Prepare your Solana program for audit with this comprehensive checklist.
Categories: Testing, Invariants, Code Quality, Security, Documentation, Deployment
Go beyond line coverage. Ensure all logical branches (if/else, match) in your instruction handlers are executed in tests.
Use Trident's Manually Guided Fuzzing (MGF) to test sequences of instructions, ensuring the program state remains valid through complex transaction flows.
Test interactions between multiple programs and accounts. Verify cross-program invocations (CPI) work correctly.
Test that unauthorized actions fail gracefully. Verify all access control mechanisms reject invalid requests.
Define and test properties like: 'Pool Assets + Pending Rewards = Total Vault Balance' under all conditions.
Ensure that 'locked' accounts cannot be closed and that 'authority' fields can never be set to the Zero Address.
Explicitly verify that total token supply matches account sums and that account ownership cannot be altered by unauthorized instructions.
Ensure calculations are overflow-safe, division handles zero correctly, and rounding doesn't accumulate errors.
Verify all state transitions are valid. Document allowed transitions and ensure code enforces them.
Ensure no reentrancy vulnerabilities exist. Use checks-effects-interactions pattern where applicable.
Delete unused functions, commented-out code, and obsolete imports. Keep codebase clean and minimal.
Use descriptive names for variables, functions, and accounts. Avoid single letters except for loops.
Document complex logic, explain WHY (not just what), and add NatSpec-style comments to all public functions.
Provide clear, specific error messages. Each error should indicate what failed and why.
While Solana has runtime reentrancy protection, verify that your program handles 'same-account-multiple-pass' logic correctly.
Verify all privileged operations check proper authority. Use Anchor's has_one and constraint checks in the #[account(...)] attribute.
Validate all account inputs: check ownership, verify PDAs, ensure accounts are initialized correctly.
Use checked arithmetic everywhere. Never allow unchecked additions, multiplications, or subtractions.
Always verify signers before executing privileged operations. Check the is_signer flag on accounts.
Provide clear build and deployment instructions. Include all dependencies and environment setup.
Document program architecture, account structures, and instruction flow. Include diagrams if complex.
Document any known limitations, assumptions, or areas of concern. Transparency helps auditors focus.
Provide automated deployment scripts. Include initialization sequences and migration procedures.
If using upgradeable programs, document upgrade authority and procedures. Plan for emergency upgrades.
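The invariant, instruction-sequence and checked-arithmetic items above, as an added example that is not part of the original checklist: a plain-Rust model of the 'Pool Assets + Pending Rewards = Total Vault Balance' property, re-checked after every step of a pseudo-random operation sequence. It uses neither the Solana SDK nor Trident, and `Vault`, `Op`, `apply` and `fuzz` are hypothetical names.

```rust
// Added example: plain-Rust model (no Solana SDK or Trident); all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum VaultError { Overflow, Insufficient, InvariantViolated }
#[derive(Debug, Clone, Copy)]
pub enum Op { Deposit(u64), Accrue(u64), Claim(u64) }
#[derive(Debug, Default, Clone, PartialEq)]
pub struct Vault { pub pool_assets: u64, pub pending_rewards: u64, pub total_balance: u64 }
impl Vault {
    /// Checklist invariant: pool assets + pending rewards == total vault balance.
    pub fn check_invariant(&self) -> Result<(), VaultError> {
        let sum = self.pool_assets.checked_add(self.pending_rewards).ok_or(VaultError::Overflow)?;
        if sum == self.total_balance { Ok(()) } else { Err(VaultError::InvariantViolated) }
    }
    /// Apply one op to a copy; commit only if checked arithmetic and the invariant hold.
    pub fn apply(&mut self, op: Op) -> Result<(), VaultError> {
        use VaultError::{Insufficient, Overflow};
        let mut n = self.clone();
        match op {
            Op::Deposit(a) => {
                n.pool_assets = n.pool_assets.checked_add(a).ok_or(Overflow)?;
                n.total_balance = n.total_balance.checked_add(a).ok_or(Overflow)?;
            }
            Op::Accrue(a) => { // moves value from the pool into pending rewards
                n.pool_assets = n.pool_assets.checked_sub(a).ok_or(Insufficient)?;
                n.pending_rewards = n.pending_rewards.checked_add(a).ok_or(Overflow)?;
            }
            Op::Claim(a) => { // pays pending rewards out of the vault
                n.pending_rewards = n.pending_rewards.checked_sub(a).ok_or(Insufficient)?;
                n.total_balance = n.total_balance.checked_sub(a).ok_or(Insufficient)?;
            }
        }
        n.check_invariant()?;
        *self = n;
        Ok(())
    }
}

/// Run `steps` pseudo-random ops (xorshift64, nonzero seed); returns final state and rejections.
pub fn fuzz(seed: u64, steps: u32) -> Result<(Vault, u32), VaultError> {
    let (mut v, mut s, mut rejected) = (Vault::default(), seed, 0u32);
    for _ in 0..steps {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;
        let amt = s >> 8; // wide range so overflow and underflow paths are exercised
        let op = match s % 3 { 0 => Op::Deposit(amt), 1 => Op::Accrue(amt), _ => Op::Claim(amt) };
        if v.apply(op).is_err() { rejected += 1; } // a rejected op must leave state valid
        v.check_invariant()?;
    }
    Ok((v, rejected))
}
fn main() { println!("{:?}", fuzz(0x9E37_79B9_7F4A_7C15, 10_000)); }
```

An `Err` from `fuzz` means some operation sequence reached a state that breaks the invariant, which is the finding to chase down before the audit.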