James Bachini

Assessing Smart Contract Security Auditors


A smart contract audit can cost anything from $5,000 to $250,000 USD. Within this range there is a wide variety of services, and some offer better value for money than others.

In this article I will go through the options for founders looking to hire an auditor and some of the checks you can do to ensure you are working with the right team or individual.

  1. Smart Contract Auditing Options
  2. Assessing Previous Audits
  3. Top Smart Contract Auditing Firms
  4. Getting The Most From Your Audit
  5. Conclusion

Smart Contract Auditing Options

Auditing services come in many different forms, all with the same objective: to look for bugs and help ensure your contracts are secure.

Full Service Company

This is the most expensive option but also the most extensive. An auditing company will have multiple engineers and systems in place to provide a comprehensive service.

Auditing companies generally price their services on a per engineer per week basis, i.e. you’ll be quoted something like 2 engineer weeks (note that this may mean the audit takes one week with two engineers).

You will need to provide the contracts and scope (what should be included in the assessment) to the auditors and they will provide a quote for the work.

Individual Auditor

An individual auditor will be a single person who has experience with Solidity and smart contract security. Individual auditors will normally compete for bug bounties for a period of time before going solo and offering their services directly to clients.

With individual auditors you are reliant on a single person, so assessing their strengths and weaknesses is key. Individual auditors offer good value for money, but it may not be the most extensive option because you only get a single set of eyes looking at the contracts.

Bug Bounty Programs

The two main bug bounty programs for smart contracts are:

The benefit of using these services is that you only pay if there is a bug in your code. Be careful defining the scope and structure of your bug bounty program to avoid getting inundated with low-value copy-and-paste reports.

Bug bounty programs take more time and effort to set up and coordinate, but they can offer incredible value for money because you set up a competitive arena for multiple whitehat hackers.


Assessing Previous Audits

Before agreeing terms with an auditor you should read through their previous audit reports and ask:

  1. Did they find critical and severe bugs in the code?
  2. Did they offer useful recommendations for fixes?
  3. Is the report clearly laid out and easy to comprehend?
  4. If the protocol was audited by multiple auditors did anyone else find anything they missed?
  5. Are there false positives and insignificant bugs used to fill the space?

Past audit reports provide the best way to assess how competent an auditor is and what to expect if you employ their services.


Top Smart Contract Auditing Firms

I’ve only worked with a handful of auditors in the past but here are my top picks, alongside @0xWeisss & @Mudit__Gupta

  1. Consensys Diligence – expensive but perhaps the best
  2. @Quantstamp – always very professional
  3. @code4rena – best for bug bounties IMO
  4. @SpearbitDAO – impressive and decentralized
  5. @OpenZeppelin – wrote most of the code they’ll be auditing

For independent auditors I would literally recommend going through the leaderboard of the most recent Paradigm CTF and finding someone capable on there.

From 0xWeiss (Security Researcher):

“After reading tons and tons of reports and speaking from my experience in the auditing space, I strongly believe that the most reliable firms out there are:

Super interesting (recent) firms with top auditors too:

From Mudit Gupta (CISO @ Polygon):

“People keep asking me so here are my current top 5 (value for money) auditors that we’re using at Polygon (alphabetical order)


Getting The Most From Your Audit

Once you’ve selected an auditor to work with you need to get your code and docs in shape so they can start work.

You’ll need to provide a specific commit to work from, as most auditors require fixed, immutable code; updates made during the audit will not be considered or will be charged extra.

Comprehensive documentation gives the auditors a head start in understanding how the protocol works. Auditors will always read the docs first, if only users would do the same…

Make sure you have something in the readme which explains how to deploy the contracts on a local testnet and how to run the unit tests. This again saves time, making it easier for auditors to get the basics set up and start looking for bugs.

Throughout the audit your lead Solidity developer should be available to answer questions and assist promptly. When you are paying $20k per engineer week, make sure they have notifications turned on so the auditor can ask questions and get immediate replies.
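As an added example (not code from the post or from any of the firms mentioned), here is a small Python helper that pins the handed-over commit and hashes every in-scope Solidity file into an audit-scope manifest, then reports any drift from that frozen scope; the commit id and the sample contracts are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of one file, streamed so large artifacts are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, commit: str, patterns=("contracts/**/*.sol",)) -> dict:
    """Pin the handed-over commit and hash every in-scope Solidity file."""
    files = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                files[p.relative_to(root).as_posix()] = sha256_file(p)
    return {"commit": commit, "files": files}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Report drift from the frozen scope: modified, missing and added files."""
    current = build_manifest(root, manifest["commit"])["files"]
    pinned = manifest["files"]
    return {
        "modified": sorted(f for f in pinned if f in current and current[f] != pinned[f]),
        "missing": sorted(f for f in pinned if f not in current),
        "added": sorted(f for f in current if f not in pinned),
    }


def demo() -> dict:
    """Constructed sample: freeze two contracts, then change the tree afterwards."""
    root = Path(tempfile.mkdtemp())
    src = root / "contracts"
    src.mkdir()
    (src / "Vault.sol").write_text("contract Vault { uint256 total; }\n")
    (src / "Token.sol").write_text("contract Token { string name; }\n")
    # Commit id is a placeholder; in practice use the output of `git rev-parse HEAD`.
    manifest = build_manifest(root, commit="PLACEHOLDER_COMMIT")
    (root / "audit-scope.json").write_text(json.dumps(manifest, indent=2))
    # Post-freeze edits that an auditor would refuse or charge extra for.
    (src / "Vault.sol").write_text("contract Vault { uint256 total; uint256 fee; }\n")
    (src / "Oracle.sol").write_text("contract Oracle {}\n")
    return verify_manifest(root, json.loads((root / "audit-scope.json").read_text()))
```

Share the generated audit-scope.json with the auditor alongside the commit hash so both sides can check the reviewed code matches what was quoted.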


Conclusion

For simple tokens security audits probably aren’t required, but for more complex protocols with unique code that handles users’ funds they are borderline essential.

Developers make mistakes, things get overlooked, and we don’t consider things from the point of view of an attacker when writing the code. Having a third party come in and take a fresh look at the contracts from a security perspective is priceless.

However, not all auditing services offer value for money, and there are definitely good and bad firms operating in the industry. Be careful who you choose to work with, as it could have far-reaching consequences for the future of your project.


