Prioritise by impact: "Oracle manipulation and access control flaws cause the biggest losses after reentrancy. I use Chainlink for price feeds, TWAP for on-chain prices, and OpenZeppelin AccessControl with timelocks for admin functions."
Critical vulnerabilities: integer overflow/underflow (Solidity 0.8+ has built-in checks), front-running/MEV (commit-reveal schemes, private mempools), oracle manipulation (TWAP over multiple blocks, multiple oracle sources), access control flaws, unchecked external call return values, denial of service (unbounded loops, block gas limit), and flash loan attacks on governance. Strong candidates prioritise by real-world exploit frequency and discuss specific mitigation patterns for each.
Tests security breadth. Candidates focused only on reentrancy miss the majority of real exploits. Those who can discuss oracle manipulation, flash loan governance attacks, and front-running demonstrate production security awareness.
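The "TWAP over multiple blocks, multiple oracle sources" mitigation above, worked through as an added example (not code from the original page). The pool model, the reserves, the 5% deviation limit and the names `Pool`, `checked_price` and `simulate` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product pool (base * quote = k); fees ignored for clarity."""
    base: float
    quote: float
    cumulative: float = 0.0                      # running sum of closing prices
    history: list = field(default_factory=list)  # cumulative value after each block

    def spot(self) -> float:
        return self.quote / self.base

    def buy_base(self, quote_in: float) -> None:
        k = self.base * self.quote
        self.quote += quote_in
        self.base = k / self.quote

    def end_block(self) -> None:
        # Accumulate the closing price once per block, as a cumulative-price oracle does.
        self.cumulative += self.spot()
        self.history.append(self.cumulative)

    def twap(self, window: int) -> float:
        if len(self.history) <= window:
            raise ValueError("not enough observations for this window")
        return (self.history[-1] - self.history[-1 - window]) / window


def checked_price(twap: float, reference: float, max_deviation: float = 0.05) -> float:
    """Accept the TWAP only if an independent feed agrees within max_deviation."""
    if abs(twap - reference) / reference > max_deviation:
        raise ValueError("oracle sources disagree; refuse to price")
    return twap


def simulate(window: int = 30, skew_quote_in: float = 9_000_000.0):
    pool = Pool(base=1_000.0, quote=2_000_000.0)  # constructed reserves, spot = 2000
    for _ in range(window + 1):                   # quiet blocks build the history
        pool.end_block()
    pool.buy_base(skew_quote_in)                  # one block closes at a skewed price
    pool.end_block()
    return pool.spot(), pool.twap(window)


if __name__ == "__main__":
    for w in (30, 300):
        spot, twap = simulate(window=w)
        print(f"window={w:>3} spot={spot:.0f} twap={twap:.0f}")
```

A contract reading the spot price sees the full distortion from a single skewed block, while the TWAP moves in proportion to one block out of the window, and the cross-check against a second source rejects what is left.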