// the find
tamjid0x01/SmartContracts-audit-checklist
A checklist of things to look for when auditing Solidity smart contracts.
A Markdown checklist for auditing Solidity smart contracts, organized by category: variables, functions, modifiers, external calls, events, and DeFi-specific concerns. It's a starting point for auditors entering the space, not a substitute for tooling or experience. The repo doubles as a resource list pointing to public audit reports and platforms.
The categorized structure (V1-V10, F1-F19, C1-C51, etc.) makes it easy to run through mechanically without missing sections. The DeFi section specifically calls out practical gotchas like rebasing tokens, fee-on-transfer tokens, and AMM spot price oracle abuse — these are the ones that actually bite people. The links to public audit reports from Consensys, Trail of Bits, and OpenZeppelin are genuinely useful for learning what real findings look like. SWC reference numbers are included inline, so you can look up the spec for any item that's unclear.
Stale in several places: still recommends SafeMath when Solidity 0.8+ checked arithmetic makes it unnecessary for most cases, and some items reference patterns that have been superseded (e.g. the `address.transfer()` warning is good, but the fix it suggests — `.call.value(...)` — uses old syntax). There's no code, no tests, and no tooling — it's purely a README, so there's nothing to run or integrate into a CI pipeline. Last updated October 2023, so it's missing anything from the past two years of DeFi exploits (cross-chain bridge attacks, ERC-4626 inflation attacks, transient storage footguns from EIP-1153). The crowdsale section takes up significant space for a contract pattern that's largely obsolete.
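To make the two points above concrete (the DeFi gotchas the checklist calls out, and the stale arithmetic and ETH-transfer advice), here is an added example that is not from the checklist repo. It shows the current forms of three items an auditor would check for: balance-difference accounting so a fee-on-transfer or rebasing token is credited for what actually arrived, Solidity 0.8 checked arithmetic with an explicit `unchecked` block only where overflow is impossible, and a pull-payment ETH withdrawal using `call{value: ...}("")` with effects applied before the external call. The contract name `VaultExample`, the minimal `IERC20` interface, and the storage layout are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for this example (assumed; real tokens may differ).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative vault, not code from the audited checklist repository.
contract VaultExample {
    IERC20 public immutable token;                  // assumed ERC-20; may charge a fee on transfer
    mapping(address => uint256) public shares;      // token units actually received per depositor
    mapping(address => uint256) public ethCredits;  // ETH owed to each address, paid via pull pattern

    error TransferFailed();
    error NothingToWithdraw();

    constructor(IERC20 _token) {
        token = _token;
    }

    // Fee-on-transfer safe deposit: credit the balance delta, not the requested amount.
    // A token that burns or skims on transfer would otherwise inflate the depositor's claim.
    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        bool ok = token.transferFrom(msg.sender, address(this), amount);
        if (!ok) revert TransferFailed();
        // 0.8 checked subtraction: reverts if the balance somehow went down (e.g. a rebase).
        uint256 received = token.balanceOf(address(this)) - before;
        shares[msg.sender] += received;
    }

    // Incoming ETH is recorded as a credit; nothing is pushed to any address here.
    receive() external payable {
        ethCredits[msg.sender] += msg.value;
    }

    // Pull-payment withdrawal using the current call syntax rather than transfer() or .call.value().
    // transfer() forwards a fixed 2300 gas stipend, which breaks for contract recipients whose
    // receive() does any storage work; call{value:} forwards all gas, so state is updated first.
    function withdrawEth() external {
        uint256 owed = ethCredits[msg.sender];
        if (owed == 0) revert NothingToWithdraw();
        ethCredits[msg.sender] = 0;                      // effects before interaction
        (bool ok, ) = msg.sender.call{value: owed}("");  // interaction last
        if (!ok) revert TransferFailed();
    }

    // Loop counter that cannot realistically overflow; unchecked skips only the 0.8 overflow
    // check on the increment. The accumulation into `total` stays checked.
    function sumShares(address[] calldata holders) external view returns (uint256 total) {
        for (uint256 i = 0; i < holders.length; ) {
            total += shares[holders[i]];
            unchecked {
                ++i;
            }
        }
    }
}
```

Two caveats a reviewer would raise on this pattern: the balance-delta approach assumes the token's `balanceOf` is honest for the vault's own address, so it protects against fee-on-transfer tokens but not against a malicious token contract; and the `IERC20.transferFrom` call declared here as returning `bool` will revert against tokens that return nothing, which is why production code typically wraps such calls in a SafeERC20-style helper that tolerates both conventions.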