Don't forget to audit your browser (the thing without a version number anymore and with various metatemplates and it dynamically downloads on every load) and its implementation of ECMAScript. But everyone already knew that.
By that logic, you can't know KeePass is safe without auditing Mono, your compiler, your checksum tool, the editor you used for the audit, the logic gates of your CPU, etc. Auditing anything is impossible.
If you can't get a copy of Firefox that you trust hasn't been altered as part of a conspiracy to make you believe OneShallPass is a legit password manager, you've got bigger problems.
Really, auditing this is impossible.