aitbc/docs/12_issues/audit-gap-checklist.md

# Smart Contract Audit Gap Checklist

## Status
- **Coverage**: 4% (insufficient for mainnet)
- **Critical Gap**: No formal verification or audit for escrow, GPU rental payments, DAO governance

## Immediate Actions (Blockers for Mainnet)

### 1. Static Analysis
- [ ] Run Slither on all contracts (`npm run slither`)
- [ ] Review and remediate all high/medium findings

### 2. Fuzz Testing
- [ ] Add Foundry invariant fuzz tests for critical contracts
- [ ] Target contracts: AIPowerRental, EscrowService, DynamicPricing, DAO Governor
- [ ] Achieve >1000 runs per invariant with no failures

### 3. Formal Verification (Optional but Recommended)
- [ ] Specify key invariants (e.g., escrow balance never exceeds total deposits)
- [ ] Use SMT solvers or formal verification tools

### 4. External Audit
- [ ] Engage a reputable audit firm
- [ ] Provide full spec and threat model
- [ ] Address all audit findings before mainnet

## CI Integration
- Slither step added to `.github/workflows/contracts-ci.yml`
- Fuzz tests added in `contracts/test/fuzz/`
- Foundry config in `contracts/foundry.toml`

## Documentation
- Document all assumptions and invariants
- Maintain audit trail of fixes
- Update security policy post-audit

## Risk Until Complete
- **High**: Escrow and payment flows unaudited
- **Medium**: DAO governance unaudited
- **Medium**: Dynamic pricing logic unaudited

## Next Steps
1. Run CI and review Slither findings
2. Add more invariant tests
3. Schedule external audit