Every protocol team knows they need an audit before launch. Fewer know how to actually prepare for one, what to expect during the process, or what to do after the report lands. The result: wasted time, inflated audit costs, and — worst case — launching with unresolved vulnerabilities.
This is the practical guide we wish every team had before their first audit engagement.
- $953M: lost to access control bugs (2025)
- 10–20%: share of project budget that should go to security
- 6–8 weeks: how far before launch to schedule the audit
- 100%: test coverage target
Phase 1: Internal Self-Audit (Weeks 1–2)
Before you spend a dollar on an external audit, run through everything you can catch yourself. Every issue you fix now is one fewer billable hour from your auditor — and one fewer vulnerability in production.
Run Static Analysis Tools
These are free, fast, and catch a surprising number of real bugs:
| Tool | What It Does |
|---|---|
| Slither | 92+ detectors for reentrancy, access control, unused variables, and more. Run with: slither . |
| Aderyn | Rust-based, fast Solidity analysis. Good for quick passes during development. Run with: aderyn . |
| Mythril | Symbolic execution engine. Slower but catches deeper issues like unchecked calls and integer bugs. Run with: myth analyze contract.sol |
| Solidity Compiler Warnings | Enable all warnings and treat them as errors. The compiler catches more than you think. |
Fix everything these tools flag. If a finding is a genuine false positive, document why. Your external auditor will run these same tools — having clean results shows you've done your homework. For installation guides and advanced usage of each tool, see our Free Smart Contract Audit Tools in 2026 guide.
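A CI gate that enforces the rule above, added here as an example and not part of the original guide: every Slither finding is either fixed, or suppressed with a written justification; a suppression without a reason fails the build. The scan output is a constructed sample that mirrors the field names of `slither --json` (`id`, `check`, `impact`, `confidence`, `description`); the triage file format is our own assumption.

```python
"""Fail CI on Slither findings unless each suppressed one has a documented reason."""
import json

# Constructed sample in the shape of `slither . --json out.json`; not real scan results.
SLITHER_OUTPUT = json.dumps({
    "success": True,
    "results": {"detectors": [
        {"id": "a1", "check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256)"},
        {"id": "b2", "check": "naming-convention", "impact": "Informational",
         "confidence": "High", "description": "Parameter _amount is not in mixedCase"},
        {"id": "c3", "check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.unlock() uses block.timestamp for comparisons"},
    ]},
})

# Assumed triage file (our own format): finding id -> written justification.
TRIAGE = {
    "c3": "block.timestamp only gates a 7-day lock; seconds of miner drift are irrelevant.",
    "b2": "",  # listed but never justified: this must not silently pass
}

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Optimization": 0}


def gate(slither_json, triage, fail_at="Low"):
    """Return (blocking, suppressed, undocumented) lists of finding ids.

    blocking:     findings at or above `fail_at` with no justification
    suppressed:   findings with a non-empty written justification
    undocumented: findings present in the triage file with an empty reason
    """
    findings = json.loads(slither_json)["results"]["detectors"]
    threshold = SEVERITY_RANK[fail_at]
    blocking, suppressed, undocumented = [], [], []
    for f in findings:
        reason = triage.get(f["id"], "").strip()
        if reason:
            suppressed.append(f["id"])
        elif f["id"] in triage:
            undocumented.append(f["id"])
        elif SEVERITY_RANK.get(f["impact"], 3) >= threshold:  # unknown impact: treat as High
            blocking.append(f["id"])
    return blocking, suppressed, undocumented


if __name__ == "__main__":
    blocking, suppressed, undocumented = gate(SLITHER_OUTPUT, TRIAGE)
    print("blocking:", blocking, "suppressed:", suppressed, "undocumented:", undocumented)
    raise SystemExit(1 if blocking or undocumented else 0)
```

Commit the triage file next to the contracts so the auditor sees the same justifications you reviewed internally.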
Write Comprehensive Tests
Aim for 100% line coverage, but more importantly, test the negative paths:
- What happens when a user tries to withdraw more than their balance?
- What happens when the oracle returns a stale price?
- What happens when two transactions interact in the same block?
- What happens when an admin function is called by a non-admin?
Use Foundry's built-in fuzz testing to generate random inputs and find edge cases your unit tests miss:
```solidity
function testFuzz_withdraw(uint256 amount) public {
    // Constrain the fuzzer to non-zero amounts that fit the vault's accounting type.
    vm.assume(amount > 0 && amount <= type(uint128).max);
    token.mint(address(this), amount);
    token.approve(address(vault), amount);
    vault.deposit(amount);
    vault.withdraw(amount);
    // A full withdrawal must leave no share balance behind.
    assertEq(vault.balanceOf(address(this)), 0);
}
```
Internal Code Review
Do a line-by-line review with your team. Focus on:
- Access control — Who can call each function? Are admin functions properly restricted?
- State changes before external calls — The checks-effects-interactions pattern should be second nature. See our Reentrancy Attacks Explained deep dive.
- Edge cases — Zero amounts, max values, empty arrays, first depositor / last withdrawer scenarios.
- Upgrade paths — If using proxies, is the storage layout safe? Can the upgrade function itself be compromised?
💡The Pre-Audit Documentation Checklist
Prepare these before contacting any auditor: (1) Architecture overview with contract interaction diagram, (2) Functional requirements for each contract, (3) Known risks and design trade-offs, (4) Complete test suite with instructions to run, (5) Deployment scripts and configuration. Good documentation cuts audit time — and cost — by 20–30%.
Phase 2: Automated AI Audit (Week 3)
After your internal review, run an AI-powered audit to catch anything you missed. AI tools are particularly good at:
- Tracing data flows across multiple contracts
- Identifying price oracle dependency chains
- Flagging flash loan amplification vectors
- Detecting known vulnerability patterns you might have introduced while fixing other bugs
This step typically costs $3,000–$15,000 and takes days rather than weeks. It's cheap insurance before the more expensive manual audit. For a detailed cost breakdown, see our Smart Contract Audit Cost in 2026 pricing guide.
Phase 3: External Manual Audit (Weeks 4–8)
This is where the real expertise comes in. Here's how to get the most out of it.
Choosing Your Auditor
For an in-depth guide on evaluating audit firms, see How to Choose a Smart Contract Auditor: A Buyer's Guide.
| Criterion | What to Check |
|---|---|
| Track Record | Have they audited protocols similar to yours? Ask for references. |
| Methodology | Do they combine static analysis, manual review, and dynamic testing? |
| Team Size | At least 2 auditors per engagement prevents individual blind spots. |
| Communication | Will they ask questions during the audit? Good auditors engage with your team, not just your code. |
| Timeline | 2–4 weeks for standard DeFi. Be suspicious of anyone promising 3 days. |
What Auditors Actually Do
A thorough manual audit follows a structured process:
Scoping
Auditors review your documentation, understand the protocol's design, and identify high-risk areas to prioritize.
Analysis
Line-by-line code review, threat modeling, and testing of business logic assumptions. This is where most critical findings emerge.
Testing
Dynamic testing, fuzzing of custom invariants, and cross-function interaction testing.
Reporting
Findings classified by severity with detailed descriptions, proof-of-concept exploits, and remediation recommendations.
Verification
After you fix the findings, auditors verify remediations and confirm no regressions were introduced.
Code Freeze is Non-Negotiable
Freeze your code before the audit starts. Every change you make during an active audit wastes auditor time, introduces potential new bugs, and delays the report. If you're still making feature changes, you're not ready for an audit.
Phase 4: Address Findings (Weeks 8–10)
When the audit report arrives, prioritize by severity:
| Severity | Examples |
|---|---|
| Critical | Reentrancy, access control bypass, fund theft |
| High | Oracle manipulation, unchecked return values, privilege escalation |
| Medium | Front-running, precision loss, DoS vectors |
| Low | Gas optimization, informational findings, best practices |
Critical and High findings must be fixed before launch. No exceptions. These are exploitable vulnerabilities that will cost you money.
Medium findings should be fixed unless you have a documented, valid reason not to. "We'll fix it after launch" is not a valid reason.
Low and Informational findings are best practices and code quality improvements. Fix what you can, acknowledge the rest.
After fixing, request a re-audit of the changed code. This typically costs $5,000–$20,000 and takes 3–5 days. It's worth it — we've seen teams introduce new critical vulnerabilities while fixing old ones. For help interpreting findings, see How to Read a Security Audit Report.
Phase 5: Post-Audit Launch Preparation
Your audit report is clean. You're ready to deploy. But security doesn't end at launch. For a comprehensive post-deployment guide, see Post-Audit: How to Maintain Security After the Report.
Deploy a Bug Bounty Program
Launch a bug bounty on Immunefi or a similar platform before or immediately after deployment. Set bounties proportional to your TVL:
- Critical: $50,000–$500,000 (or 10% of funds at risk)
- High: $10,000–$50,000
- Medium: $2,000–$10,000
In 2025, Immunefi paid out over $110 million to white-hat researchers. Bug bounties are the most cost-effective continuous security coverage available.
Set Up Monitoring
| Tool | What It Does |
|---|---|
| Forta Network | Decentralized monitoring bots that detect suspicious transactions in real-time. |
| OpenZeppelin Defender | Automated alerts and response actions (auto-pause on anomalies). |
| Custom Alerts | Monitor for unusual withdrawals, governance proposals, oracle price deviations, and large flash loans. |
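The "Custom Alerts" row in practice, as an added example that is not part of the original guide: three rules (large withdrawal relative to TVL, oracle price deviation, large flash loan) run over a constructed event stream, with a correlation step that escalates a flash loan and a price jump in the same block, since that pairing is the oracle-manipulation signature described under SC03/SC04 below. Thresholds and the `Event` shape are assumptions to tune per protocol.

```python
"""Custom monitoring rules over a constructed on-chain event stream."""
from dataclasses import dataclass


@dataclass
class Event:
    block: int
    kind: str          # "withdraw", "oracle" or "flashloan"
    value: float       # token amount, or the reported price for "oracle"
    tvl: float = 0.0   # protocol TVL at this block (withdraw events only)


# Assumed thresholds; tune per protocol and review them with your auditor.
WITHDRAW_TVL_FRACTION = 0.05   # single withdrawal >= 5% of TVL
ORACLE_DEVIATION = 0.10        # >= 10% move between consecutive price updates
FLASHLOAN_MIN = 1_000_000      # flash loans at or above this size


def detect(events):
    """Return (block, rule, severity) alerts in detection order."""
    alerts, last_price, flash_blocks, oracle_blocks = [], None, set(), set()
    for e in sorted(events, key=lambda x: x.block):  # stable: keeps intra-block order
        if e.kind == "withdraw" and e.tvl > 0 and e.value / e.tvl >= WITHDRAW_TVL_FRACTION:
            alerts.append((e.block, "large-withdrawal", "high"))
        elif e.kind == "oracle":
            if last_price and abs(e.value - last_price) / last_price >= ORACLE_DEVIATION:
                alerts.append((e.block, "oracle-deviation", "high"))
                oracle_blocks.add(e.block)
            last_price = e.value
        elif e.kind == "flashloan" and e.value >= FLASHLOAN_MIN:
            alerts.append((e.block, "large-flashloan", "medium"))
            flash_blocks.add(e.block)
    # Correlation: borrowed capital plus a price jump in one block is the classic
    # manipulation pattern, so escalate it above either signal on its own.
    for b in sorted(flash_blocks & oracle_blocks):
        alerts.append((b, "oracle-manipulation-suspected", "critical"))
    return alerts


# Constructed sample stream, not real chain data.
SAMPLE = [
    Event(100, "oracle", 2000.0),
    Event(101, "withdraw", 1_000.0, tvl=100_000.0),   # 1% of TVL: quiet
    Event(102, "flashloan", 5_000_000.0),
    Event(102, "oracle", 1500.0),                      # 25% drop right after the loan
    Event(103, "withdraw", 8_000.0, tvl=100_000.0),   # 8% of TVL: alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

Wire the "critical" rule to whatever auto-pause action your Defender or Forta setup exposes, and the "high" rules to a paged on-call channel.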
Prepare an Incident Response Plan
Before launch, document:
- Who has the authority to pause the protocol?
- What are the emergency multisig procedures?
- How will you communicate with users during an incident?
- What's your war room process for analyzing and responding to exploits?
The OWASP Smart Contract Top 10 (2026)
These are the vulnerability categories that auditors prioritize. Know them before your audit. For a broader deployment checklist, see our DeFi Security Checklist 2026 and Smart Contract Audit Checklist: Before You Deploy.
| Category | What to Check |
|---|---|
| SC01 — Access Control | $953M in losses. Who can call what, and under what conditions? |
| SC02 — Business Logic | Protocol-specific design flaws that allow unintended behavior. |
| SC03 — Oracle Manipulation | Price feed manipulation via flash loans or low-liquidity pools. |
| SC04 — Flash Loan Attacks | Amplifying small vulnerabilities with borrowed capital. |
| SC05 — Input Validation | Missing checks on function parameters and external data. |
| SC06 — Unchecked External Calls | Failing to handle reverts from external contract calls. |
| SC07 — Arithmetic Errors | Rounding, precision loss, and calculation bugs. |
| SC08 — Reentrancy | $35.7M in losses. State changes after external calls. |
| SC09 — Integer Issues | Overflow and underflow in unchecked blocks or older Solidity versions. |
| SC10 — Proxy Vulnerabilities | Storage collisions, uninitialized implementations, upgrade hijacking. New for 2026. See our deep dive on Smart Contract Upgradability. |
🛑Don't Launch Without an Audit
In 2025, DeFi protocols lost $3.4 billion to exploits. The majority of hacked protocols had either no audit, an incomplete audit, or deployed code that differed from what was audited. A $30,000–$80,000 audit is a rounding error compared to the cost of a hack.
The Timeline at a Glance
- Self-Audit (Weeks 1–2): Static analysis, tests, internal review
- AI Audit (Week 3): Automated scanning for known patterns
- Manual Audit (Weeks 4–8): External expert review
- Fix + Re-Audit (Weeks 8–10): Address findings, verify remediations
- Launch (Week 10+): Deploy with monitoring and bug bounty active
Start this process 10–12 weeks before your target launch date. If you're behind schedule, don't skip steps — push the launch.
Ready to start your audit process? RedVolt's AI-powered smart contract auditor handles Phase 2 — scanning your Solidity contracts for known vulnerability patterns in hours, not weeks. Upload your contracts or talk to our team about a full expert engagement.