CreatorFetch logo
Back to Articles

Post-Mortem Analysis Template: Documenting Smart Contract Incidents for Industry-Wide Learning

Post-Mortem Analysis Template: Documenting Smart Contract Incidents for Industry-Wide Learning

Why most smart contract post-mortems are useless

An exploit hits. Funds move. The team posts a thread on X, maybe a Medium article a week later, and then the whole thing evaporates into the general noise of crypto. Six months on, someone deploys a contract with the exact same reentrancy pattern and loses the exact same way.

That's the real cost of bad incident documentation. Not the immediate loss, which is bad enough, but the fact that nobody downstream learns anything. A post-mortem that reads like a PR statement teaches you nothing about the root cause, the timeline, or how to avoid it. And the industry keeps paying for the same mistakes.

So here's a template. It's opinionated, it's structured for reuse, and it assumes you actually want other people to learn from what happened to you.

The five sections that actually matter

Forget the corporate incident-report format. For smart contract failures, you need these, in roughly this order.

The one-line summary. Not a paragraph. One sentence a security analyst can scan in three seconds. "Attacker drained X token via an unchecked delegatecall in the staking module, losing roughly $Y." If you can't compress it that far, you don't understand your own incident yet.

The timeline. Block numbers and timestamps, not vibes. When was the vulnerable contract deployed. When did the first suspicious transaction land. When did the team notice. When did you pause, patch, or migrate. The gap between "first attack transaction" and "team noticed" is often the most damning number in the whole document, and it's the one people try hardest to fudge.

Root cause, in code. This is where most post-mortems chicken out. Show the actual function. Show the vulnerable line. Explain the assumption the code made that turned out to be wrong. "A logic error" is not a root cause. "The withdraw function updated the balance after the external call instead of before" is a root cause.

Impact and fund flow. How much, in which assets, moving to which addresses. If funds were bridged or mixed, say so. If you recovered anything, say how. Vague impact numbers make the whole document look like a cover-up even when it isn't.

What changes now. The part everyone skips. New test coverage, a re-audit, a bug bounty, a monitoring rule that would have caught this earlier. If your answer is "we'll be more careful," you've learned nothing and neither has anyone reading.

Root cause is where you earn credibility

I've read a lot of these. The teams that come out of an incident with their reputation intact are almost always the ones that were brutally specific about what broke. The ones that hedge, that blame "an unforeseen edge case," that never quite name the vulnerability class, those teams tend to get hit again.

Be honest about which category the bug fell into. Reentrancy, integer issues, access control gaps, oracle manipulation, signature replay, upgradeability mistakes. Name it. When you name the class, you let every other developer working with a similar pattern go check their own code. That's the entire point of writing the thing.

And attach the audit history. Was this contract audited? By whom? Did the audit cover the vulnerable function? Sometimes the honest answer is "yes, it was audited, and the auditor missed it," which is uncomfortable but useful. Auditors are not infallible, and pretending otherwise helps nobody. The firms in this space, CertiK, OpenZeppelin, Trail of Bits, Quantstamp, SlowMist, Hacken, ConsenSys Diligence, all have public findings that got exploited later. It happens. Documenting it is how the tooling improves.

Where the template meets live monitoring

A post-mortem is reactive by definition. You're writing it after the money's gone. But the timeline section gets a lot easier to fill out honestly when you already have monitoring data to pull from, instead of reconstructing events from block explorers at 3am.

This is roughly where a platform like BlockVet fits into the workflow. The intelligence dashboard tracks security scoring and risk assessment across more than 3,000 live projects, so when you're documenting an incident you've got context on the project's vetting status going in, not just the wreckage coming out. The watchlist and real-time monitoring mean the "when did we notice" gap can shrink from days to something a lot less embarrassing.

None of that replaces a proper audit, and I wouldn't pretend it does. Automated scoring catches patterns; it doesn't catch every novel logic flaw a determined attacker will find. But having a security intelligence layer running alongside your deployment gives your post-mortem a factual spine instead of a guessed timeline.

Make it public, make it structured, make it searchable

The last mile is distribution. A post-mortem locked in a private Notion doc helps your team and nobody else. Publish it. Use consistent headers so people can scan across incidents. Tag the vulnerability class so the next developer searching "delegatecall exploit staking" actually finds your write-up.

Industry-wide learning only works if the documents are findable and comparable. If every team uses its own freeform format, we're stuck reading prose and guessing. If enough teams adopt something close to the structure above, you can start seeing patterns across incidents, which classes recur, which contract types get hit most, where audits consistently fall short.

Write the ugly version. The one with the real timestamps and the function that broke. Frankly, that's the only kind worth publishing, and it's the kind that stops someone else from repeating your bad week.

Written by the CreatorFetch.com editorial team.