Skip to main content
Smart Contract Security Audits

Upstate’s Smart Contract Audit Pitfalls: 5 Mistakes to Avoid with Expert Insights

Smart contract audits are a critical step in deploying secure protocols, yet many teams repeat the same costly mistakes. We've seen projects lose significant value not because the auditors were incompetent, but because the audit process itself was mishandled. This guide identifies five common pitfalls we've observed in the field and offers practical ways to avoid them. 1. The Field Context: Where Audit Pitfalls Show Up in Real Work Audit pitfalls aren't abstract—they emerge in specific phases of a project. The most common context is the period between completing development and the planned mainnet launch. Teams are under pressure to ship, and the audit feels like a final hurdle rather than an integral part of security. We've seen a DeFi lending protocol that had its code audited by a reputable firm, but the team had not done any internal threat modeling beforehand.

Smart contract audits are a critical step in deploying secure protocols, yet many teams repeat the same costly mistakes. We've seen projects lose significant value not because the auditors were incompetent, but because the audit process itself was mishandled. This guide identifies five common pitfalls we've observed in the field and offers practical ways to avoid them.

1. The Field Context: Where Audit Pitfalls Show Up in Real Work

Audit pitfalls aren't abstract—they emerge in specific phases of a project. The most common context is the period between completing development and the planned mainnet launch. Teams are under pressure to ship, and the audit feels like a final hurdle rather than an integral part of security.

We've seen a DeFi lending protocol that had its code audited by a reputable firm, but the team had not done any internal threat modeling beforehand. The auditors found a critical reentrancy vulnerability in a flash loan function, but because the team had no prior risk assessment, they didn't understand the severity and delayed the fix. The result: a last-minute scramble that pushed the launch back by two weeks and cost the team in developer hours and lost market timing.

Another scenario involved a gaming NFT project that treated the audit as a one-time event. After the initial audit, they made several updates to accommodate new features—without re-auditing the changed code. A bug in the new minting logic was exploited within a week of deployment, leading to a 200 ETH loss. The team had assumed the audit covered everything, but it only covered the snapshot of code at the time of review.

These examples illustrate that pitfalls are not just technical errors—they are process errors. The field context is often one of compressed timelines, incomplete risk understanding, and misaligned expectations between developers and auditors. Recognizing this helps teams approach audits with the right mindset: as a collaborative security exercise, not a rubber stamp.

Why Context Matters

Auditors can only evaluate what they see. If the code is incomplete, undocumented, or the team hasn't articulated the intended security model, the audit's effectiveness drops sharply. The field context—the project's stage, the team's experience, and the complexity of the protocol—determines which pitfalls are most likely to occur.

2. Foundations Readers Confuse: Threat Modeling vs. Code Review

A persistent confusion we encounter is the belief that a code review alone constitutes a complete audit. In reality, a thorough audit includes threat modeling, which is a separate and earlier step. Threat modeling identifies what could go wrong at a high level—what assets are at risk, who the attackers might be, and what attack surfaces exist. Code review then checks whether the implementation prevents those specific threats.

Many teams skip threat modeling because they think it's unnecessary or they don't know how to do it. They hand the code to an auditor and expect a list of bugs. But without a threat model, the auditor may miss systemic issues that aren't obvious from isolated code snippets. For example, a protocol might have individually secure functions, but the interaction between them could create a governance attack that no single function review would catch.

We've seen a case where a team built a multi-signature wallet with a daily withdrawal limit. Each function was reviewed and passed. But the threat model would have revealed that an attacker who compromised one key could drain funds over multiple days—a simple but effective attack that the code review alone missed because it didn't consider the cumulative effect over time.

How to Build a Simple Threat Model

Start by listing your protocol's assets (tokens, governance power, user data) and potential attackers (external hackers, malicious insiders, compromised oracles). Then, for each asset, imagine how an attacker could gain unauthorized control. Document these scenarios and share them with your auditor before they start. This alignment ensures the audit focuses on what matters most.

3. Patterns That Usually Work: Effective Audit Practices

Despite the pitfalls, many teams do audits well. The patterns that work are consistent across successful projects. First, they treat the audit as a multi-phase process: an initial scoping call, a preliminary review of the architecture, the detailed code audit, a fix period, and a final re-audit of changes. This structure prevents the chaos of last-minute surprises.

Second, they involve the auditor early. Some teams invite the auditor to review the architecture document before any code is written. This catches design flaws at the cheapest possible stage—a change in a diagram costs nothing compared to rewriting deployed code. We've seen a derivatives protocol that shared its economic model with the auditor before implementation; the auditor identified a potential oracle manipulation path that would have been expensive to fix later.

Third, successful teams maintain open communication. They assign a technical lead to answer auditor questions promptly and provide context for unusual code patterns. This reduces the auditor's guesswork and increases the depth of the review. One team we worked with set up a dedicated chat channel for the audit, where developers and auditors could discuss findings in real time. The audit completed faster and uncovered more subtle issues because the auditor could ask clarifying questions immediately.

Checklist for an Effective Audit

  • Complete threat modeling before engaging an auditor.
  • Share architecture documents and design rationale.
  • Ensure code is well-commented and uses standard patterns where possible.
  • Plan for at least two rounds of review: initial audit and fix verification.
  • Assign a point person to handle auditor inquiries.

4. Anti-Patterns and Why Teams Revert to Them

While good patterns exist, many teams fall back into anti-patterns under pressure. The most common is scope creep: adding features or changes during the audit period. We've observed a project that decided to add a new staking mechanism while the audit was ongoing. The developers patched in the code, the auditor reviewed it hastily, and a critical bug in the staking reward calculation went unnoticed. The team reverted to the bad habit of treating the audit as a moving target.

Another anti-pattern is the single-auditor reliance. Some teams hire one firm and accept their report as gospel. But every auditor has blind spots—different firms specialize in different areas (e.g., DeFi, NFTs, governance). Relying on one perspective can miss issues that another firm would catch. We've seen a cross-chain bridge that passed a single audit but was later exploited due to a vulnerability in a less common Solidity pattern that the auditor had not seen before. A second audit from a different firm would have increased the chances of detection.

Why do teams revert to these anti-patterns? Usually because of cost and time constraints. A second audit costs money and delays launch. Adding features during an audit feels like efficiency. But the long-term cost of a post-deployment exploit far outweighs the short-term savings. The key is to build a culture that prioritizes security over speed, even when the market is moving fast.

When the Anti-Pattern Becomes the Norm

In competitive ecosystems like DeFi, the pressure to be first-to-market is immense. Teams often rationalize that a partial audit is better than none, or that they can fix bugs after launch. This thinking leads to a cycle of patching and re-auditing that drains resources. The most successful teams we've seen resist this pressure by sticking to a clear audit timeline and resisting scope changes.

5. Maintenance, Drift, and Long-Term Costs

Even after a successful audit and launch, the work isn't done. Smart contracts evolve: new features are added, dependencies are upgraded, and the threat landscape changes. A common mistake is to treat the audit as a one-time event and never revisit security. This leads to drift—the codebase moves away from the audited state, and vulnerabilities accumulate silently.

We've seen a DAO that had a clean audit at launch, but over two years, the team added several governance tweaks and a new treasury module without re-auditing. A bug in the treasury's withdrawal logic was eventually exploited, draining funds that had been accumulating for months. The cost of the exploit was orders of magnitude higher than the cost of periodic re-audits.

Long-term maintenance also involves monitoring for new attack vectors. For example, the rise of cross-chain bridges has created new categories of vulnerabilities that didn't exist when many protocols were first audited. Teams need to periodically reassess their threat model and update their security posture. Some projects schedule quarterly or biannual security reviews, even when no code changes are planned, just to check for new risks.

Building a Maintenance Plan

  • Schedule re-audits after any significant code change (e.g., new feature, dependency upgrade).
  • Monitor security advisories for vulnerabilities in your dependencies.
  • Consider a bug bounty program to crowdsource ongoing security research.
  • Keep an internal log of security decisions and assumptions for future reference.

6. When Not to Use This Approach

The audit process we've described—with threat modeling, multi-phase reviews, and re-audits—is not always appropriate. For very small projects with low value at risk, the cost of a full audit may outweigh the benefit. A simple token launch with a small market cap might be better served by a single automated scan and a manual review from a trusted developer, rather than a formal audit by a major firm.

Similarly, projects in the earliest stage of development (e.g., a proof of concept) should not invest in a full audit. The code will change drastically before launch, and auditing an unstable codebase is wasteful. Instead, focus on internal testing and maybe a lightweight review of the architecture. Save the formal audit for when the code is near-final.

Another case is when the team itself has deep security expertise. If your developers have years of experience in smart contract security and have audited multiple protocols, you might be able to skip some of the formal steps. But be honest about your team's expertise—overconfidence is itself a common pitfall. We've seen teams with strong developers miss subtle economic attacks because they were focused on code correctness rather than incentive alignment.

Finally, if your project is a fork of an audited protocol, you might be tempted to skip a full audit. But forks often introduce subtle changes that break security assumptions. A minimal review of the changes is still necessary. The rule of thumb: if you change even one line of code, re-audit that change and its interactions.

7. Open Questions and FAQ

Below are answers to common questions we hear from teams preparing for audits.

How long should an audit take?

It depends on code complexity, but a typical audit of a medium-sized DeFi protocol takes 2-4 weeks for the initial review, plus 1-2 weeks for fix verification. Larger protocols may take 6-8 weeks. Rushing an audit is a mistake—most serious vulnerabilities are found in the later stages of review.

Should I choose a specialized audit firm or a generalist?

Specialized firms that focus on your protocol's domain (e.g., DeFi, NFTs, or layer-2 solutions) often have deeper knowledge of common attack patterns in that space. Generalist firms may have broader experience but might miss domain-specific nuances. Ideally, use a mix: a specialized firm for the main audit and a generalist for a second opinion.

What if the auditor finds no issues?

That can happen with well-written code, but it should raise a question: did the auditor look deeply enough? Request a detailed report of what was tested and what assumptions were made. A clean audit with no findings is not a guarantee of security—it's a statement that no issues were found within the scope of the review. Always supplement with other security measures like testing and bug bounties.

How do I verify that fixes are correctly implemented?

Do not rely solely on the auditor's re-review. Your team should write unit tests that specifically test the fix and its edge cases. Then, the auditor should verify that the fix addresses the original finding and does not introduce new issues. Some teams ask the auditor to write a short re-audit report focusing only on the changed code.

8. Summary and Next Steps

Avoiding audit pitfalls comes down to process discipline. Start with threat modeling, choose the right auditor, resist scope changes during the audit, verify fixes thoroughly, and plan for ongoing security maintenance. These steps may seem obvious, but in practice, teams often skip them under pressure.

Here are three specific actions you can take today:

  1. Draft a one-page threat model for your protocol, listing assets, attackers, and attack scenarios.
  2. Interview at least two audit firms before selecting one; ask how they handle scope changes and re-audits.
  3. Schedule a follow-up audit for six months after launch, regardless of whether you plan code changes.

By treating the audit as a collaborative, ongoing process rather than a checkbox, you'll reduce the risk of post-deployment exploits and build a more resilient protocol.

Share this article:

Comments (0)

No comments yet. Be the first to comment!