Crypto
2 min read

Smart Contract Audit

A formal review of a smart contract’s code by security specialists to identify vulnerabilities before launch. Audits reduce but do not eliminate risk; even audited contracts have been exploited.

What audits cover

A typical audit includes:

  • Code review — line-by-line examination by experienced engineers.
  • Architectural analysis — design-level vulnerabilities.
  • Common-vulnerability checks — known patterns (reentrancy, integer overflow, etc.).
  • Economic-security analysis — game-theoretic and oracle considerations.
  • Test-suite review — quality of the project's own testing.
  • Sometimes formal verification — mathematical proofs of correctness.

Output is typically a report identifying issues by severity.

Major audit firms

A few:

  • OpenZeppelin — major auditing firm; also maintains popular libraries.
  • Trail of Bits — security-focused.
  • Halborn — broad crypto coverage.
  • Consensys Diligence.
  • Spearbit — distributed network of auditors.
  • Various others.

Different firms have different specialties and styles.

Why audits matter

Several reasons:

  • Find specific bugs before deployment.
  • Demonstrate diligence to users.
  • Insurance products sometimes require audits.
  • Prevent reputation damage from exploits.
  • Common standard for production-grade DeFi.

For meaningful protocols, audits are essentially required for legitimacy.

Limitations of audits

Several important caveats:

  • Don't guarantee security. Audited protocols still get exploited.
  • Snapshot in time. Code changes after audit aren't covered.
  • Specific scope. Audits cover specific code; system-level issues may be missed.
  • Quality varies across firms.
  • Time-bounded engagement — auditors don't have unlimited time.
  • Subsequent updates can introduce new vulnerabilities.

The 2022 Ronin Bridge hack ($625M) involved code that had been audited.

Cost of audits

Approximate ranges:

  • Small protocols — $20-50K.
  • Mid-size — $50-200K.
  • Major DeFi protocols — $200K-$1M+.
  • Multiple audits for high-stakes protocols.

These costs are significant but small relative to potential exploit losses.

When audits are most needed

Higher importance for:

  • Novel protocol designs.
  • Large amounts of TVL planned.
  • Public-facing user funds.
  • Complex economic mechanisms.
  • Cross-chain interactions.

Lower importance for:

  • Simple, well-tested patterns.
  • Forks of audited protocols (with thoughtful changes).
  • Internal-use contracts.

Bug bounties

A complement to audits:

  • Ongoing rewards for finding vulnerabilities.
  • Crowd-sourced security beyond the audit period.
  • Major protocols offer substantial bounties.
  • Immunefi is a major bug-bounty platform.

The combination of audits + bug bounties + battle-testing produces stronger security than any single approach.

What individuals should know

For users:

  • Audit history is one signal of protocol quality.
  • Multiple audits from different firms is a strong signal.
  • Recent major changes without re-audit is a yellow flag.
  • No audit is generally a strong negative signal.

For developers:

  • Get audits before mainnet for serious protocols.
  • Multiple audits improve coverage.
  • Bug bounties for ongoing security.
  • Don't rely solely on audits — defense in depth.

Audits are an essential but imperfect part of crypto security infrastructure. They reduce risk significantly but don't eliminate it. Treating audited protocols as more trustworthy than unaudited is reasonable; treating them as unhackable isn't.