

What is a Smart Contract Audit | Everything you need to know
What is a Smart Contract Audit | Everything you need to know
Author:
Patrick Collins
Apr 4, 2023
Request an Audit
Cyfrin is the leading smart contracts auditing firm securing the biggest companies in web3.
Request an audit
Write for us
Are you a Blockchain security researcher or technical writer? Get your articles published on Cyfrin.io!
Get your articles published
Request an Audit
Cyfrin is the leading smart contracts auditing firm securing the biggest companies in web3.
Request an audit
Write for us
Are you a Blockchain security researcher or technical writer? Get your articles published on Cyfrin.io!
Get your articles published
A smart contract audit is a time-boxed security-based code review on your smart contract/web3 system. An auditor's goal is to find as many vulnerabilities as possible and educate the client on ways to improve the security of their codebase moving forward.
Auditors use a combination of manual and automated tools to find these vulnerabilities.
Why are smart contract audits so important?

According to a research study by Chainalysis, 2022 was the year the most value ever was stolen from smart contracts.
Due to the immutability of the blockchain, once a smart contract is deployed, you can't change it, so you'd better get it right. The blockchain is an adversarial environment, and your protocol needs to be prepared for malicious users.
But even more so than just saving your protocol from hacks, an audit can improve your developer's understanding of code, improving their speed and effectiveness of features moving forward.
Additionally, there is an entire website dedicated to how many hacks happen, and we need to do our best to prevent that list from growing as a community.
Smart Contract Audit Benefits
Find vulnerabilities
Level-up developers
Teach best practices and the most modern tooling
Often, one audit isn't enough. Many protocols go on a security journey that includes multiple audits and services like:
Formal Verification
Competitive Audits
Bug Bounty Programs
We'll break these down in a future video.
Smart Contract Auditors
There are a lot of companies that offer smart contract auditing services, like:
Cyfrin <- This is us!
Additionally, there are a lot of independent auditors that do great work as well.
Smart Contract Audit Process

A typical audit looks like this:
Price & Timeline
A protocol can reach out before or after their code is finished. Ideally, they reach out some time before so the auditor can have enough time to schedule them.
Once they reach out, the teams will discuss how long the audit will take based on the scope and code complexity.
How long the audit will take depends on how many lines of code.A very rough approximation of how long an audit takes depending on how many source lines of code you have can be found here:
The duration sets the price, and at the time of recording, prices can range widely based on the different auditors. At the time of recording, a one-week-long audit can go anywhere from:
Duration: Price
1 week: $5,000 - $100,000
Commit Hash, Down payment, Start Date
Auditors need to know exactly what code they are auditing and use the commit hash of your repo to do so. Once you have a commit hash, you can reach a start date and finalize the price.
Audit Begins
Then the audit starts! Your auditors will use every tool in their arsenal to find vulnerabilities in your code.
Initial Report
After the period ends, the auditors will give you an initial report that looks like this.
All their findings are listed by severity, usually in formatted into:
High
Medium
Low
Informational / Non-critical / Gas
Mitigation Begins
The protocol's team will then have an agreed-upon time to fix the vulnerabilities found in the initial audit report. Sometimes, depending on the severity of the findings, this may be long but is often much shorter than the audit itself.
Final Report
After the protocol makes the changes, the audit team will do a final audit report exclusively on the fixes made to address the issues brought up in the initial report.

And then, hopefully, the auditors and protocols have had a great experience and will work together to stay secure in the future!
How to get the most out of a smart contract audit
To get the most out of an audit, you should:
Have clear documentation
Robust test suite
Ideally, including fuzz tests
Code should be commented & readable
Modern best practices followed
A communication channel between developers and auditors
Do an initial video walkthrough of the code
The most important part of the process, though is during the audit.
You want to think of you and your auditor as a team to get the best results out of your audit. One of the best ways to do this is to have a dedicated channel where auditors can ask questions to the developers.
Additionally, the more context, documentation, and information they can read, the better. Be sure it's easy for anyone to walk through your code and understand what it's supposed to do.
80% of all bugs are due to business logic issues, so the auditors need to understand what the protocol should do more than they should understand the actual code!
Having a modern test suite & tooling can also make it so auditors spend less time fidgeting with your tooling and more time finding issues.
A high-level video walkthrough of your code should be the first thing you and the auditors do together.
After the Audit
We highly encourage you to act on the recommendations of an audit report, we've seen too many protocols not take warnings seriously, and that be the attack vector that gets exploited.
Additionally, if you change your codebase, that is now unaudited code, and should not be pushed, no matter how small the change may be. If you change your code, you should highly consider getting that piece of code audited.
And often, depending on how much money your protocol will secure, you should consider getting another audit anyway!
What an audit isn't
Now here is the thing, an audit does not mean your code is bug-free. It's a security journey where your team should level up on security.
No matter how experienced an auditor or audit firm is, people at all levels of experience will miss something. On the sad day that happens, get together on an emergency communication channel with your auditors and figure out to remedy the situation quickly.
Insurance is often a good idea for even the most audited protocols.
So with that, now you have a good idea of the smart contract audit process end to end and what to expect. A smart contract audit is more of a security journey between the protocol and the auditors, and having a security-focused mindset doesn't end even after the audit.
If you're looking for an audit, be sure to contact the Cyfrin team. And as always, stay safe out there!
According to a research study by Chainalysis, 2022 was the year the most value ever was stolen from smart contracts.
Due to the immutability of the blockchain, once a smart contract is deployed, you can't change it, so you'd better get it right. The blockchain is an adversarial environment, and your protocol needs to be prepared for malicious users.
But even more so than just saving your protocol from hacks, an audit can improve your developer's understanding of code, improving their speed and effectiveness of features moving forward.
Additionally, there is an entire website dedicated to how many hacks happen, and we need to do our best to prevent that list from growing as a community.
A smart contract audit is a time-boxed security-based code review on your smart contract/web3 system. An auditor's goal is to find as many vulnerabilities as possible and educate the client on ways to improve the security of their codebase moving forward.
Auditors use a combination of manual and automated tools to find these vulnerabilities.
Why are smart contract audits so important?

According to a research study by Chainalysis, 2022 was the year the most value ever was stolen from smart contracts.
Due to the immutability of the blockchain, once a smart contract is deployed, you can't change it, so you'd better get it right. The blockchain is an adversarial environment, and your protocol needs to be prepared for malicious users.
But even more so than just saving your protocol from hacks, an audit can improve your developer's understanding of code, improving their speed and effectiveness of features moving forward.
Additionally, there is an entire website dedicated to how many hacks happen, and we need to do our best to prevent that list from growing as a community.
Smart Contract Audit Benefits
Find vulnerabilities
Level-up developers
Teach best practices and the most modern tooling
Often, one audit isn't enough. Many protocols go on a security journey that includes multiple audits and services like:
Formal Verification
Competitive Audits
Bug Bounty Programs
We'll break these down in a future video.
Smart Contract Auditors
There are a lot of companies that offer smart contract auditing services, like:
Cyfrin <- This is us!
Additionally, there are a lot of independent auditors that do great work as well.
Smart Contract Audit Process

A typical audit looks like this:
Price & Timeline
A protocol can reach out before or after their code is finished. Ideally, they reach out some time before so the auditor can have enough time to schedule them.
Once they reach out, the teams will discuss how long the audit will take based on the scope and code complexity.
How long the audit will take depends on how many lines of code.A very rough approximation of how long an audit takes depending on how many source lines of code you have can be found here:
The duration sets the price, and at the time of recording, prices can range widely based on the different auditors. At the time of recording, a one-week-long audit can go anywhere from:
Duration: Price
1 week: $5,000 - $100,000
Commit Hash, Down payment, Start Date
Auditors need to know exactly what code they are auditing and use the commit hash of your repo to do so. Once you have a commit hash, you can reach a start date and finalize the price.
Audit Begins
Then the audit starts! Your auditors will use every tool in their arsenal to find vulnerabilities in your code.
Initial Report
After the period ends, the auditors will give you an initial report that looks like this.
All their findings are listed by severity, usually in formatted into:
High
Medium
Low
Informational / Non-critical / Gas
Mitigation Begins
The protocol's team will then have an agreed-upon time to fix the vulnerabilities found in the initial audit report. Sometimes, depending on the severity of the findings, this may be long but is often much shorter than the audit itself.
Final Report
After the protocol makes the changes, the audit team will do a final audit report exclusively on the fixes made to address the issues brought up in the initial report.

And then, hopefully, the auditors and protocols have had a great experience and will work together to stay secure in the future!
How to get the most out of a smart contract audit
To get the most out of an audit, you should:
Have clear documentation
Robust test suite
Ideally, including fuzz tests
Code should be commented & readable
Modern best practices followed
A communication channel between developers and auditors
Do an initial video walkthrough of the code
The most important part of the process, though is during the audit.
You want to think of you and your auditor as a team to get the best results out of your audit. One of the best ways to do this is to have a dedicated channel where auditors can ask questions to the developers.
Additionally, the more context, documentation, and information they can read, the better. Be sure it's easy for anyone to walk through your code and understand what it's supposed to do.
80% of all bugs are due to business logic issues, so the auditors need to understand what the protocol should do more than they should understand the actual code!
Having a modern test suite & tooling can also make it so auditors spend less time fidgeting with your tooling and more time finding issues.
A high-level video walkthrough of your code should be the first thing you and the auditors do together.
After the Audit
We highly encourage you to act on the recommendations of an audit report, we've seen too many protocols not take warnings seriously, and that be the attack vector that gets exploited.
Additionally, if you change your codebase, that is now unaudited code, and should not be pushed, no matter how small the change may be. If you change your code, you should highly consider getting that piece of code audited.
And often, depending on how much money your protocol will secure, you should consider getting another audit anyway!
What an audit isn't
Now here is the thing, an audit does not mean your code is bug-free. It's a security journey where your team should level up on security.
No matter how experienced an auditor or audit firm is, people at all levels of experience will miss something. On the sad day that happens, get together on an emergency communication channel with your auditors and figure out to remedy the situation quickly.
Insurance is often a good idea for even the most audited protocols.
So with that, now you have a good idea of the smart contract audit process end to end and what to expect. A smart contract audit is more of a security journey between the protocol and the auditors, and having a security-focused mindset doesn't end even after the audit.
If you're looking for an audit, be sure to contact the Cyfrin team. And as always, stay safe out there!
According to a research study by Chainalysis, 2022 was the year the most value ever was stolen from smart contracts.
Due to the immutability of the blockchain, once a smart contract is deployed, you can't change it, so you'd better get it right. The blockchain is an adversarial environment, and your protocol needs to be prepared for malicious users.
But even more so than just saving your protocol from hacks, an audit can improve your developer's understanding of code, improving their speed and effectiveness of features moving forward.
Additionally, there is an entire website dedicated to how many hacks happen, and we need to do our best to prevent that list from growing as a community.
Join the newsletter!
Join the newsletter!
Sign up to stay informed about the newest trends in smart contract safety.
Sign up to stay informed about the newest trends in smart contract safety.
Sign up to stay informed about the newest trends in smart contract safety.
Enter your email
Enter your email
Enter your email
Other popular articles
Other popular articles


13 Industry Standard Smart Contract Auditing Tools 2023
13 Industry Standard Smart Contract Auditing Tools 2023


Top 10 smart contract auditing companies and services
Top 10 smart contract auditing companies and services
There are many smart contract auditing companies and services that can provide the best solutions for your audit. Find the best smart contract security auditors this year.


Formal Verification & Symbolic Execution
Formal Verification & Symbolic Execution
We look at formal verification & symbolic execution with two Trail of Bits Web3 security team members.


Fuzz & Invariant Tests
Fuzz & Invariant Tests
Smart contracts have been tested and audited, but are they truly bulletproof? Just when you think your code is secure, an attacker might exploit


What is a Smart Contract Audit | Everything you need to know
What is a Smart Contract Audit | Everything you need to know
A smart contract audit is a time-boxed security-based code review on your smart contract/web3 system.


Invariant Testing — Enter The Matrix
Invariant Testing — Enter The Matrix
The Invariant test suite we created for the security audit mentioned in this article is available on GitHub.