
Smart Contract Audit

Audit smart contract changes with a structured, actionable report covering security, access control, reentrancy, and MEV exposure.

5 minutes
By community
#smart-contract #security #audit #blockchain #solidity #web3
CLAUDE.md Template

Download this file and place it in your project folder to get started.

SYSTEM
You are a senior smart contract auditor. You are strict, practical, and specific.

CONTEXT
Project: {{project}}
Chain: {{chain}}
Scope: {{scope}}
Threat model: {{threat_model}}
Risk tolerance: {{risk}}
Date: {{date}} (UTC {{time_utc}})

INPUT
{{input}}

TASK
Audit the contract changes and produce an actionable report.

RULES
- If information is missing or unknown, state "Unknown" explicitly
- State all assumptions clearly in the Assumptions section
- Do not fabricate or hallucinate facts
- Be deterministic: same input should produce consistent output structure
- Ask at most 3 clarifying questions only if scope or threat model is missing
- Prioritize exploitable issues first
- Provide concrete PoC steps (no code needed) and exact remediation guidance

OUTPUT SCHEMA
1) Clarifying questions (only if needed)
- Q1:
- Q2:
- Q3:

2) Assumptions
- Privileged roles: (admin keys, ownership patterns - state "Unknown" if not visible in code)
- Upgradeability pattern: (UUPS/Transparent/Beacon/None/Unknown - analyze proxy patterns)
- External dependencies: (Oracles, external contracts - list specific addresses/interfaces or state "None detected")
- Trust model: (Who is trusted, what can they do - be explicit about admin powers)

3) Executive risk summary
- Overall risk: (Low/Medium/High/Critical)
- Top 3 risks (bullets)

4) Findings
A) Critical
- Title:
  - Impact:
  - Exploit scenario:
  - Root cause:
  - Fix:
  - Test to add:

B) High
(same schema)

C) Medium
(same schema)

D) Low
(same schema)

5) Checklist
- Access control: (Pass/Fail/Unknown - role validation, modifier usage, unauthorized access vectors)
- Reentrancy: (Pass/Fail/Unknown - CEI pattern, reentrancy guards, external call safety)
- Arithmetic and rounding: (Pass/Fail/Unknown - overflow/underflow, precision loss, rounding directions)
- External calls and callbacks: (Pass/Fail/Unknown - call return values, gas limits, untrusted contracts)
- Upgradability and admin keys: (Pass/Fail/Unknown - upgrade mechanism security, admin key risks, timelock protection)
- Oracle dependencies: (Pass/Fail/Unknown - price manipulation, stale data, fallback mechanisms)
- MEV and sandwich exposure: (Pass/Fail/Unknown - frontrunning risks, slippage protection, ordering dependencies)
- ERC compliance: (Pass/Fail/Unknown - standard adherence, interface completeness, edge case handling)

6) Go or No Go recommendation
- Recommendation:
- Conditions to ship:
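As an added example (not part of the playbook), a small Python checker that verifies a generated report follows the OUTPUT SCHEMA above: the numbered sections are present, "Overall risk" and every checklist item use only the allowed values, and each finding carries all five fields. The sample report embedded in it is constructed for illustration and is not a real audit.

```python
import re

# Section and field names exactly as the OUTPUT SCHEMA above spells them.
REQUIRED_SECTIONS = ("2) Assumptions", "3) Executive risk summary", "4) Findings",
                     "5) Checklist", "6) Go or No Go recommendation")
CHECKLIST_ITEMS = ("Access control", "Reentrancy", "Arithmetic and rounding",
                   "External calls and callbacks", "Upgradability and admin keys",
                   "Oracle dependencies", "MEV and sandwich exposure", "ERC compliance")
FINDING_FIELDS = ("Impact", "Exploit scenario", "Root cause", "Fix", "Test to add")

def validate_report(text):
    """Return schema violations found in an audit report; an empty list means it conforms."""
    problems = []
    for sec in REQUIRED_SECTIONS:
        if sec not in text:
            problems.append(f"missing section: {sec}")
    m = re.search(r"^- Overall risk:\s*(\S+)", text, re.M)
    if not m or m.group(1) not in {"Low", "Medium", "High", "Critical"}:
        problems.append("Overall risk must be Low/Medium/High/Critical")
    for item in CHECKLIST_ITEMS:
        m = re.search(rf"^- {re.escape(item)}:\s*(\S+)", text, re.M)
        if not m or m.group(1) not in {"Pass", "Fail", "Unknown"}:
            problems.append(f"checklist '{item}' must be Pass/Fail/Unknown")
    # A "- Title:" line opens a finding; the indented bullets under it must carry all five fields.
    for f_m in re.finditer(r"^- Title:(.*)\n((?:  - .*\n?)*)", text, re.M):
        present = set(re.findall(r"^  - ([^:]+):", f_m.group(2), re.M))
        for field in FINDING_FIELDS:
            if field not in present:
                problems.append(f"finding '{f_m.group(1).strip()}' lacks '{field}'")
    return problems

# Constructed sample report in the schema above (illustrative, not a real audit).
SAMPLE_REPORT = """2) Assumptions
- Privileged roles: Unknown
3) Executive risk summary
- Overall risk: High
4) Findings
A) Critical
- Title: Balance updated after external call in withdraw
  - Impact: repeated withdrawals can drain the pool
  - Exploit scenario: a caller re-enters withdraw before its balance is reduced
  - Root cause: checks-effects-interactions order violated
  - Fix: update the balance before the call and add a reentrancy guard
  - Test to add: withdraw must fail when the receiver re-enters
5) Checklist
""" + "".join(f"- {item}: {'Fail' if item == 'Reentrancy' else 'Unknown'}\n"
              for item in CHECKLIST_ITEMS) + """6) Go or No Go recommendation
- Recommendation: No Go
"""
```

Running `validate_report(SAMPLE_REPORT)` returns an empty list; a report with a checklist value outside Pass/Fail/Unknown or a finding missing a field gets one entry per violation, which makes the check easy to wire into a review gate.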
README.md

What This Does

Turns Claude into a senior smart contract auditor that produces structured, actionable audit reports. It covers access control, reentrancy, arithmetic, oracle dependencies, MEV exposure, and more — with concrete exploit scenarios and remediation guidance.


Quick Start

Step 1: Download the Template

Click Download above to get the CLAUDE.md file.

Step 2: Provide Context

Tell Claude the project name, chain, scope, and threat model.

Step 3: Paste Your Contract

Share the contract code or diff you want audited.

Step 4: Get Your Report

Say: "Audit this contract"


What the Report Covers

| Section | Details |
|---|---|
| Assumptions | Privileged roles, upgradeability, external deps, trust model |
| Executive Summary | Overall risk level + top 3 risks |
| Findings | Critical/High/Medium/Low with impact, exploit scenario, root cause, fix |
| Checklist | Access control, reentrancy, arithmetic, external calls, MEV, ERC compliance |
| Go/No-Go | Ship recommendation with conditions |

Finding Format

Each finding includes:

  • Title — Clear, specific name
  • Impact — What goes wrong
  • Exploit scenario — Concrete steps (no code needed)
  • Root cause — Why the vulnerability exists
  • Fix — Exact remediation guidance
  • Test to add — Verification test

Tips

  • Be specific about scope: Tell Claude exactly which contracts/functions to audit
  • Include threat model: "Attacker is an external user" vs "Attacker has admin keys" changes everything
  • State your chain: Different chains have different gotchas (e.g., Arbitrum sequencer, L2 gas)
  • Unknown is okay: The template explicitly handles unknowns rather than guessing

Commands

"Audit this contract for a DeFi lending protocol on Ethereum"
"Focus on the access control and upgradeability patterns"
"What are the top MEV risks in this swap function?"
"Generate the full checklist for this token contract"

Troubleshooting

| Problem | Solution |
|---|---|
| Report is too generic | Provide more context: chain, threat model, and what the contract does. |
| Missing findings you expected | Try: "Also check for [specific vulnerability class]" |
| Too many low-severity findings | Say: "Focus on Critical and High severity only" |
