I am a co-founder and security researcher from Cyfrin, where we do smart contract audits. This is my opinionated take on the top smart contract audit firms, Cyfrin included. The only way Web3 scales is if we increase our security, so I want to ensure that other top firms get the exposure they deserve. Auditors left off this list are not necessarily poor choices; I may have just missed them.

What is a Smart Contract Audit?

A smart contract audit is a time-boxed, security-focused code review of your smart contract / Web3 system. An auditor's goal is to find as many vulnerabilities as possible and to educate the client on ways to improve the security of their codebase moving forward.

Auditors use a combination of manual review and automated tools to find these vulnerabilities. However, a smart contract audit does not guarantee your code is bug-free. At the end of the day, your protocol's security is your responsibility as well as your auditor's, and sometimes multiple audits or other security tooling might be needed. A professional audit group can and will give you all the guidance you need to move forward on your security journey so you can feel confident deploying. You can learn more about what a smart contract audit is here.

Why We Need Smart Contract Audits

The image above represents the total dollar amount stolen from crypto for the entire year of 2022; 80% of that value was stolen from DeFi alone. According to DefiLlama, the current total value locked in all of DeFi is 50 billion dollars. This means that over 6% of all DeFi value has been subject to a hack! If we want blockchain and DeFi to come to the masses, they cannot be worried that there is a 6% chance they will wake up to find their funds exploited. We have to do better than this.
This is why audits are so important:

Keep your protocol safe
Help Web3 gain authority
Educate your team on best practices

That last bullet is what I call the hidden benefit of smart contract audits. Getting an audit and working with a group of security and smart contract experts can improve your team's skill in developing protocols. They should give you feedback on vulnerabilities and educate your team on improving. They are security and developer experts, after all!

How to Choose a Smart Contract Auditor

Understand the auditor skill set
Understand your price point
Understand their methodology

Understand the auditor skill set

You want to ensure the auditor has done work in the domain you're looking for an audit on. If you want an audit on Solana and you work with an EVM specialist group, you're going to have a bad time. Maybe you want a DeFi audit, and you're working with a firm that only understands NFTs; this is also a recipe for disaster. An easy way to see what kinds of projects an auditor can do is to look at a list of their previous audits. Most auditors will have some publicly displayed audits as a showcase of work, and you can decide based on their past whether they are right for you.

Understand your price point

Large firms will often cost more than smaller firms and independent auditors. Typically, you can find “cheaper” audits with smaller companies and independent auditors, but the quality can vary. I've seen a ton of fantastic solo auditors, though, so don't discount a solo auditor who wants to audit your protocol. Pricing varies wildly depending on the auditor, so understand the next point to get the best idea of a price point.
Understand their methodology

https://www.youtube.com/watch?v=A-T9F0anN1E&embedable=true

Before locking down any payment, you need to verify the following:

Exactly which auditor(s) will conduct the audit
What tools they will use (fuzzing, formal verification, etc.)
Whether they want a communication channel between your developers and the auditors

80% of hacks are not machine auditable and often come from poor implementation of business logic. Because of this, auditors need as much context as possible in the form of:

Documentation
Q&A channel with developers
Code NatSpec

If an auditor doesn't tell you who is doing the audit, what tools they are using, or doesn't want a direct line of communication between your protocol devs and the auditors, there is a good chance they are going to do shoddy work. Additionally, I think auditors should try to improve your test suite with fuzzing/property/invariant tests, but it's not required.

How to Prepare for a Smart Contract Audit

Imagine two random developers drop 5,000 lines of code you've never seen on your desk and tell you that the code needs to be cleaned up and spotless in two weeks. Developer A tells you what the code should do, has a test suite, and says, “feel free to ask me any questions you may have!” Developer B says, “Don't talk to me till it's done.” Your review of developer A's code will be 100 times better than your review of developer B's. Be like developer A.

To get the most out of an audit, you should:

Have clear documentation
Have a robust test suite (ideally including fuzz tests)
Have commented, readable code
Follow modern best practices
Set up a communication channel between developers and auditors
Be prepared to do an initial video walkthrough of your code

You want to think of you and your auditor as a team to get the best results out of your audit. One of the best ways to do this is to have a dedicated channel where auditors can ask questions to the developers.
Additionally, the more context, documentation, and information they can read, the better. Be sure it's easy for anyone to walk through your code and understand what it's supposed to do. 80% of all bugs are due to business logic issues, so the auditors need to understand what the protocol should do even more than they need to understand the actual code! You can learn more about the smart contract auditing process here.

Top Smart Contract Auditors

I wanted to make sure you had all this context before giving you this list because I've seen protocols that want an audit for one of two reasons:

Marketing
Security & Marketing

Be like #2. Getting “an” audit and treating all audits the same can be tempting but should not be done. You want to treat an audit like you and your auditor are teaming up to secure your code.

Here it is, my list of the top 7 auditors in no particular order, and why I think each is a top auditor.

Cyfrin

As someone who wants to see the success of Web3, I was furious with the state of security in Web3. $3.8B lost in 2022 is a horrifying statistic, so I felt compelled to jump in and help secure DeFi and blockchain. Please keep in mind I am the co-founder of Cyfrin.

The Cyfrin team has some of the top engineers and auditors in the space, like:

Hans | #1 Ranked Auditor as of Writing on Code4rena
Alex | Ex-Chainlink Labs Engineer in charge of $5B+ DeFi integrations
0Kage | Code4rena Top Finisher and Experienced FinTech Engineer
Carlos | Code4rena Top Finisher & Expert Solidity Engineer
Gio | Expert Solidity Engineer
Patrick | Most Watched Solidity Education Video(s) of All Time

We thrive on finding as many bugs as possible and finding ways to improve your codebase and test suite. Web3 security needs a new narrative, and we are excited to push the security space forward. We are a smaller group at the time of writing, as we only launched 2 months ago! You can find a list of notable audits (and skillsets) for Cyfrin here, including the Beanstalk Wells integration and LinkPool.

Trail of Bits

I always tell people to check out Trail of Bits. They are one of the firms in Web3 security consistently pushing the bar in a practical sense. They don't just give you an audit; they give you all the tools you need to be successful in smart contract security as well.

The Trail of Bits team builds some of the most popular and widely used tools, like:

Slither
Manticore
Echidna
Properties

And so many more. They are dedicated to educating the Web3 space as well, with tons of free educational content and blogs.

https://www.youtube.com/watch?v=3pWYvtx_sjA&embedable=true

Trail of Bits is a large group consistently rated one of the top firms in Web3, for good reason, and I'd definitely classify myself as a fanboy. You can find a list of notable audits (and skillsets) for Trail of Bits here, including Uniswap, Yearn, and Compound.

OpenZeppelin

OpenZeppelin is another group that constantly pushes the envelope by raising the state of Web3, which is why I'm a massive fan of their work. OpenZeppelin Contracts is the standard library for Solidity that 95% of the rest of Web3 uses and trusts to build their smart contracts.

You should hold onto every report you read from the OpenZeppelin team like gold, as the information they give is some of the best in the business, and their team is constantly raising the bar for security. OpenZeppelin is a large group used by some of the top protocols in the space, like Aave, Optimism, and Compound. I really can't speak highly enough about the skills of this team. You can find a list of notable audits (and skillsets) for OpenZeppelin here.

Consensys Diligence

Part of the Consensys team, one of the most well-known groups in Web3 behind projects like Metamask, Infura, and Truffle, their security team is also first-class. They are a large group with a great track record.

The Diligence team is another team that values powerful fuzzing and recently came out with a fuzzer-as-a-service product. To me, this signals that they not only understand security, but they understand trying to scale security throughout all of Web3. You can tell when a group cares when they make tooling & educational material that makes your life better instead of hoarding it all for themselves. They additionally have formal verification tooling (similar to Trail of Bits) if you want to go the extra mile. You can see a list of Consensys Diligence audits here, including Aragon, RocketPool, and Fei.

SpearbitDAO

Spearbit is a decentralized network of security experts that shakes the game up. Unlike traditional auditing firms, which employ teams of full-time security researchers, Spearbit sources top talent from everywhere in the Web3 ecosystem to assemble the best possible team. Now you might be thinking, “wait, wouldn't the quality vary if they have different auditors on different projects?” However, this hasn't stopped them from consistently being one of the best in the business. SpearbitDAO proves the decentralization ethos works: many top auditors and researchers go solo, so periodically combining them into one group makes them all the better! You can see a list of SpearbitDAO audits here, including SudoSwap, LooksRare, and ArtGobblers.

Dedaub

A lesser-known group, I've only seen the Dedaub team ship amazing reports, and it was a little confusing to me why so few people know about them. They are another team that ships more than just security audits, with coding libraries and helpful alpha on social media. As an ex-Chainlink engineer myself (ex-DevRel, technically), I've witnessed the good this team can do on an audit. You can see a list of projects they've worked with, including Chainlink, Liquity, and Blur.

Trust

Trust is a solo auditor consistently at the top of the competitive audit leaderboards who has done fantastic work educating all of Web3. I especially wanted to highlight him to say you don't always need to go with a firm! Solo auditors can often be cheaper, with as much skill as or more than a massive firm. He has an auditor course, consistently gives beautiful write-ups, and has made a massive impact in keeping Web3 safe by himself! I had the pleasure of interviewing him, and he gave me all the tips and tricks one would need to move forward and be a successful security engineer in Web3.

https://www.youtube.com/watch?v=VRK2rLFPU0o&embedable=true

You can see a list of Trust audits here, including The Graph and Vagabond.

More

I wanted to keep the list short because the algorithm likes it like that, but here are some more firms and solo auditors that do a fantastic job. Let me know if you think I'm missing any, and I'll do an assessment.

Firms
Sigma Prime
MixBytes
WatchPug
Halborn
Code4rena
Sherlock
Runtime Verification
Certora
Paladin
Dedaub

Solo
Pashov
0x52
obront.eth
Romanboehr
cccz
Akshay Srivastav
Kaden.eth

Also published here.