Audit Checklist

Reentrancy Protection

All functions that send Ether or tokens to external addresses must follow the Checks-Effects-Interactions pattern.

Verify that state variables are updated before any external calls are made. Use transfer/send methods or reentrancy guards where necessary.

Access Control

Critical state-changing functions (e.g., setOwner, pause, upgrade, mint) must be guarded by proper access modifiers (e.g., onlyOwner, onlyRole).

Check that function visibility is correctly set (e.g., internal, external, private).

Integer Overflow/Underflow

All arithmetic operations, especially those based on user input, must be safe.

For Solidity >= 0.8.0, verify the compiler's default overflow checks are not disabled. For older versions, ensure the use of SafeMath libraries.

Denial-of-Service (DoS)

Operations must not iterate over unbounded arrays or map sizes that could be arbitrarily inflated by a malicious user, leading to excessive gas costs.

Check all loops to ensure iteration counts are fixed or restricted.

External Call Security

All interactions with unknown or untrusted external contracts are handled safely.

Ensure that results of external calls are checked and fail gracefully if necessary. Use call wrappers to limit reentrancy risk.

Visibility

State variables and functions intended for internal use must be declared private or internal.

Review all function and variable declarations for accidental public exposure.

Functional Specification

The contract logic precisely matches the intended business logic and all requirements documented in the functional specification.

Verify contract against all use cases and edge cases defined in the project scope.

State Transitions

The contract's state (e.g., token balances, operational phase) transitions correctly and predictably.

Trace critical functions (transfer, claim, lock) to ensure state variables update correctly.

Error Handling

All potential failure points are handled gracefully with clear, descriptive error messages.

Ensure that require() or revert() statements are used everywhere necessary and that custom error codes are defined and leveraged.

Event Emission

All critical state changes and value transfers must emit an appropriate Event to allow for off-chain monitoring, indexing, and UI responsiveness.

Verify that an Event is emitted for every action that changes a user-facing state.

Slither

Detects various security vulnerabilities (e.g., reentrancy, unprotected calls, misuses of msg.sender) and code optimization issues.

Must be executed with all security and efficiency detectors enabled.

Mythril

Performs symbolic execution to find potential execution paths that could lead to vulnerabilities (e.g., integer overflows, assertion failures).

Must be run using its security analysis modes (e.g., full scan, execution path analysis).

Solhint

Enforces code style and security best practices, ensuring clean and maintainable code.

Must pass all configured security and style rulesets without warnings.