Smart Contract Audit | What it is, and what to expect

A smart contract audit is a time-boxed, security-focused code review of your smart contract / web3 system. The auditor’s goal is to find as many vulnerabilities as possible and to educate the client on ways to improve the security of their codebase going forward.

What is a Smart Contract Audit?

Auditors use a combination of manual review and automated tooling (static analyzers, fuzzers and, where the budget allows, formal verification) to find these vulnerabilities. The manual part matters most: tools are good at catching known patterns, but not at telling you that the code does something other than what the protocol intended.

Why are smart contract audits so important?

According to a research study by Chainalysis, 2022 was the year the most value was stolen from smart contracts.

Due to the immutability of the blockchain, once a smart contract is deployed its bytecode can’t be changed, so you’d better get it right. Upgradeable proxy patterns only change which implementation a proxy points to; they don’t let you patch deployed code in place, and the proxy and the upgrade authority become part of your attack surface. The blockchain is an adversarial environment, and your protocol needs to be prepared for malicious users.

But beyond saving your protocol from hacks, an audit can improve your developers’ understanding of the code, which improves their speed and effectiveness when shipping features going forward.

Additionally, there is an entire website dedicated to cataloguing how many hacks have happened, and as a community we need to do our best to keep that list from growing.

Smart Contract Audit Benefits

  • Find vulnerabilities
  • Level-up developers
  • Teach best practices and the most modern tooling

Often, one audit isn’t enough. Many protocols go on a security journey that includes multiple audits and services like:

  • Formal Verification
  • Competitive Audits
  • Bug Bounty Programs

We’ll break these down in a future post.

Smart Contract Auditors

There are a lot of companies that offer smart contract auditing services, like

You can see a more detailed list of the top 7 smart contract auditors here.

Additionally, there are a lot of independent auditors that do great work as well.

Smart Contract Audit Process

A typical audit looks like this:

1. Price & Timeline

A protocol can reach out before or after their code is finished. Ideally, they reach out some time before so the auditor can have enough time to schedule them.

Once they reach out, the teams will discuss how long the audit will take based on the scope and code complexity.

How long the audit takes depends mostly on how many source lines of code are in scope, and on how complex they are.
A very rough approximation of how long an audit takes depending on how many source lines of code you have can be found here:

The duration sets the price, and prices vary widely between auditors. At the time of writing, a one-week audit can go anywhere from:

Duration: Price

- 1 week: $5,000 - $100,000

The range is massive, but I have seen pricing anywhere in this range.

2. Commit Hash, Down payment, Start Date

Auditors need to know exactly what code they are auditing, and they use the commit hash of your repository to pin that down (for example the output of git rev-parse HEAD on a frozen branch or tag). That hash defines the scope: the audit covers the tree at that commit and nothing that lands afterwards, and the final report should cite it.
Once you have a commit hash, you can agree on a start date, finalize the price and make the down payment.

3. Audit Begins

Then the audit starts! Your auditors will use every tool in their arsenal to find vulnerabilities in your code.

4. Initial Report

After the period ends, the auditors will give you an initial report that looks like this.

All their findings are listed by severity, usually formatted as:

  • High
  • Medium
  • Low
  • Informational / Non-critical / Gas

High, medium, and low are assigned from the combination of impact (what an attacker gains, or what users and the protocol lose) and likelihood (how easy the issue is to trigger) of each vulnerability.
Informational, gas, and non-critical findings are not vulnerabilities; they are suggestions to improve the efficiency of your code, its structure, and its adherence to best practices.

5. Mitigation Begins

The protocol’s team then has an agreed-upon window to fix the vulnerabilities found in the initial audit report. Depending on the severity and number of findings this can be long, but it is usually much shorter than the audit itself.

6. Final Report

After the protocol makes the changes, the audit team reviews the fixes and produces a final report. This review covers only the changes made to address the issues in the initial report; any other code that changed in the meantime is out of scope unless you agree otherwise.

And then, hopefully, the auditors and protocols have had a great experience and will work together to stay secure in the future!

How to get the most out of a smart contract audit

To get the most out of an audit, you should:

  1. Clear documentation
  2. A robust test suite, ideally including fuzz tests
  3. Commented, readable code
  4. Modern best practices and tooling followed
  5. A communication channel between the developers and the auditors
  6. An initial video walkthrough of the code

However, the most important part of the process is during the audit.

You want to think of you and your auditor as a team to get the best results out of your audit. One of the best ways to do this is to have a dedicated channel where auditors can ask questions to the developers.

Additionally, the more context, documentation, and information they can read, the better. Be sure it’s easy for anyone to walk through your code and understand what it’s supposed to do.

Roughly 80% of all bugs are business logic issues, so the auditors need to understand what the protocol should do even more than they need to understand the code itself!

[Figure: breakdown of bugs between machine-auditable and non-machine-auditable]

Having a modern test suite and tooling also means auditors spend less time fighting your build setup and more time finding issues.

A high-level video walkthrough of your code should be the first thing you and the auditors do together.

After the Audit

We highly encourage you to act on the recommendations in the audit report; we’ve seen too many protocols not take warnings seriously, only for that very issue to be the attack vector that gets exploited.

Additionally, any change you make to the codebase after the audit is unaudited code and should not be deployed, no matter how small the change may be. If you change your code, get that change audited too, at minimum as a review of the diff between the audited commit and the commit you intend to deploy. Also make sure the bytecode you deploy is actually built from the audited commit with the same compiler version and settings; otherwise the report does not describe what is on chain.

And often, depending on how much money your protocol will secure, you should consider getting another audit anyway!

What an audit isn’t

Now here is the thing: an audit does not mean your code is bug-free. It is one step in a security journey in which your team should level up on security.

No matter how experienced an auditor or audit firm is, people at every level of experience will miss something. On the sad day that happens, get together on an emergency communication channel with your auditors and figure out how to remedy the situation quickly. Agree on that channel, and on who can pause or upgrade what, before launch rather than during the incident.

Insurance is often a good idea for even the most audited protocols.

So with that, now you have a good idea of the smart contract audit process end to end and what to expect. A smart contract audit is more of a security journey between the protocol and the auditors, and having a security-focused mindset doesn’t end even after the audit.

If you’re looking for an audit, be sure to contact the Cyfrin team.

And as always, stay safe out there!

😸😸 Follow Patrick Collins! 😸😸

Book a smart contract audit: Cyfrin
