FP
FIREPAN

DeFi Protocol Pre-Launch Security Checklist: 15 Steps Before Mainnet

Firepan Security TeamApril 1, 2026

Definition: A DeFi protocol pre-launch security checklist is a systematic list of security validations, testing steps, and operational preparations required before deploying to mainnet. Items span code auditing, access control configuration, oracle integration, liquidity seeding, and continuous monitoring setup. A complete checklist reduces launch-day risk and ensures no critical security steps are skipped. Firepan provides automated scanning as part of this checklist.

Introduction

Luna collapsed in 48 hours. Celsius defaulted without warning. Terra's UST peg broke overnight. These weren't primarily code vulnerabilities—they were operational and architectural failures that pre-launch checklists should have caught. Yet protocols continue to launch with incomplete security prep. This article provides a 15-step checklist that covers code security, operational setup, monitoring configuration, and governance safety nets. Use this before any mainnet deployment.

15-Step Pre-Launch Security Checklist

1. Complete Internal Code Review and Testing

Before any external audit, your team must review the code:

  • Code follows Solidity best practices (checks-effects-interactions, no unsafe patterns)
  • All state-changing functions have appropriate access controls
  • Test coverage exceeds 90% (branches, not just lines)
  • Fuzzing and property-based testing are run (Echidna, Foundry)
  • No hardcoded addresses, keys, or debugging code remains

Owner: Development team Timeline: Before audit engagement Firepan input: Use Firepan's free scan early to catch obvious patterns

2. Engage Professional Audit

Hire a Tier-1 audit firm (CertiK, Spearbit, Trail of Bits):

  • Clear scope definition with the audit team
  • Sufficient time allocation (6–12 weeks for complex protocols)
  • Budget for follow-up re-audit after fixes
  • Ensure auditors review governance contracts, oracle integration, and bridge contracts separately

Owner: Protocol lead or Head of Security Timeline: 8–16 weeks before launch (includes audit + remediation) Cost: $50K–$500K depending on complexity

3. Verify Test Coverage and Unit Tests

Ensure comprehensive test coverage across all edge cases:

  • Happy-path tests for normal operation
  • Edge-case tests (zero amounts, maximum values, rounding errors)
  • Access control tests (unauthorized addresses should fail)
  • Reentrancy tests (if applicable)
  • Use tools: Hardhat, Foundry, Ganache
  • Achieve >95% code coverage

Owner: QA Engineer / Dev Timeline: Ongoing; final verification 2 weeks before launch

4. Run Formal Verification (if applicable)

For protocols managing >$100M, formal verification proves contract correctness mathematically:

  • Tools: Mythril, Certora, K Framework
  • Verify invariants: "No user can withdraw more than they deposited"
  • Verify state transitions are atomic and correct
  • Cost: $20K–$100K; requires 2–4 weeks

Owner: Security lead Timeline: 4–6 weeks before launch (if running)

5. Establish Oracle Integrations Safely

Oracles are a common attack vector. Verify integration carefully:

  • Using battle-tested oracle (Chainlink preferred for most assets)
  • Price feeds have sufficient redundancy (multiple sources, fallback)
  • Oracle updates are time-windowed (reject prices older than X minutes)
  • Circuit breakers halt trading if price movements exceed thresholds
  • Test oracle failure scenarios (oracle goes offline, price spikes)

Owner: Smart contract lead Timeline: 4 weeks before launch; oracle testing should be part of audit

6. Configure Access Controls and Multi-Sig

Establish governance and emergency controls:

  • Deployer address for initial setup
  • Multi-sig wallet (2-of-3 or 3-of-5 minimum) for admin functions
  • Timelock delay for parameter changes (minimum 48 hours)
  • Emergency pause function controlled by multi-sig
  • Test multi-sig execution on testnet thoroughly

Owner: Protocol lead, Governance team Timeline: 3 weeks before launch

7. Set Up Continuous Monitoring (Firepan)

Establish monitoring before launch, not after:

  • Create Firepan account and connect GitHub repo
  • Run baseline scan on all contracts
  • Configure GitHub Actions webhook for CI/CD integration
  • Set up alerts for critical/high severity findings
  • Review Firepan dashboard weekly pre-launch

Owner: DevOps / Security team Timeline: 4 weeks before launch

8. Deploy to Testnet and Run Extended Testnet Campaign

Extended testnet operation is crucial:

  • Deploy all contracts to a public testnet (Sepolia)
  • Run for 2–4 weeks with real user interaction (not just internal testing)
  • Verify gas costs, transaction speed, state growth
  • Have security researchers test mainnet-like conditions
  • Capture testnet deployment addresses and ABI versions

Owner: DevOps / Release Manager Timeline: 6–8 weeks before launch

9. Audit Dependencies and Supply Chain

Third-party libraries can introduce risk:

  • List all external dependencies (OpenZeppelin, Uniswap, etc.)
  • Verify versions are up-to-date (no deprecated or vulnerable versions)
  • Audit code paths that interact with external contracts
  • Review upgrade mechanisms for external dependencies
  • Consider forking critical dependencies if necessary

Owner: Development lead Timeline: 4 weeks before launch

10. Create and Test Deployment Procedures

Operational security is as important as code security:

  • Document exact deployment sequence (which contract first, constructor args, etc.)
  • Automate deployment with scripts (Hardhat, Foundry) to avoid manual errors
  • Test deployment on testnet 5+ times independently
  • Prepare deployment runbook with rollback procedures
  • Ensure deployment keys are secure (hardware wallet, multi-sig)

Owner: DevOps / Protocol lead Timeline: 3 weeks before launch

11. Establish Emergency Pause and Upgrade Procedures

Be prepared for the worst case:

  • Implement pause function that stops all critical operations
  • Define who can trigger pause (multi-sig? governance?)
  • Test pause procedure on testnet
  • Have UUPS or proxy upgrade paths ready if needed
  • Publish upgrade governance procedures pre-launch

Owner: Protocol lead, Governance Timeline: 3 weeks before launch

12. Verify Fee Structure and Withdrawal Mechanisms

Operational details matter:

  • Ensure fee calculation is correct and audited separately
  • Verify withdrawal mechanisms work (no stuck funds)
  • Test partial withdrawals, full withdrawals, batch withdrawals
  • Confirm fee recipient addresses are correct
  • Simulate fee withdrawal under various market conditions

Owner: Product / Financial team Timeline: 2 weeks before launch

13. Conduct Internal Security Drills

Run security incident response drills:

  • Simulate a critical vulnerability discovery post-launch
  • Practice communication with exchanges, liquidity providers, validators
  • Test multi-sig wallet execution under pressure
  • Verify backup communication channels work
  • Ensure on-call security team coverage is 24/7

Owner: Security lead, Ops team Timeline: 2 weeks before launch

14. Secure Private Keys and Deployment Credentials

Operational security is foundational:

  • Use hardware wallets for deployer private keys (Ledger, Trezor)
  • Store private keys with multi-sig (2-of-3 signing minimum)
  • Use secure key management (AWS KMS, HashiCorp Vault for operational keys)
  • Document recovery procedures for lost keys
  • Limit who has access to deployment credentials

Owner: DevOps / Security lead Timeline: 2 weeks before launch

15. Prepare Post-Launch Monitoring and Response Plan

Plan for the first 7 days post-launch:

  • Designate on-call security team (24/7 coverage)
  • Have Firepan monitoring dashboard open continuously
  • Set up automated alerts (Slack, PagerDuty)
  • Prepare communication templates for various scenarios
  • Have list of exchanges, liquidators, and other stakeholders with emergency contacts

Owner: CEO / Operations lead Timeline: 1 week before launch

Pre-Launch Security Checklist: Summary Table

| # | Item | Owner | Timeline | Priority | |----|------|-------|----------|----------| | 1 | Internal code review | Dev team | Before audit | CRITICAL | | 2 | Professional audit | Security | 8–16 weeks | CRITICAL | | 3 | Test coverage >95% | QA | Ongoing | CRITICAL | | 4 | Formal verification | Security | 4–6 weeks | HIGH (if >$100M TVL) | | 5 | Oracle integration verify | Smart contract lead | 4 weeks | CRITICAL | | 6 | Access controls + multi-sig | Governance | 3 weeks | CRITICAL | | 7 | Firepan monitoring setup | DevOps | 4 weeks | HIGH | | 8 | Extended testnet campaign | DevOps | 6–8 weeks | CRITICAL | | 9 | Dependency audit | Dev lead | 4 weeks | HIGH | | 10 | Deployment procedure test | DevOps | 3 weeks | CRITICAL | | 11 | Pause/upgrade procedures | Protocol lead | 3 weeks | HIGH | | 12 | Fee structure verify | Product | 2 weeks | HIGH | | 13 | Security incident drills | Security | 2 weeks | HIGH | | 14 | Private key security | DevOps | 2 weeks | CRITICAL | | 15 | Post-launch monitoring plan | Ops | 1 week | CRITICAL |

Frequently Asked Questions

Q: What happens if I skip the professional audit?

A: Risk of launching with subtle vulnerabilities undetected. Open-source tools catch common patterns but miss logic flaws. For any protocol managing >$10M, a professional audit is essential. Firepan monitoring complements but doesn't replace a pre-launch audit.

Q: Can I launch faster by skipping some checklist items?

A: Not the CRITICAL items (1–3, 5–6, 8, 10, 14–15). Launching faster with incomplete security guarantees a more expensive exploit later. The 15-step process takes 8–16 weeks; most critical exploits occur within the first 30 days post-launch. Speed without security is expensive.

Q: What's the cost of completing this checklist?

A: Audit ($50K–$500K) + Firepan monitoring ($299–$2,999/month) + internal labor (~2 FTE-months). Total: $100K–$700K depending on protocol complexity. A single critical exploit costs 10–100x this amount.

Q: How do I know if my protocol is ready to launch?

A: All 15 items are complete, CRITICAL items are verified by independent reviewers, multi-sig is tested end-to-end, and Firepan shows no critical/high vulnerabilities. If any CRITICAL item is incomplete, delay launch.

Q: How does Firepan fit into this checklist?

A: Step 7 and the continuous monitoring plan (step 15). Firepan provides the automated scanning and alert infrastructure that enables 24/7 security monitoring post-launch. Run Firepan on testnet during step 8, configure alerts during step 7, and maintain dashboard monitoring during step 15. Start scanning at https://app.firepan.com/

Conclusion

Launching a DeFi protocol is a security marathon, not a sprint. This 15-step checklist covers code, operations, and governance. Follow it, and you significantly reduce exploit risk. Shortcuts create expensive exploits. Every item serves a purpose.

Start scanning at https://app.firepan.com/.

Firepan

Scan Your Contracts Now

12,453 contracts secured. 2,851 vulnerabilities blocked. 236 exploits prevented. Run a free surface scan — results in minutes, no credit card required.

Run Free Scan →
← Vulnerability Database← Security Blog← Compare Platforms