Top 7 Smart Contract Auditors - Patrick Collins - Medium

We look across the industry at the top smart contract auditors in Web3. Smart contract audits are the lifeblood of the Web3 security space and are crucial to ensuring we stay safe.

I am a co-founder and security researcher from Cyfrin, where we do smart contract audits. This is my opinionated take on top smart contract audit firms along with Cyfrin. The only way Web3 scales is if we increase our security, so I want to ensure that other top firms get the exposure they deserve. Auditors left off this list are not necessarily poor choices, I may have just missed them.

What is a Smart Contract Audit

A smart contract audit is a time-boxed security-based code review on your smart contract / Web3 system. An auditor’s goal is to find as many vulnerabilities as possible and educate the client on ways to improve the security of their codebase moving forward.

Auditors use a combination of manual and automated tools to find these vulnerabilities.

However, a smart contract audit does not guarantee your code is bug-free. At the end of the day, your protocol's security is your responsibility as much as your auditor's, and sometimes multiple audits or other security tooling will be needed.

A professional audit group can and will give you all the guidance you need to move forward on your security journey so you can feel confident deploying.

Why We Need Smart Contract Audits

Image from Chainalysis

The image above represents the total dollar amount stolen for the entire year of 2022; 80% of that value came from DeFi alone. According to DefiLlama, the current locked value of all DeFi is 50 billion dollars.

This means that over 6% of all DeFi value has been subject to a hack!

If we want blockchain and DeFi to come to the masses, they cannot be worried that there is a 6% chance they will wake up to find their funds exploited. We have to do better than this.

This is why audits are so important:

  • Keep your protocol safe

  • Help Web3 gain authority

  • Educate your team on best practices

That last bullet is what I call the **hidden benefit of smart contract audits.** Getting an audit and working with a group of security and smart contract experts can improve your team's skill in developing protocols. They should give you feedback on vulnerabilities and educate your team on improving. They are security and developer experts, after all!

How to Choose a Smart Contract Auditor

  1. Understand the auditor skill set

  2. Understand your price point

  3. Understand their methodology

Understand the auditor skill set

You want to ensure the auditor has done work in the domain you’re looking for an audit on. If you want an audit on Solana and you work with an EVM specialist group, you’re going to have a bad time.

Maybe you want a DeFi audit, and you’re working with a firm that only understands NFTs; this is also a recipe for disaster.

You having a bad time if you don’t know their skill set

An easy way to see what kinds of projects an auditor can do is to look at a list of their previous audits. Most auditors will have some publicly displayed audits as a showcase of work, and you can decide based on their past if they are right for you.

Understand your price point

Large firms will often cost more than smaller firms and independent auditors. Typically, you can find “cheaper” audits with smaller companies and independent auditors, but the quality can vary.

I’ve seen a **ton** of fantastic solo auditors, though, so don’t discount a solo auditor who wants to audit your protocol.

Pricing varies wildly depending on the auditors, so understand the next point to get the best idea for a price point.

Understand their methodology

Security researcher Tincho walks through his audit methodology

Before locking down any payment, you need to verify the following:

  • Exactly which auditor(s) will conduct the audit

  • Which tools they will use (fuzzing, formal verification, etc.)

  • Whether they want a communication channel between your developers and the auditors

80% of hacks are not machine auditable and often come from poor implementation of business logic. Because of this, auditors need as much context as possible in the form of:

  • Documentation

  • Q&A Channel with Developers

  • NatSpec comments in the code

If an auditor doesn’t tell you who is doing the audit, what tools they are using, or doesn’t want to have a direct line of communication between your protocol devs and the auditors, there is a good chance they are going to do shoddy work.

Additionally, I think auditors should try to improve your test suite with fuzzing/property/invariant tests, but it’s not required.

How to Prepare for a Smart Contract Audit

Imagine two random developers drop 5,000 lines of code you’ve never seen on your desk and tell you that the code needs to be cleaned up and spotless in two weeks.

Developer A tells you what the code should do, it has a test suite, and they say, “feel free to ask me any questions you may have!”

Developer B says, “Don’t talk to me till it’s done.”

Your review of developer A’s code will be 100 times better than your review of developer B’s. Be like developer A.

To get the most out of an audit, you should:

  1. Have clear documentation

  2. Have a robust test suite (ideally including fuzz tests)

  3. Comment your code and keep it readable

  4. Follow modern best practices

  5. Set up a communication channel between developers and auditors

  6. Be prepared to give an initial video walkthrough of your code

You want to think of you and your auditor as a team to get the best results out of your audit. One of the best ways to do this is to have a dedicated channel where auditors can ask questions to the developers.

Additionally, the more context, documentation, and information they can read, the better. Be sure it’s easy for anyone to walk through your code and understand what it’s supposed to do. 80% of all bugs are due to business logic issues, so the auditors need to understand what the protocol should do more than they should understand the actual code!

You can learn more about the smart contract auditing process here.

Top Smart Contract Auditors

Finally!

I wanted to make sure you had all this context before giving you this list because I’ve seen protocols that want an audit for one of two reasons:

  1. Marketing

  2. Security & Marketing

Be like #2. Getting “an” audit and treating all audits the same can be tempting but should **not** be done. You want to treat an audit like you and your auditor are teaming up to secure your code.

Here it is, my list of top 7 auditors in no particular order, and why I think they are a top auditor.

Cyfrin

Please keep in mind I am the co-founder of Cyfrin.

As someone who wants to see the success of Web3, I was furious with the state of security in Web3. $3.8B lost in 2022 is a horrifying statistic, so I felt compelled to jump in and help secure DeFi and blockchain.

The Cyfrin team has some of the top engineers and auditors in the space, like:

We thrive on finding as many bugs as possible and finding ways to improve your codebase and test suite.

Web3 security needs a new narrative, and we are excited to push the security space forward. We are a smaller group at the time of writing as we only launched 2 months ago!

You can find a list of notable audits (and skillsets) for Cyfrin here, including the Beanstalk Wells integration and LinkPool.

Trail Of Bits

I *always* tell people to check out Trail of Bits. They are one of the firms in Web3 security consistently pushing the bar in a practical sense. They don’t just give an audit, they give you all the tools you need to be successful in smart contract security as well.

The Trail of Bits team builds some of the most popular and widely used tools like:

And so many more. They are dedicated to educating the Web3 space as well with tons of free educational content and blogs.

Interview I did with Head of Blockchain Engineering Josselin

Trail of Bits is a large group consistently rated one of the top firms in Web3 for good reason, and I’d definitely classify myself as a fanboy.

You can find a list of notable audits (and skillsets) for Trail Of Bits here, like Uniswap, Yearn, and Compound.

OpenZeppelin

OpenZeppelin is another group that constantly pushes the envelope by raising the state of Web3, which is why I’m a massive fan of their work. OpenZeppelin Contracts is the standard library for Solidity that 95% of the rest of Web3 uses and trusts to build their smart contracts.

You should hold onto every report you read from the OpenZeppelin team like gold, as the information they give is some of the best in the business, and their team is constantly raising the bar for security.

OpenZeppelin is a large group used by some of the top protocols in the space, like Aave, Optimism, and Compound.

I really can’t speak highly enough about the skills of this team.

You can find a list of notable audits (and skillsets) for OpenZeppelin here.

Consensys Diligence

Consensys Diligence is the security arm of Consensys, one of the most well-known groups in Web3 and the team behind projects like MetaMask, Infura, and Truffle. Their security team is also first-class: a large group with a great track record.

The Diligence team is another team that values powerful fuzzing and recently came out with a fuzzer-as-a-service product. To me, this signals that they not only understand security, but they understand trying to scale security throughout all of Web3. You can tell when a group cares when they make tooling & educational material that makes your life better instead of hoarding it all for themselves.

They additionally have formal verification tooling (similar to Trail of Bits) if you want to go the extra mile.

You can see a list of Consensys Diligence audits here, including Aragon, RocketPool, and Fei.

SpearbitDAO

Spearbit is a decentralized network of security experts that shakes the game up.

Unlike traditional auditing firms, which employ teams of full-time security researchers, Spearbit sources top talent from everywhere in the Web3 ecosystem to assemble the best possible team.

Now you might be thinking, “wait, wouldn’t the quality vary if they have different auditors on different projects?” However, this hasn’t stopped them from consistently being one of the best in the business.

SpearbitDAO proves the decentralization ethos works, as many top auditors and researchers go solo — so periodically combining them into one group makes them all the better!

You can see a list of SpearbitDAO audits here, including SudoSwap, LooksRare, and ArtGobblers.

Dedaub

Dedaub is a lesser-known group, but I’ve only ever seen their team ship amazing reports, and it is a little confusing to me why so few people know about them.

They are another team that ships more than just security audits, with coding libraries and helpful alpha on social media.

As an ex-Chainlink engineer myself (ex-DevRel technically), I’ve witnessed the good this team can do on an audit.

You can see a list of projects they’ve worked with, including Chainlink, Liquity, and Blur.

Trust

Trust is a solo auditor consistently at the top of the competitive audit leaderboards who has done fantastic work educating all of Web3. I especially wanted to highlight him to say you don’t always need to go with a firm! Solo auditors can often be cheaper, with as much skill as, or more than, a massive firm.

He has an auditor course, consistently gives beautiful write-ups, and has made a massive impact in keeping Web3 safe by himself!

I had the pleasure of interviewing him, and he gave me all the tips and tricks one would need to move forward and be a successful security engineer in Web3.

Interview with Trust (Or)

You can see a list of Trust audits here, including The Graph and Vagabond.

More

I wanted to keep the list short because the algorithm likes it like that, but here are some more firms and solo auditors that do a fantastic job. If you think I’m missing any, let me know, and I’ll do an assessment.

Firms

Solo

🐸🐸Follow Patrick!🐸🐸

Book a smart contract audit: Cyfrin
