Skip to main content
Back to Blog
Web3 & Blockchain

Smart Contract Security Checklist: What We Check Before Deploy

The security checklist we use before deploying any smart contract to mainnet. Battle-tested from DeFi protocols to government systems.

Hexmount Team
7 min read
SecuritySmart ContractsSolidityDeFi

Why This Matters


Smart contracts are immutable. Once deployed, bugs can't be patched. In 2024 alone, over $1B was lost to smart contract exploits.


This is our internal checklist. We use it on every contract before mainnet deployment.


The Checklist


1. Reentrancy


The classic attack. Check every external call:


  • State changes before external calls (checks-effects-interactions)
  • Reentrancy guards on vulnerable functions
  • No callbacks to untrusted contracts without protection

    • 2. Access Control


    Who can call what:


  • All admin functions have proper modifiers
  • Ownership transfer is two-step
  • No functions accidentally left public
  • Time-locks on critical operations

    • 3. Integer Safety


    Solidity 0.8+ helps, but:


  • Understand where overflow is possible
  • Check division by zero scenarios
  • Validate input ranges
  • Consider precision loss in calculations

    • 4. External Calls


    Every external call is a risk:


  • Check return values
  • Handle failed calls appropriately
  • Limit gas for untrusted calls
  • Consider call vs delegatecall implications

    • 5. Front-running


    MEV is real:


  • Commit-reveal where needed
  • Slippage protection on swaps
  • Deadline parameters on time-sensitive operations

    • 6. Oracle Security


    If you use external data:


  • Multiple oracle sources where possible
  • Staleness checks on price feeds
  • Manipulation resistance (TWAP vs spot)
  • Fallback mechanisms

    • 7. Upgradability


    If the contract is upgradeable:


  • Storage collision protection
  • Initializer instead of constructor
  • Upgrade access properly restricted
  • Test upgrade paths

    • 8. Gas Optimization


    Not security per se, but matters:


  • No unbounded loops
  • Efficient storage patterns
  • Batch operations where useful
  • Emergency withdrawal doesn't run out of gas

    • 9. Testing


    Before any mainnet:


  • 100% line coverage
  • Fuzzing with Foundry or Echidna
  • Fork testing against mainnet state
  • Invariant testing

    • 10. External Review


    Fresh eyes catch bugs:


  • Internal peer review
  • External audit for significant value
  • Bug bounty program for ongoing security

    • Deployment Process


    Even with a secure contract:


  • Deploy to testnet first: Verify everything works
  • Staged mainnet rollout: Start with limits
  • Monitor aggressively: Alert on unusual patterns
  • Have a response plan: Know what to do if something goes wrong

    • Common Mistakes We See


  • Trusting external contracts: Assume everything external is hostile
  • Incomplete validation: Garbage in, garbage out
  • Copying code without understanding: Subtle context differences matter
  • Rushing to mainnet: "It works on testnet" isn't enough

    • Security isn't a checklist you complete. It's a mindset you maintain.


    Related Services

    Smart Contracts

    Security-first smart contract development. From simple token contracts to complex DeFi protocols with government-grade security.

    DeFi Development

    Decentralized finance protocols and applications. Lending, staking, yield farming, and liquidity solutions.

    Related Articles

    Web3 & Blockchain

    Building a Cryptocurrency Exchange from Scratch: Lessons from $400M

    What we learned building a crypto exchange that grew to $400M+ market cap. Architecture decisions, security practices, and mistakes to avoid.

    December 15, 20248 min

    Have a project in mind?

    Let's talk about your project and see if we're a good fit.

    Schedule a CallView Services