Manual Deep Review

The week-two phase of a smart contract audit where a senior researcher manually asks adversarial questions of every function in scope, looking for exploit paths automated tools cannot find.

Manual deep review is the phase of a smart contract audit where a senior researcher manually walks through every function in the audited codebase, asking adversarial questions designed to surface exploit paths that automated tools cannot detect. It is the core of what makes an audit valuable, and it is the phase that distinguishes a real audit from a tool-driven scan.

What Happens During Manual Deep Review

By the time manual deep review begins, typically in the second week of an audit, the researcher has already built a complete mental model of the system from the week-one architecture read. They know how contracts call each other, where money flows, what state each function mutates, and what trust assumptions apply at each privilege level.

The deep review itself looks monotonous from the outside. The researcher sits in front of a screen for eight to ten hours a day, working through functions one at a time and asking variations of the same question: if I were trying to break this, how would I do it?

For each function, the researcher considers boundary inputs (zero, maximum integer, very small values, very large values), concurrency (what happens if two callers race), caller assumptions (what if a malicious contract calls this instead of an EOA), external dependencies (what happens if the oracle reports unexpected prices), and protocol-level interactions (what happens during a flash loan).

Most questions lead nowhere because the code handles the case correctly. But every once in a while, a question reveals a path the developer never anticipated. That path becomes a finding.

Why Tools Cannot Replace Manual Deep Review

Automated static analyzers, symbolic executors, and modern AI scanners are excellent at finding known vulnerability patterns: reentrancy, integer overflow before Solidity 0.8, missing access controls, unchecked external calls. They run quickly and surface obvious issues that any audit should catch.

What they cannot do is reason about protocol-specific business logic. A flash loan attack that drains a lending protocol typically requires chaining three or four legal-looking transactions in a sequence that exploits an economic assumption the developers did not document. There is no pattern in the code that a scanner can match against, because the bug is in the protocol's intended behavior, not in any particular line of code.

Manual deep review catches these economic exploits because the researcher is asking questions a tool does not know how to ask: does this incentive design actually align with what the protocol claims to do, does this oracle dependency assume a level of accuracy the oracle does not guarantee, does this admin role have more power than the team realizes.
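As an added illustration of the oracle-dependency question (example code written for this entry, not Zealynx's or any audited protocol's code), the first function returns the feed answer as-is, while the second turns each of the reviewer's questions into a check. The aggregator interface shape, the staleness window and the deviation bound are assumptions, not values from any real deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Chainlink-style aggregator interface; latestRoundData has the standard
// signature, the feed address is supplied by the deployer (assumed setup).
interface IPriceFeed {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract CollateralPricer {
    IPriceFeed public immutable feed;
    uint256 public constant MAX_STALENESS = 1 hours;     // assumed tolerance, protocol-specific
    uint256 public constant MAX_DEVIATION_BPS = 2_000;   // assumed 20% bound between accepted reads
    uint256 public lastAcceptedPrice;

    constructor(IPriceFeed _feed) {
        feed = _feed;
    }

    // "Before": the developer assumes the feed is fresh, positive and sane.
    // No pattern matcher flags this; the defect is the undocumented assumption.
    // A zero answer prices all collateral at zero; a negative answer does not
    // revert in 0.8 (int256 -> uint256 conversion wraps) and becomes a huge price.
    function priceNaive() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    // "After": each require answers one of the reviewer's questions.
    function priceChecked() external returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "oracle: non-positive answer");                 // unexpected value
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_STALENESS, "oracle: stale");
        require(answeredInRound >= roundId, "oracle: incomplete round");    // accuracy not guaranteed
        uint256 price = uint256(answer);
        if (lastAcceptedPrice != 0) {
            // Bound the move between two accepted reads: the window a single
            // flash-loan-funded manipulation would have to fit inside.
            uint256 diff = price > lastAcceptedPrice ? price - lastAcceptedPrice : lastAcceptedPrice - price;
            require(diff * 10_000 / lastAcceptedPrice <= MAX_DEVIATION_BPS, "oracle: deviation");
        }
        lastAcceptedPrice = price;
        return price;
    }
}
```

The deviation check trades liveness for safety: during a genuine market crash it reverts every read until the bound is relaxed, so a real deployment needs a governed recovery path rather than a hardcoded constant.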

What Founders Should Notice During Manual Deep Review

Manual deep review is the phase where founders should expect a flood of questions from the auditor. The questions are not a sign of incompetence; they are evidence of engagement. A researcher who is genuinely working through the code at this depth will surface assumptions that are not documented and ask the team to clarify them.

A silent auditor in the second week of an audit is a red flag. Either the researcher has disengaged from the code, or they are not deep enough yet to even know what to ask. Both outcomes mean the audit is shallower than it should be, and the resulting findings will reflect that.

The opposite warning sign is a researcher who asks no clarifying questions and still delivers a long list of findings on schedule. This often indicates the findings were generated from automated tooling without the manual layer, and the report will be filled with false positives that audit peer review would have caught if it had been done.

Time and Resource Investment

A meaningful manual deep review for a standard DeFi protocol takes one to two weeks per researcher per scope. For complex protocols, multiple researchers split the scope to cover it in the same window. The cost of this phase dominates the cost of the overall audit, which is why some firms cut corners here. Founders evaluating audit pricing should understand that low quotes often reflect reduced manual deep review time, not improved efficiency.

Need expert guidance on Manual Deep Review?

Our team at Zealynx has deep expertise in blockchain security and DeFi protocols. Whether you need an audit or consultation, we're here to help.
