Sales

Miscellaneous

<aside> 🌐

Over 1400+ Smart contract security audits and pentests with 7+ years of experience across DeFi, NFTs, bridges, wallets, and full-stack dApps, we've audited protocols that ranged from simple tokens to complex multi-chain systems. Many projects suffer from rushed preparations, leading to basic findings dominating audit reports, instead of uncovering subtle economic or integration risks.

This expanded Audit Readiness Document covers the full stack: Smart Contracts, Frontend (dApp), Backend/Infrastructure, and Operational Security (OpSec). Proper preparation across all layers ensures auditors focus on high-impact issues, reduces remediation cycles, and builds a robust, trustless protocol.

A standout tool for streamlining this process is **Aegis by QuillAudits**. It's a dedicated platform designed to make protocols audit-ready with end-to-end OpSec coverage. Aegis provides protocol-specific security checkpoints for smart contracts, dApps (frontend interactions), backend APIs, and operational practices. It includes dashboards, checklists, progress tracking - helping teams systematically address risks before a formal audit. Highly recommended for structured preparation.

Preparation can reduce audit costs by 30-60%, minimize critical findings, and accelerate secure launches.

</aside>

Here is a list of things that the auditee must Prepare Before the Audit Starts

1. Project and Team Readiness (Full Stack)

Feature Complete & Scope Frozen: All components (contracts, frontend, backend) should be production-ready. No major refactors during audit.
Multi-Disciplinary Team: Include blockchain devs, full-stack web devs, DevOps/SecOps, and security-minded reviewers.
Threat Modeling: Conduct a session covering on-chain, off-chain, and human risks.
Incident Response Plan: Include blockchain-specific actions (e.g., pause contracts, revoke API keys, revoke approvals).

Checklist:

[ ] Defined in-scope components: contracts, frontend repo, backend services, infra.
[ ] Communication channel for auditors (e.g., shared Slack/Discord).
[ ] Budget for full-stack audit if needed (smart contracts + dApp pentest).

2. Documentation (Across Stack)

Architecture Diagram: Include contract interactions, frontend-backend flows, API endpoints, wallet connections, oracles/indexers.
Specs & Invariants: Detail business logic, user flows, API contracts, trust assumptions (e.g., "Relies on Infura RPC reliability").
NatSpec + API Docs: Full comments for contracts; Swagger/OpenAPI for backend.
Frontend Docs: Wallet integration details, transaction signing flows.
OpSec Docs: Key management policies, admin procedures.

Checklist:

[ ] 100% documentation coverage.
[ ] Threat model document.
[ ] In-scope/out-of-scope clearly listed.

3. Smart Contracts Readiness

Libraries & Standards: OpenZeppelin latest; avoid custom ERC20/721 unless necessary.
Compiler: ^0.8.24+; no warnings.
Best Practices: Reentrancy guards, Checks-Effects-Interactions, custom errors, proper initialization.
Upgradability: Strict adherence to patterns; storage collision prevention.
Economic Security: Consider flash loans, MEV, oracle manipulations.

Tools:

Slither, Aderyn, Mythril—resolve all high/medium.
Foundry/Echidna fuzzing—run extensive campaigns.

Checklist:

[ ] 95-100% test coverage (unit, integration, invariants).
[ ] No unresolved static analysis findings.
[ ] Deployment/verification scripts ready.

4. Frontend (dApp) Readiness

Frontend is often the primary attack surface for users (phishing, malicious approvals, XSS).

Wallet Integration: Use Web3Modal or trusted libraries (wagmi/viem for Ethers.js alternatives). Never handle private keys.
Secure Connections: HTTPS only; HSTS; Content Security Policy (CSP) to block inline scripts/XSS.
Transaction Handling: Clear previews; confirmations for approvals/transactions; prevent blind signing.
Vulnerability Checks: No stored secrets; proper input sanitization; rate limiting on forms.
UI/UX Security: Warn on unlimited approvals; revoke links; phishing-resistant domain (e.g., ENS).

Best Practices:

Follow OWASP Top 10 for web apps.
Use subresource integrity (SRI) for scripts.
Immutable deployments (IPFS/Vercel for static sites).

Testing:

Unit/integration with Jest/Cypress.
Manual pentest: Simulate phishing, session hijacking.
Tools: npm audit, Snyk, Retire.js for dependencies.

Checklist:

[ ] No console-exposed secrets.
[ ] Wallet connects via secure providers only.
[ ] E2E tests cover critical flows (connect, approve, transact).

5. Backend & Infrastructure Readiness

Backend often includes indexers, APIs, relayers, oracles—common points for DoS, data leaks.

API Security: Rate limiting, authentication (JWT/API keys), input validation.
Secrets Management: No hardcoded keys; use Vault/Doppler/ENV vars.
Database: Encrypted at rest; least-privilege access.
Infrastructure: VPC isolation; WAF (Cloudflare/AWS); DDoS protection.
RPC/Indexer: Multiple providers; fallback mechanisms; monitor for manipulation.
Monitoring: Logs (no sensitive data); alerts for anomalies.

Best Practices:

Zero-trust model.
Regular dependency scans (Dependabot/Snyk).
Container security if using Docker/K8s.

Testing:

API pentest (Burp Suite/ZAP).
Load testing.
Chaos engineering for failures.