Manual Review

Auditors manually trace the control flow and state transitions of a contract to identify flaws in business logic, such as incorrect fee calculations, improper access control, or flawed reward distribution. This examines the intended behavior versus the actual implementation, catching complex bugs like reentrancy or incorrect oracle usage that require semantic understanding.

Experts review the code for adherence to secure development standards and gas optimization. This includes checking for:

• Use of deprecated or unsafe functions (e.g., tx.origin).
• Proper error handling and use of require/revert statements.
• Compliance with standards like ERC-20 or ERC-721.
• Code readability and maintainability issues.

This high-level assessment evaluates the system's design patterns, upgradeability mechanisms, and external dependency management. Auditors analyze the security of proxy patterns, the risks of centralized admin keys, the integration of oracles and cross-chain bridges, and the overall resilience of the system's architecture against attacks.

Manual review is not a replacement for but a critical complement to automated analysis. While tools like static analyzers and fuzzers excel at finding common bug patterns at scale, human auditors provide the contextual reasoning and creative exploit thinking needed to discover novel vulnerabilities, complex economic attacks, and subtle logic errors.

A high-level analysis of the system's design, data flows, and component interactions. Auditors create architecture diagrams to understand the protocol's trust boundaries, privileged roles (e.g., owners, admins), and upgrade mechanisms. This step identifies systemic risks like centralization, improper access control, and flawed economic incentives before diving into the code.

The meticulous, sequential examination of every line of source code. Auditors look for:

• Business logic errors and incorrect assumptions.
• Vulnerability patterns like reentrancy, integer over/underflows, and improper input validation.
• Gas inefficiencies and optimization opportunities.
• Deviations from established standards and best practices. This is the most time-intensive but thorough method.

Focusing review on discrete, logical units of code. Auditors isolate and analyze specific functions (e.g., a swap, a mint, a liquidation) or modules (e.g., a staking contract, an oracle adapter). This allows for deep dives into critical pathways, ensuring each component correctly handles its state changes, access controls, and error conditions in isolation before evaluating integration.

Proactively hypothesizing how an attacker would exploit the system. Using frameworks like STRIDE, auditors model threats by identifying potential attack vectors, malicious actors, and their capabilities. They then trace these scenarios through the code to validate mitigations or discover vulnerabilities. This shifts the focus from "what the code does" to "what an adversary can do."

Comparing the target codebase against known, audited implementations or previous versions. Auditors look for deviations in forked code (e.g., Uniswap v2 fork) that may introduce bugs. They also compare the current audit scope with past reports to ensure previously identified issues are resolved and no regressions have occurred. This leverages existing security knowledge.

Verifying that the implemented code correctly fulfills its documented specifications and requirements. Auditors map each functional requirement and invariant described in whitepapers or documentation to its actual code implementation. This uncovers gaps where the code behaves differently than intended, a common source of critical vulnerabilities.

Experts analyze the design patterns and code quality of a protocol's core contracts. This includes reviewing:

• Upgradeability mechanisms and admin key risks
• Centralization vectors in governance or treasury management
• Economic logic flaws in tokenomics or fee distribution
• Gas optimization and potential denial-of-service vulnerabilities

This review assesses the operational security and decision-making track record of the project team and DAO. Key focuses are:

• Team anonymity and associated risks
• Governance proposal history and voter participation
• Treasury management transparency and multisig configurations
• Response history to past incidents or exploits

Manual review maps a protocol's external dependencies, which are critical failure points. Analysts examine:

• Oracle integrations (e.g., Chainlink, Pyth) and their configuration
• Bridge or cross-chain dependencies for asset security
• Reliance on other DeFi protocols (e.g., AMMs, lending markets)
• Libraries and forked code from unaudited repositories

The quality and transparency of a project's public documentation is a key trust signal. Reviewers evaluate:

• Technical documentation completeness and accuracy
• Audit report availability, scope, and severity of findings
• Incident response plans and bug bounty programs
• Clarity and frequency of community communications

This analysis looks at the economic health and real-world usage of the protocol, beyond on-chain metrics. It covers:

• Liquidity concentration and reliance on incentives
• Token distribution and vesting schedules for insiders
• Revenue sustainability and fee model
• Competitive positioning within its sector (e.g., DeFi, NFTs, Gaming)

Experts assess potential off-chain risks related to compliance and legal structure. This includes:

• Entity jurisdiction and regulatory clarity for its operations
• Token classification risk (security vs. utility)
• Geographic restrictions for users or services
• Terms of Service and liability disclosures