Mainnet Deployment Checklist
Deploying to mainnet puts real money at risk from the moment the transaction is mined. This checklist collects the practices that recur in post-mortems of major DeFi incidents; none of them is exotic, and most failed launches skipped at least one.
Pre-Deployment Checklist
The golden rule: if you're not confident enough to sign your name on an audit report, it's not ready for mainnet.
Phase 1 — Code Quality (2-4 weeks before mainnet):
[ ] 100% test coverage (line + branch)
[ ] All Slither findings resolved or documented
[ ] Gas report reviewed, no obvious inefficiencies
[ ] NatSpec documentation for all public functions
[ ] Architecture diagram updated
[ ] Threat model documented (who can do what damage if compromised)
Phase 2 — Security Review (1-4 weeks):
[ ] Internal security review completed
[ ] At least one external auditor completed review
[ ] All HIGH/CRITICAL findings resolved
[ ] MEDIUM findings resolved or acknowledged with rationale
[ ] Formal verification for critical invariants (optional but ideal)
Phase 3 — Testnet Validation (1-2 weeks):
[ ] Deployed to Sepolia with the same parameters you intend to use on mainnet (caps, delays, roles, addresses)
[ ] All deployment scripts tested (repeatable, produce identical config)
[ ] Integration tests against mainnet fork passed
[ ] Frontend tested against Sepolia deployment
[ ] Frontend handles all error states gracefully
Phase 4 — Access Control & Keys:
[ ] Admin/owner transferred to a Gnosis Safe with a 3-of-5 threshold at minimum; no EOA (including the deployer key) retains any privileged role
[ ] Safe signers distributed (different people, hardware wallets)
[ ] Timelock delay configured (24h minimum for protocol changes); the Safe proposes, the timelock is the contract owner, so every change is both multisig-gated and visible before it executes
[ ] Emergency pause mechanism tested end to end, and callable immediately rather than through the timelock
Phase 5 — Launch:
[ ] Soft launch with TVL caps ($1M initially, then $10M, then uncapped)
[ ] Bug bounty program published (Immunefi.com) BEFORE launch
[ ] Monitoring alerts configured (Tenderly, OZ Defender)
[ ] Incident response plan documented
Common Mistakes
- Skipping the TVL cap soft launch — launching at unlimited TVL with an unproven protocol exposes users to catastrophic loss if a bug exists. Cap at $1M first, grow gradually.
- No bug bounty before launch — Immunefi bug bounties incentivize white-hat hackers to report vulnerabilities rather than exploit them. Launch without one and you get exploits, not reports.
- Deploying without an incident response plan — when (not if) something goes wrong, you need to know in advance: who to call, how to pause, how to communicate to users, how to refund. Document this before launch; the post-mortem comes afterwards and is only useful if the response itself was not improvised.
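As an added illustration of the Phase 4 and Phase 5 controls (this is example code written for this page, not from the original page or any particular protocol): a deposit vault whose TVL cap can only be raised by its owner, which after launch is the timelock, and which a separate guardian can pause without waiting for the timelock. The OpenZeppelin Contracts v5 imports are real; the contract itself, its names and the guardian role are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin Contracts v5 paths (Pausable moved from security/ to utils/ in v5).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Ownable2Step} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Example vault with the launch controls from Phase 4/5: a TVL cap raised
///         step-wise by the owner (the timelock after launch) and an emergency pause
///         that a guardian can trigger immediately. Example contract, not a real protocol.
contract CappedVault is Ownable2Step, Pausable {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    uint256 public tvlCap;        // ceiling on totalDeposits: $1M at launch, then $10M, then uncapped
    uint256 public totalDeposits;
    address public guardian;      // hot key allowed to pause; may NOT unpause or change the cap
    mapping(address => uint256) public balanceOf;

    event TvlCapUpdated(uint256 oldCap, uint256 newCap);
    event GuardianUpdated(address oldGuardian, address newGuardian);
    event Deposit(address indexed user, uint256 amount);
    event Withdraw(address indexed user, uint256 amount);

    error CapExceeded(uint256 requested, uint256 remaining);
    error NotGuardianOrOwner(address caller);

    /// @param initialOwner should be the TimelockController, never the deployer EOA
    constructor(IERC20 asset_, uint256 initialCap, address initialOwner, address guardian_)
        Ownable(initialOwner)
    {
        asset = asset_;
        tvlCap = initialCap;
        guardian = guardian_;
    }

    /// @notice Deposits are refused once they would push total deposits above the cap.
    function deposit(uint256 amount) external whenNotPaused {
        uint256 newTotal = totalDeposits + amount;
        if (newTotal > tvlCap) {
            // The cap may have been lowered below current deposits, so clamp instead of underflowing.
            uint256 remaining = tvlCap > totalDeposits ? tvlCap - totalDeposits : 0;
            revert CapExceeded(amount, remaining);
        }
        totalDeposits = newTotal;
        balanceOf[msg.sender] += amount;
        // State is updated before the external token call (checks-effects-interactions).
        asset.safeTransferFrom(msg.sender, address(this), amount);
        emit Deposit(msg.sender, amount);
    }

    /// @notice Withdrawals are also halted by a pause so a drain in progress can be stopped.
    ///         Whether users may exit during a pause is a threat-model decision (Phase 1);
    ///         this example chooses to stop everything.
    function withdraw(uint256 amount) external whenNotPaused {
        balanceOf[msg.sender] -= amount;   // 0.8 checked arithmetic reverts on insufficient balance
        totalDeposits -= amount;
        asset.safeTransfer(msg.sender, amount);
        emit Withdraw(msg.sender, amount);
    }

    /// @notice Raising the cap is a protocol change: it goes through the owner, i.e. the
    ///         timelock, so the raise is visible on-chain 24h before it takes effect.
    ///         Passing type(uint256).max is the final "uncapped" stage.
    function setTvlCap(uint256 newCap) external onlyOwner {
        emit TvlCapUpdated(tvlCap, newCap);
        tvlCap = newCap;
    }

    /// @notice Pausing must not wait 24h: the guardian or the owner can halt immediately.
    function pause() external {
        if (msg.sender != guardian && msg.sender != owner()) revert NotGuardianOrOwner(msg.sender);
        _pause();
    }

    /// @notice Resuming is a deliberate, reviewed action and therefore owner-only (timelocked).
    function unpause() external onlyOwner {
        _unpause();
    }

    function setGuardian(address newGuardian) external onlyOwner {
        emit GuardianUpdated(guardian, newGuardian);
        guardian = newGuardian;
    }
}
```

The asymmetry is the point: anything that widens exposure (raising the cap, unpausing, changing the guardian) is slow and multisig-gated, while the one action that narrows exposure (pause) is fast and needs only one of two keys. Ownable2Step means a typo in the Safe or timelock address during the Phase 4 handover leaves ownership with the deployer until the correct address calls acceptOwnership, rather than burning it.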
Tip
Once deployed, a contract's bytecode cannot be changed. Only a deployment behind an upgradeable proxy can swap it, and that upgrade path is itself privileged code that belongs in the Phase 1 threat model and behind the Phase 4 timelock. Everything on this checklist therefore has to be finished before the deployment transaction is sent: code is law, including the bugs.
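Phase 3 asks for deployment scripts that produce an identical, checkable configuration and Phase 4 for verified key custody. The Foundry script below (added example code, not from the page or any project) reads the deployed addresses from environment variables and asserts the Phase 4 and Phase 5 state on-chain before anyone announces the launch; run it against the Sepolia deployment and again against mainnet, and treat a revert as a blocker. The forge-std and OpenZeppelin TimelockController APIs are real; the ISafe and IProtocol interfaces are minimal subsets written for this example, and the PROTOCOL, TIMELOCK, SAFE and DEPLOYER variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Script} from "forge-std/Script.sol";
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

/// Subset of the Safe contract's getters used here (both exist on Safe; the rest is omitted).
interface ISafe {
    function getThreshold() external view returns (uint256);
    function getOwners() external view returns (address[] memory);
}

/// Subset of the protocol contract under check: an Ownable2Step + Pausable contract
/// with a tvlCap() getter. Assumed shape for this script.
interface IProtocol {
    function owner() external view returns (address);
    function pendingOwner() external view returns (address);
    function tvlCap() external view returns (uint256);
    function paused() external view returns (bool);
}

/// Post-deployment assertions for the Phase 4 and Phase 5 checklist items.
/// Usage (assumed variable names):
///   PROTOCOL=0x.. TIMELOCK=0x.. SAFE=0x.. DEPLOYER=0x.. \
///   forge script script/VerifyDeployment.s.sol --rpc-url $SEPOLIA_RPC
contract VerifyDeployment is Script {
    uint256 internal constant MIN_DELAY = 24 hours;       // Phase 4: 24h minimum
    uint256 internal constant MIN_THRESHOLD = 3;          // Phase 4: 3-of-5 minimum
    uint256 internal constant MIN_SIGNERS = 5;
    uint256 internal constant LAUNCH_CAP = 1_000_000e6;   // Phase 5: $1M of a 6-decimal stablecoin

    function run() external view {
        verify(
            vm.envAddress("PROTOCOL"),
            vm.envAddress("TIMELOCK"),
            vm.envAddress("SAFE"),
            vm.envAddress("DEPLOYER")
        );
    }

    /// Reverts with a specific message on the first failed item; a clean run is the sign-off.
    function verify(address protocol, address timelock, address safe, address deployer) public view {
        IProtocol p = IProtocol(protocol);
        // TimelockController has a receive() function, hence the payable cast.
        TimelockController tl = TimelockController(payable(timelock));
        ISafe s = ISafe(safe);

        // Phase 4: the timelock owns the protocol and no two-step transfer is left half-done,
        // otherwise whoever holds pendingOwner can accept it later.
        require(p.owner() == timelock, "owner is not the timelock");
        require(p.pendingOwner() == address(0), "ownership transfer left pending");

        // Timelock wiring: delay >= 24h, the Safe proposes, the deployer key holds no role.
        require(tl.getMinDelay() >= MIN_DELAY, "timelock delay below 24h");
        require(tl.hasRole(tl.PROPOSER_ROLE(), safe), "Safe is not a timelock proposer");
        require(!tl.hasRole(tl.PROPOSER_ROLE(), deployer), "deployer is still a proposer");
        require(!tl.hasRole(tl.DEFAULT_ADMIN_ROLE(), deployer), "deployer is still timelock admin");

        // Safe: threshold and signer count per the checklist.
        require(s.getThreshold() >= MIN_THRESHOLD, "Safe threshold below 3");
        require(s.getOwners().length >= MIN_SIGNERS, "Safe has fewer than 5 signers");

        // Phase 5: soft-launch cap in place and the protocol not left paused by the deploy script.
        require(p.tvlCap() == LAUNCH_CAP, "launch TVL cap is not $1M");
        require(!p.paused(), "protocol deployed paused");
    }
}
```

Because the script only reads chain state, it needs no private key and can be run by a second engineer from a clean checkout, which is the Phase 3 "repeatable, identical config" check in practice. The deployer-role assertions catch the most common handover slip: a TimelockController constructed with the deployer as optional admin, or a proposer role granted during setup and never revoked.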
Warning
Treating the 100% coverage item as done because every line executes once is a common mistake: coverage says nothing about boundary conditions. Write explicit tests for zero amounts and the zero address, deposits that exactly reach and then exceed the TVL cap, type(uint256).max, empty arrays, and calls made while paused, and encode the invariants you care about (for example, total deposits never exceed the cap) as property tests before handing the code to an auditor.
Key Takeaways
- Mainnet puts real money at risk; work through every phase of the checklist (code quality, security review, testnet validation, access control, launch) before sending the deployment transaction.
- Soft-launch behind a TVL cap ($1M, then $10M, then uncapped) so an undiscovered bug has a bounded blast radius.
- Publish a bug bounty (Immunefi) before launch so researchers have a reason to report rather than exploit.
- Hand admin to a 3-of-5 Safe behind a 24h timelock, keep pause callable immediately, and document the incident response plan (who to call, how to pause, how to communicate, how to refund) before launch.