Smart contracts handle billions in digital assets, yet many developers deploying them have never undergone a serious security audit or demonstrated expertise in threat modeling. Asking the right vetting questions now prevents costly exploits, rug pulls, and regulatory headaches later. This guide covers the specific questions that separate security-conscious developers from those flying blind.
Understand Their Audit History
Start by asking: "What smart contracts have you audited or had audited?" A legitimate candidate should name specific projects, blockchain networks, and the security firms involved. If they mention audits but can't provide verifiable details—or worse, claim their code needs no third-party review—move on. Look for audits from firms like Trail of Bits, Certik, Consensys Diligence, or OpenZeppelin. Budget $5,000–$50,000+ for professional audits depending on contract complexity; developers who skip this step are cutting corners on your security.
Ask: "Can you share redacted audit reports or references?" Top-tier developers won't hide their audit trails. They'll provide anonymized reports or direct you to public blockchains where their audited contracts live (Etherscan, for example).
Probe Their Testing Methodology
Smart contract security isn't about writing code—it's about proving the code won't break. Ask: "What testing framework do you use, and what's your code coverage percentage?"
Expect answers like:
- Hardhat or Foundry with unit and integration tests
- Coverage targets of 90%+ for production contracts
- Fuzz testing for edge cases
- Gas optimization verification
If they mention only manual testing or lack a formalized testing pipeline, they're not operating at Web3 standards. A developer comfortable discussing test suites, assertions, and coverage reports understands the rigor required.
Assess Their Knowledge of Common Vulnerabilities
Ask: "Walk me through how you'd prevent reentrancy attacks in an ERC-20 token contract." Their response should mention the Checks-Effects-Interactions pattern or OpenZeppelin's guard implementations—not vague statements like "I'm careful with my code."
Follow up with: "What's the difference between integer overflow and unchecked arithmetic in Solidity 0.8+?" This confirms they grasp the evolution of the language itself.
A developer worth hiring should be able to name and explain at least five common vulnerabilities:
- Reentrancy
- Integer overflow/underflow
- Unchecked external calls
- Front-running exposure
- Flash loan attacks
Check Their Upgrade and Governance Strategy
Ask: "How would you structure this contract if we need to upgrade it later?" Their answer reveals whether they understand proxy patterns, storage layouts, and upgrade safety—critical for production systems.
Also ask: "What governance mechanisms would you recommend for controlling contract upgrades?" Answers should reference timelock delays (48–72 hours is common), multi-signature wallets, and community voting if applicable.
Verify Blockchain-Specific Experience
Don't assume Ethereum expertise transfers cleanly to other chains. Ask: "Which blockchains have you deployed production contracts on?" and "What were the key differences in your approach?"
Different networks have different gas models, transaction finality, and validator structures. A developer experienced only with Ethereum mainnet may stumble on Polygon's higher throughput or Solana's parallel processing. For scaling solutions like Arbitrum or Optimism, they should understand state compression and message-passing security.
Request a Technical Reference
Ask for contact information from a past client, preferably one whose contract handled $1M+ in value. When you call them, ask directly: "Did the developer identify vulnerabilities before deployment? Did you experience any incidents post-launch?" Honest references reveal whether theoretical knowledge translates to real-world protection.
Check Their Continuous Learning
Web3 security evolves monthly. Ask: "What security research or new vulnerabilities have you studied in the last three months?" Their answer should mention specific CVEs, newly discovered attack vectors, or protocol improvements.
Frequently Asked Questions
Q: What should I expect to pay for a smart contract security audit? Professional audits range from $10,000–$100,000+ depending on contract complexity and the firm's reputation. Smaller contracts or educational projects might cost less, while high-value DeFi protocols command premium rates.
Q: How long does a typical smart contract audit take? Most audits take 2–4 weeks for standard ERC-20 or staking contracts, though complex protocols with multiple interacting systems may require 6–12 weeks.
Q: Can I use Mercoly to compare blockchain developers with specific security credentials? Yes—Mercoly helps you find and compare trusted blockchain & Web3 development providers in one place, filtering by expertise area, audit experience, and client references.
Use these questions to identify developers who treat security as non-negotiable, not optional.