Checklists
These checklists are starting points for real review work. Adapt them to the protocol, chain, custody model, and threat profile.
| Checklist | Use before |
|---|---|
| Pre-Audit Readiness | Sending code to external auditors or contests. |
| Launch Readiness | Deploying or upgrading production systems. |
| Post-Launch Operations | Running a live protocol. |
| Frontend Security | Shipping user-facing dapps. |
| Supply Chain Security | Trusting dependencies, CI/CD, and build artifacts. |
| Multisig and Governance | Assigning privileged authority. |
| Wallet Security | Protecting users and signers. |
| SOC and Incident Response | Monitoring and responding to incidents. |
| Bug Bounty Readiness | Opening public vulnerability disclosure. |
| Account Abstraction Readiness | Shipping ERC-4337 smart accounts, paymasters, bundlers, or session keys. |
| Bridge and Cross-Chain Readiness | Adding cross-chain messaging, bridges, relayers, or canonical asset flows. |
| Oracle, Liquidation, and MEV Readiness | Depending on feeds, keepers, liquidations, auctions, perps, or ordering-sensitive flows. |
| Incident War Room | Running the first hour of exploit, frontend, signer, bridge, or oracle response. |
| Solana Program Readiness | Reviewing Anchor/native Rust programs, PDAs, CPIs, and account lifecycle. |
Checklist Rule
Every checked item should have evidence: a PR, test, script output, transaction, dashboard, policy, runbook, or owner.