11 Best Smart Contract Auditing Companies

by CoinGecko

This article was brought to you in collaboration with Hacken. 

With regular exploits in the highly competitive world of DeFi, smart contract audits are a critical component of crypto security as most protocols run on an intricate set of smart contracts. In a smart contract audit, third-party entities will review the code, testing it to check for any security vulnerabilities or other potential issues. The auditor will then share a report that covers detected issues and their level of severity. 

Why is Smart Contract Auditing Important?

A good smart contract audit accomplishes two key objectives: security and trust.

Quality smart contract assurance helps identify potential issues, and ensures that the protocol is taking the necessary steps to address any bugs or flaws that could put its users’ funds at risk. Although there are no guarantees that a protocol will be secure after an audit, a good smart contract auditor can still perform comprehensive reviews to uncover potential issues, potentially preventing catastrophic vulnerabilities after launch. 

Secondly, a good audit helps the project gain a certain level of confidence and trust with the crypto community, as well as with potential VC investors, that a baseline level of security has been established. This is important not just for new projects which are launching into the market, but also for existing projects deploying a major upgrade. Instead of “testing in prod”, having an audit conducted by a third-party auditor is fast becoming standard practice before any major changes to smart contracts are deployed to production. In addition, there is now cer.live which actively tracks and rates the cybersecurity of cryptos and platforms, and at CoinGecko we incorporate these ratings into our own TrustScore.

Finally, beyond just smart contract audits, certain security firms have also branched out into offering other cybersecurity services such as penetration testing, running bug bounty programs, vulnerability assessments, and threat modeling. All these are additional services a project can engage in should they require further assistance or support. 

If you’re on a project looking for a good auditor, below are some of the factors to consider, and we also list down some of the most reputable firms out there. 

How to Choose a Smart Contract Auditor

One of the first steps in finding the right smart contract auditor is to check the portfolios of projects/platforms they have audited in the past. Doing so will allow you to see the number of audits they have worked on, and perhaps more importantly if any of the projects/platforms they have worked on have been exploited. Also, the size/popularity of the projects they have audited will help determine whether the auditor is worth hiring as larger projects will tend to attract more attention from hackers. 

While most auditors will offer Ethereum contract audits, only some will have the expertise to audit projects on altchains such as Solana, Polygon, Avalanche, Fantom, and BNB. This is because even EVM-compatible chains have different underlying architectures, not to mention that certain altchains such as Solana and NEAR use a completely different programming language altogether, e.g. Rust. Different firms are going to have different areas of expertise in auditing protocols built on different blockchains, so it would be wise to assess their level of competency before engaging them for an audit. At a minimum, you should look at an audit firm’s portfolio to see if it has conducted any past audits on your chain of choice. For example, if you are opting for a Solana-based contract audit, check the company's past audits for Solana-based projects.

One thing to bear in mind when looking at past audit reports is the methodology and approach taken by the audit firm. In many instances, the scope of an audit varies across different projects, and audit firms undertake jobs of varying complexity based on their agreement with their clients. Obviously, the more detailed and thorough the audit, the better, but it also means a longer time to completion and more cost for the project. A thorough audit also takes into account the quality of the code: while it may not be an issue now, poorly-written code could cause problems in the future when the protocol needs to be upgraded.

Finally, the quality of audit reports is another factor to look for in a good auditor. A good report should include a detailed description of all the issues that were found during the course of the investigation. It’s also very important to note if the findings of the audit have been addressed by the project. While you would expect a smart contract audit report to be quite technical, having a report which is well structured, and written concisely in a manner understandable by most people is also a good sign to look out for.

Hacken

# of projects onboarded: 700+

Total MCAP of portfolio: $100B+

Major clients: Avalanche, VeChain, Huobi, Kyber, The Sandbox, Kucoin, WhiteBit

Chains supported: Ethereum, EVM chains, Solana, Polygon, Avalanche, NEAR, Fantom, BNB

# of audited projects on Rektboard: 2

Total amount rekt: $8.5M

Hacken is a leading cybersecurity consulting company founded by security specialists and white hat hackers with a focus on blockchain security. Since its inception in 2017, Hacken has been educating and growing the ethical hacker community, making them an eminent player in the industry. Hacken has made efforts to continually nurture and build the blockchain security ecosystem with a $1.5M investment in Cer.live, and launched products such as the Hackenproof BugBounty platform with 10000+ ethical hackers, Hacken.ai, hVPN, hPass, etc. Currently, it has over 700 projects in its portfolio and secured over $100B in market cap. The company has worked with over 80 projects, including renowned names like Avalanche, VeChain, Huobi, Kyber, and more. Aside from being a blockchain security consulting company, Hacken provides a wide range of security services to its clients, such as web/mobile penetration testing, vulnerability assessments, and coordination of bug bounty programs.

In Hacken’s auditing history, two of its audited protocols, Warp Finance and Merlin Labs, were hit with a combined loss of $8.5M. The more notable attack was Warp Finance’s flash loan exploit, which resulted in the hacker being able to withdraw a $7.8M loan. However, the team was able to secure the loan's collateral, which allowed them to return 75% of users' deposited funds. After the incident, major changes focused on preventing flash loan exploits were introduced to Hacken's audit methodology.

CertiK

# of projects onboarded: 3,700+

Total MCAP of portfolio: $364B+

Major clients: Aave, BNB Smart Chain, Terra, Yearn, Polygon, Chiliz

Chains supported: All chains 

# of audited projects on Rektboard: 3

Total amount rekt: $12.2M

CertiK is a pioneer in blockchain security, leveraging leading AI technology to protect and monitor blockchain protocols and smart contracts. Founded in 2018 by professors from Yale University and Columbia University, CertiK’s mission is to secure the web3 world. CertiK applies cutting-edge innovations from academia to enterprise, enabling mission-critical applications to scale with safety and accuracy.

To date, CertiK has worked with over 3,700 enterprise clients, securing over $364 billion worth of digital assets. CertiK is regarded for its end-to-end security offering, which includes security audits, on-chain analytics, bug bounties, KYC, and penetration testing services. CertiK’s clients include leading projects such as Aave, Polygon, BNB Smart Chain, Terra, Yearn, and Chiliz.

Three CertiK audited projects have appeared on the Rekt Leaderboard (Saddle Finance, Akropolis, Arbix Finance), having suffered a total loss of $12.2M. Arbix Finance is the latest exploit with a loss of around $10M. 

SlowMist

# of projects onboarded: 1000+

Total MCAP of portfolio: $150B+

Major clients: Binance, OKX, Huobi, Pancakeswap, Crypto.com

Chains supported: Ethereum (All EVM chains), EOS, Fabric, Solana, VeChain, ONT

# of audited projects on Rektboard: 1

Total amount rekt: $34M

Founded in 2018, SlowMist is a blockchain security firm specializing in providing protection for the blockchain ecosystem. The team at SlowMist has over 10 years of experience in network security and has worked with various projects such as Binance, OKX, Huobi, Pancakeswap, and Crypto.com. Aside from providing security audits and other related services, SlowMist also offers a variety of other security-related products and services. Some of these include MistTrack, Anti-money laundering (AML) software, Vulpush (Vulnerability monitoring), and SlowMist Hacked (Crypto hack archives). The firm has partnered with various international and domestic security firms such as Akamai, Cloudflare, FireEye, BitDefender, and IPIP to provide additional value to its services. One notable SlowMist service is MistTrack, a system that tracks the movement of stolen funds. Since its launch, it has served over 60 customers and recovered close to $1B in stolen funds.

A SlowMist-audited protocol on Avalanche, Vee Finance, was hit for $34M due to failed contracts. According to SlowMist, the attacker manipulated the price of the Pangolin pool, which serves as the source of the price oracle for Vee Finance, so that the pre-swap slippage check did not function as intended.

Quantstamp

# of projects onboarded: 200+

Total MCAP of portfolio: $200B+

Major clients: Maker, Curve, OpenSea

Chains supported: Every Chain

# of audited projects on Rektboard: 3

Total amount rekt: $48M

Quantstamp is one of the most recognized smart contract auditing companies in the blockchain sector. Since its founding, it has performed over 200 audits and helped secure over $200B in value. Its team consists of PhDs and security professionals with experience at the largest technology companies, such as Google, Facebook, Apple, and the Ethereum Foundation. Quantstamp has a strong team of security experts able to provide auditing services in any language, including languages specifically designed for use in blockchain applications. The company has audited numerous blockchain systems, including Ethereum 2.0, Solana, BNB Chain, and Cardano, and protocols such as Maker, Curve, and OpenSea. Its services include auditing Layer 1 blockchains, smart contract-powered NFT and DeFi applications, and developing financial primitives for Layer 1 blockchain ecosystems.

Three projects audited by Quantstamp have experienced high-profile breaches in the past, resulting in total losses of almost $48 million. The Alpha Finance hack is one of the largest in the DeFi sector, with losses of $37.5M. The exploit was notably complex and targeted publicly unreleased contracts, with strong evidence pointing to an inside job. Rari Capital is another victim of a smart contract hack, with ~$11M worth of tokens stolen from the project. The Rari exploit was also an extremely complex cross-chain hack that involved interaction with many other protocols. Finally, the Saddle Finance exploit resulted from an arbitrage attack on an inefficient protocol, and not from a smart contract issue.

Halborn

# of projects onboarded: 150+

Total MCAP of portfolio: $75B+

Major clients: BlockFi, ApeCoin, Avalanche, THORChain, Polygon

Chains supported: Ethereum, Terra, Cosmos Tendermint, Algorand

# of audited projects on Rektboard: 1

Total amount rekt: $31M

Halborn was founded in 2019 by Rob Behnke and Steven Walbroehl, two prominent ethical hackers. Since then, the organization has grown to over 80 highly skilled security engineers. Halborn specializes in analyzing and testing blockchain applications for security vulnerabilities and design issues. By performing both manual and automated testing, they ensure that the smart contract application is ready for mainnet. The firm specializes in protocols such as Ethereum, Substrate, Solana, CosmWasm, Terra, Cosmos Tendermint, and Algorand. Its clients include BlockFi, ApeCoin, Avalanche, THORChain, and Polygon. Besides smart contract audits, the firm also provides cybersecurity consulting (Security Advisory As A Service), advanced penetration testing, and DevOps & automation.

The $31M hack of MonoX, a protocol audited by Halborn, is another multi-million dollar hack in the DeFi sector, ranked as the 22nd largest hack in DeFi. According to SlowMist, the leading cause of the attack was the swap contract’s failure to check whether the incoming and outgoing tokens in the pool were the same. Through this, the attacker was able to take advantage of the price update function, which allowed the hacker to artificially inflate the price of MONO tokens.

OpenZeppelin

# of projects onboarded: Not Stated

Total MCAP of portfolio: $10B

Major clients: Ethereum Foundation, Coinbase, Compound, Aave, The Graph

Chains supported: Ethereum

# of audited projects on Rektboard: 1

Total amount rekt: $275K 

“The standard for secure blockchain applications” is what OpenZeppelin calls itself. OpenZeppelin is a cybersecurity technology and services company known for developing its Solidity libraries, known as OpenZeppelin Contracts. Developers can easily integrate these libraries into their applications through OpenZeppelin's native SDK. Since 2015, the company has helped protect assets worth over $10B at some of the most prominent organizations in the crypto sector, including but not limited to the Ethereum Foundation, Coinbase, Compound, Aave, and The Graph. Besides this, OpenZeppelin was the first cybersecurity company to introduce gamification to identify security vulnerabilities in smart contracts. OpenZeppelin’s “Ethernaut” is a game that challenges players to find and exploit security weaknesses in smart contracts to move to the next level. The company also provides free services such as “Defender,” which helps projects automate their smart contract administration, offers a secure and private transaction infrastructure, lets them create automated scripts, and more.

Trail of Bits

# of projects onboarded: 500+ (Only For Blockchain Security Audits)

Total MCAP of portfolio: $25B+

Major clients: yearn.finance, LooksRare, Acala, Balancer, Nervos

Chains supported: Ethereum, Tezos, Polkadot, Arbitrum, Polygon, etc.

# of audited projects on Rektboard: 0

Total amount rekt: 0

Founded in 2012, Trail of Bits is a cybersecurity industry giant with an extensive list of big-name customers such as Adobe, Microsoft, Stripe, Reddit, Zoom, Airbnb, etc. The firm has three main services: Software Assurance, Security Engineering, and Research and Development. Under its Software Assurance umbrella, the company provides security audits for blockchain, software hardening, infrastructure security, threat modeling, and cryptographic review. So far, the company has conducted smart contract audits for industry giants such as yearn.finance, LooksRare, Acala, Balancer, Nervos, and more. The team at Trail of Bits doesn't just focus on blockchain security; they also develop tools that help developers and researchers find and fix critical vulnerabilities. One of these is Manticore, a multi-contract and multi-transaction emulator. Its other tools include Ethersplay, Slither, and Echidna. Besides fixing bugs and software, the firm also provides a large library of open source work and expert training courses to educate and deepen people's understanding of reverse engineering, program analysis, penetration testing, etc.

Consensys Diligence

# of projects onboarded: 100+

Total MCAP of portfolio: $11B+

Major clients: 0x exchange, Aave, Balancer, Uniswap

Chains supported: Ethereum

# of audited projects on Rektboard: 1

Total amount rekt: $1.3M

Unlike other firms on this list, ConsenSys focuses on developing cutting-edge blockchain applications and software for the Ethereum ecosystem. However, its flagship cybersecurity offering, ConsenSys Diligence, is a comprehensive security analysis service designed to perform a deep analysis of smart contracts. With ConsenSys Diligence, projects can ensure that their Ethereum application is ready and secure. This is achieved through a combination of blockchain security analysis tools and a team of experienced smart contract auditors. Over the years, the company has successfully protected over 100 blockchain companies and uncovered over 200 issues. 0x exchange, Aave, Balancer, and Uniswap are some of the projects that the firm has audited. Aside from security auditing, the company provides two other services: Fuzzing, a service that enables users to find bugs immediately after writing their first specification, and Scribble, a specification language and runtime verification tool that translates high-level specifications into Solidity code.

One of ConsenSys’ clients, The Big Combo (Growth DeFi), was the victim of an exploit. The attacker exploited a bug to make the staker contract accept a liquidity pair containing a fake token, and was able to remove $1.3M in liquidity.

Kudelski Security

# of projects onboarded: 200+

Total MCAP of portfolio: $230B

Major clients: Binance, Solana, Crypto.com, Input Output, Monero, Zcash

Chains supported: Ethereum, BNB Chain, Solana, Cardano, Cosmos Tendermint

# of audited projects on Rektboard: 0

Total amount rekt: 0

Kudelski Security is a Swiss-based cybersecurity firm that provides innovative solutions and consulting services to help organizations improve their cyber confidence. Although it was founded two years ago, Kudelski has already worked with some of the most prominent names in the cryptocurrency sector. Its clients include Binance, Solana, Crypto.com, Input Output, Monero, and Zcash. To date, the company has completed over 200 security audits, secured over $230B in market cap, and audited more than 500,000 lines of code. Aside from its blockchain security services, the company provides advisory services, technology optimization, managed security, managed detection and response, and incident response. 

ChainSecurity

# of projects onboarded: 85+

Total MCAP of portfolio: $17B

Major clients: yearn.finance, Maker, Compound, Rarible, Curve, Kyber network

Chains supported: Ethereum

# of audited projects on Rektboard: 0

Total amount rekt: 0

ChainSecurity is led by security experts from the renowned university ETH Zurich. The company has worked with more than 85 crypto organizations and established corporations, including yearn.finance, Maker, Compound, Rarible, Curve, and Kyber Network, and has helped PwC Switzerland improve its smart contract audit capabilities. To date, the company has secured more than $17B worth of assets. ChainSecurity also developed an automated audit platform that enables projects to analyze smart contracts and protect their assets. The company’s platform performs security assessments by identifying security vulnerabilities and verifying the functional correctness of smart contracts and blockchain projects. Besides that, ChainSecurity also offers automated security analysis of Ethereum smart contracts.

PeckShield

# of projects onboarded: 50+

Total MCAP of portfolio: $26B+

Major clients: EOS, Aave, Tron, Nervos, Harmony, Neo, Maker, OlympusDAO, Pancakeswap

Chains supported: Ethereum, BNB Chain, EOS, Tron, Harmony, NEO

# of audited projects on Rektboard: 8

Total amount rekt: $132M

PeckShield is a China-based audit and security firm founded in 2018. Its team members are scattered across the globe, with an extensive background in security and in various areas of the blockchain ecosystem. The company began to gain traction after it discovered issues such as the Ethereum smart contract BatchOverflow loophole. Currently, PeckShield is ranked in the top 3 globally in the Ethereum Bounty Program. The firm is a leader in providing complete security solutions for blockchain users and has audited big names in the industry such as Aave, EOS, Tron, and more. Through its various services, such as penetration testing, threat monitoring, DAppTotal, and CoinHolmes, the company seeks to provide end-to-end protection for all blockchain users. The company also educates the public through frequent updates on its Twitter account with the latest news on flash loan exploits, massive slippage events, rug pulls, etc.

PeckShield has a total of 8 appearances on the Rekt Leaderboard, with a combined loss of over $132M. One of PeckShield’s audited protocols, Popsicle Finance, was the victim of a $20M hack. The attacker exploited a vulnerability by tricking a liquidity pool on Popsicle Finance into believing that the fees owed to the attacker were equal to the total TVL of the entire pool. Other exploited protocols in its portfolio include Alpha Finance (co-audited with Quantstamp), MonoX (co-audited with Halborn), Harvest Finance (co-audited with Haechi), XToken, Superfluid, and Value DeFi.

Conclusion

Although smart contract audits are important, they shouldn’t be viewed as a magical solution to avert all forms of hacks. Instead, they should be viewed as part of a process that involves continuous improvement. Once a project has had an audit, developers should still put in the legwork to ensure that the findings are addressed, and they put in the right security practices to ensure that the possibility of future vulnerabilities is minimized. Before smart contracts can be trusted by users, the developers still need to ensure that they perform as intended. This also means carrying out security tests that are specific to the protocol.

Having an active Bug Bounty program after a security audit is also important. Rather than relying on a single security professional, Bug Bounty programs attract security experts around the globe with diverse backgrounds and varying degrees of expertise to improve the underlying security. Incentivizing a global network of experts to comb through your smart contracts for bugs ensures that all assets in scope are reviewed thoroughly.

Overall, having a security audit is still certainly very helpful to weed out any potential issues and help a project gain a certain level of confidence, and it is always recommended for users to select an auditor with a good reputation and proven track record.

CoinGecko's editorial team comprises writers, editors, research analysts and cryptocurrency industry experts. We produce and update our articles regularly to provide the most complete, accurate and helpful information on all things cryptocurrencies. Follow the author on Twitter @coingecko