Rekt Test
A 12-question pre-audit readiness self-assessment published by Trail of Bits and a coalition of Web3 security firms.
The Rekt Test is a 12-question pre-audit readiness self-assessment published by Trail of Bits in 2023 and co-signed by Fireblocks, Immunefi, Anchorage Digital, Ribbit Capital, Solana Foundation, and Euler Labs. It has become the de facto industry gate for whether a smart contract project is ready for an external security audit.
The 12 questions
1. Do you have all actors, roles, and privileges documented?
2. Do you keep documentation of all the external services, contracts, and oracles you rely on?
3. Do you have a written and tested incident response plan?
4. Do you document the best ways to attack your system?
5. Do you perform identity verification and background checks on all employees?
6. Do you have a team member with security defined in their role?
7. Do you require hardware security keys for production systems?
8. Does your key management system require multiple humans and physical steps?
9. Do you define key invariants for your system and test them on every commit?
10. Do you use the best automated tools to discover security issues in your code?
11. Do you undergo external audits and maintain a vulnerability disclosure or bug bounty program?
12. Have you considered and mitigated avenues for abusing users of your system?
How firms use it
Several audit firms — Cyfrin and Nascent among them — recommend that projects unable to answer "yes" to most of these questions delay their audit until they can. A "no" on any question isn't a reason not to audit; it's a reason to know what you're walking in with. Questions 1, 2, 4, 9, and 10 map directly to the documents auditors need during scoping (roles table, external dependencies list, threat model, invariants list, static analysis output), so running the Rekt Test internally before requesting quotes is the cheapest way to reduce auditor ramp time.
Relationship to audit scoping
The Rekt Test measures operational maturity, not code quality. It captures practices such as key management, incident response, and invariant-testing discipline, which increasingly affect how audit firms judge whether a team will respond competently to remediation. Projects that pass the Rekt Test typically receive faster turnaround and lower quotes because auditors can trust the team to hand over a clean scope and respond to findings professionally.
Related Terms
Audit Readiness
The state of a protocol's codebase and documentation being prepared for a formal security audit, including frozen code, test coverage, and documented invariants.
Audit Scope
The defined boundaries of a security audit, specifying which contracts, functions, and concerns will be reviewed.
Invariant
A property or condition that must always hold true throughout a smart contract's execution, used as a basis for testing and formal verification.