — by Misbah
Twitter thread covering general blockchain security considerations and best practices.
## Bridges, Interoperability & Multichain

- Interoperability Protocol Security Checklist — by Windhustler
A checklist for securing interoperability protocols (LayerZero, CCIP, Wormhole, etc.) and cross-chain solutions.
- Multichain Auditor — by 0xJuancito
A repository with resources and tools for auditing multichain protocols.
- Cross-chain Bridge Security Checklist — by Spearbit
Checklist for auditing the security of cross-chain bridges.
- Blockchain Bridge Vulnerabilities — by the-caliber
Repository documenting various blockchain bridge vulnerabilities and security considerations for cross-chain bridge implementations.
- LayerZero Security Research — by Guardian Audits
Encyclopedia entry covering LayerZero protocol security research, vulnerabilities, and integration considerations.
## DeFi Protocols

- AMM Audit Checklist — by Decurity
A checklist for auditing AMM smart contracts.
- AMM Security & Audit Insights — by Millie Tez
An in-depth article on security considerations and audit tips for Automated Market Maker protocols.
- CDP Audit Checklist — by Decurity
Checklist for auditing Collateralized Debt Positions.
- LSD Audit Checklist — by Decurity
Checklist for auditing LSD protocols.
- Guidelines for Auditing Staking Protocols — by QuillAudits
A useful reference for auditing staking protocols that can help you identify potential bugs.
- LSDs Best Practices — by MixBytes
Security analysis and best practices for liquid staking derivatives.
- Liquid Restaking Tokens — by Sigma Prime
An article on security considerations for liquid restaking tokens (LRTs).
- Liquidation Vulnerabilities — by Dacian
Analysis of vulnerabilities in DeFi liquidation mechanisms.
- CLM Vulnerabilities — by Dacian
Security issues and risks in concentrated liquidity managers.
- Slippage Attacks — by Dacian
Explanation of slippage attacks in DeFi and how to prevent them.
- Precision Loss Errors — by Dacian
Discussion of errors caused by precision loss in smart contracts.
## Protocols Integration Security

- External Integrations: The Hidden Risk in Smart Contracts — by CharlesWang
General external integration best practices and security risks.
- Across V3 Security Checklist — by TradMod (ABDul Rehman)
A detailed checklist for auditing the security of Across V3 cross-chain messaging protocol integrations.
- LayerZero V2 Security Checklist — by windhustler
A detailed checklist for auditing the security of LayerZero V2 cross-chain messaging protocol integrations.
- Wormhole Security Checklist — by windhustler
A comprehensive audit checklist for Wormhole bridge integrations, highlighting key risks and best practices.
- Chainlink CCIP Security Checklist — by windhustler
A thorough checklist for reviewing and securing Chainlink CCIP (Cross-Chain Interoperability Protocol) implementations.
- Berachain Oracle Bugs — by blckhv
Twitter thread detailing bugs found in Berachain's oracle implementation.
- Stargate v2 Integration Checklist — by EngimaDark/Windhustler
Security checklist for Stargate V2 contract integrations.
- Questions To Ask Before Writing a Uniswap v4 Hook — by OpenZeppelin
This guide outlines key considerations when designing a Uniswap V4 hook to suit your specific needs.
- Uniswap V4 Hooks Security Talk — by Damian (Composable Security)
A detailed presentation on Uniswap V4's architecture and the main security threats and best practices when building custom hooks.
- Uniswap V4 Hooks Security Deep Dive — by Jota Carpanelli (OpenZeppelin)
A technical walkthrough of Uniswap V4 hooks, including how to build, test, and secure custom hooks.
- Auditing Uniswap V4 Hooks — by Hacken
An article outlining the main audit considerations, attack vectors, and recommendations for Uniswap V4 hook integrations.
- Uniswap V4 Hooks Security Considerations — by QuillAudits
A breakdown of the new security challenges and mitigation strategies for Uniswap V4 and its hooks.
- Uniswap V4 Hooks Integration Security Considerations — by CertiK
A blog post analyzing the unique security risks introduced by hooks in Uniswap V4 and how to address them.
- Uniswap V3/V4 Security — by Guardian Audits
Comprehensive security research and analysis of the Uniswap V3 and V4 protocols, covering integration risks and security considerations.
## Proxies & Upgradability

- Upgradable Patterns — by Daniel Von Fange
Video explaining common patterns for upgradable smart contracts.
- Upgradable Contracts Twitter Thread — by Pashov Krum
Twitter thread discussing upgradability and proxy contract security.
- UUPS Proxy Security — by Rareskills
Article analyzing the security of the UUPS proxy pattern in Solidity.
## Signature Attacks

- Signature Replay Attacks — by Dacian
In-depth explanation of signature replay attacks in smart contracts.
- Signatures — by Coinmonks (Medium)
A beginner-friendly guide to Ethereum signatures and their security implications.
- Signature Replays — by Dacian
General overview of replay attack vectors and prevention.
## Governance

- DAO Governance Attacks — by Dacian
Analysis of attacks and vulnerabilities in DAO governance mechanisms.
- DAO Governance Security — by Sigma Prime
Common vulnerabilities in protocol governance and DAOs, covering reentrancy, insider threats, flash loan voting, proposal execution issues, and other governance-specific attack vectors.
## Chains Specific Security

- Multichain Auditor — by 0xJuancito
A repository with resources and tools for auditing multichain protocols.
- Solana Program Security Guide — by Helius
A comprehensive hitchhiker's guide to Solana program security, covering common vulnerabilities, attack vectors, and mitigation strategies for intermediate/advanced developers building on Solana.
- Solana Best Practices — by Slowmist
Best practices for securing Solana smart contracts.
- SPL Token-2022 — by Neodyme
Potential security pitfalls and best practices for secure implementation of the new Solana SPL token extensions.
- Solana Not-So-Smart Contracts — by ToB Secure Contracts
Examples of security issues in Solana contracts.
- Solana Advanced Security — by Nirlin
Advanced security topics for Solana developers.
- Arbitrum Integration Bugs — by Windhustler
Arbitrum security pitfalls and integration guide.
- Algorand Not-So-Smart Contracts — by ToB Secure Contracts
Security pitfalls and real-world issues in Algorand contracts.
- Starknet Not-So-Smart Contracts — by ToB Secure Contracts
Examples of vulnerabilities in Starknet (Cairo) contracts.
- Cosmos Not-So-Smart Contracts — by ToB Secure Contracts
Security issues and case studies in Cosmos contracts.
- Substrate Not-So-Smart Contracts — by ToB Secure Contracts
Security analysis of Substrate-based smart contracts.
- Ton Not-So-Smart Contracts — by ToB Secure Contracts
Security vulnerabilities in TON smart contracts.
- Ton Security Checklists — by PositiveSecurity
Checklist for auditing TON smart contracts.
- Checklist for Auditing Tron Projects — by PositiveSecurity
A guide to common bugs and integration pitfalls in Tron contracts.
- Blast Integration Guide — by Nirlin
A guide to common bugs and integration pitfalls in Blast.
- Near Smart Contracts Checklist — by Near Docs
A list of security considerations for Near smart contracts.
- BNB Chain Security Tips — by Cantina
Top 15 security recommendations for BNB Chain developers, covering vulnerability patterns, exploit defenses, and secure engineering practices specific to BNB Chain development.
## Wallets Security

- Web3 Wallet Security Checklist — by BlockApex
A practical checklist covering best practices for securing Web3 wallets.
- All Wallet Security Checklist — by SlowMist
A comprehensive checklist for auditing and securing various types of crypto wallets.
- Account Abstraction — by MixBytes
An article exploring security considerations for account abstraction.
- Account Abstraction Audit Checklist — by Slowmist
Audit checklist for account abstraction wallets.
- Crypto Wallet Security Assessment Checklist — by Certik
A checklist outlining key steps and best practices for assessing the security of crypto wallets.
- Web3 Wallet Security Checklist — by BlockApex
A practical checklist covering best practices for securing Web3 wallets and wallet security assessment methodologies.
## Other/Uncategorized

- Oracle Security Thread — by @0xjmaria
Twitter thread detailing oracle-specific security considerations and vulnerabilities.
- Oracles and Pricing Security — by Sigma Prime
Comprehensive guide to common vulnerabilities in oracles and pricing feeds, covering spot pricing attacks, homegrown oracle issues, time delays, gas congestion, and price manipulation techniques.
- Solidity Gas Optimizations — by TechnoGeek01
A curated list of gas-saving techniques and best practices for Solidity smart contract development.
- 2020 Smart Contract Security Paper — by Nicola (arXiv)
Academic paper reviewing the state of smart contract security as of 2020.
- Chainlink Oracle Attacks — by Cyfrin
Article on past attacks and vulnerabilities involving Chainlink oracles.
- Chainlink VRF Security — by Chainlink
Official documentation on the security model of Chainlink's Verifiable Random Function.
- SWC Registry — by SWC Registry
A comprehensive database of known smart contract vulnerabilities, each with a unique identifier and detailed description.
- Solidity Inline Assembly Vulnerabilities — by Dacian
Security risks and pitfalls when using inline assembly in Solidity.
- Solidity DevSecOps Standard — by 0xsomnus
DevSecOps best practices and standards for Solidity development.
- How To Multisig — by SEAL/fredrik
Best practices on how to implement secure standard operating procedures for multisigs.
- CREATE/CREATE2 Security Pitfalls — by MixBytes
Analysis of security pitfalls when using the CREATE, CREATE2, and EXTCODESIZE opcodes in smart contract development.
- EIP-7702 Security Considerations — by Tincho/Red Guild
Video discussion on security implications and considerations for EIP-7702 implementation.
## Support

If you want to support this repo and its contributors, you can do it on the Terminal. Thanks!

## Contribution

If you'd like to contribute, reach out on X, or simply create a PR anon :)