Updated August, 2022 – Smart contract audits are a critical part of crypto security. Diligent audits from a quality firm help catch bugs and issues, as well as demonstrate that a protocol is serious about safety. Not all audit firms are created equal, however. The best smart contract auditors have a proven track record of protecting users, and are actively involved in the safety community.
Let’s get one thing straight first – no audit firm can 100% guarantee that a protocol will never be exploited. Where there is computer code, there is risk, and bugs. That said, the best smart contract auditors employ skilled teams which conduct thorough, comprehensive reviews.
High tier firms often offer additional services for ongoing monitoring or incident response assistance. Lower quality audit firms may be inexperienced, incompetent, or not diligent enough to catch complex issues. Some firms have a history of certifying protocols which later experienced exploits.
Knowing the quality of the auditor(s) is critical to judging the safety of a project. Users should always do their due diligence before interacting with smart contracts. To help out, I’ve compiled a ranked list of audit firms based on their past history.
Read on for some bonus tools to help stay safe when dealing with micro-cap projects and memecoins which don’t have formal audits!
The Best Smart Contract Auditors
This ranking takes the history of the auditor into consideration in several ways:
- Do protocols that they certify frequently experience exploits?
- Are they working with large, serious projects handling massive amounts of funds?
- Do they engage in public incident analysis or incident response?
- Are they contributing to the safety of the whole community by building open-source security tools, contributing to public code libraries, or conducting public education?
- Are they a well-established company, or were they formed recently?
Based on these criteria, the auditors are classified into their appropriate grouping.
- A-Tier: Industry Leaders – these companies set the standard for diligence, competence, and thoroughness, but command high prices and are booked far in advance.
- B-Tier: Recommended Auditors – high-quality companies with good track records, lacking only the mystique and proven history of the top tier firms. Protocols who are serious about security but unwilling to pay the premium for an industry leader are recommended to engage a firm from this tier.
- C-Tier: Acceptable Auditors – these companies are generally okay, but can have meaningful issues. They may have blemishes on their track record, were previously well-regarded but have fallen from grace, or just produce unexceptional work. Protocols who engage firms from this tier should consider obtaining backup audits.
- D-Tier: Auditors To Avoid – companies in this tier have poor track records and major issues which make them unsuitable as a serious effort to improve security. Audits from firms in this tier may even do more harm than good due to providing a false sense of security.
A-Tier: Industry Leaders
Trail of Bits
Trail of Bits is a leading audit firm trusted by industry giants such as Yearn. Their list of reports reads like a who’s who of big name protocols.
Trail of Bits also produces a truly heroic amount of open source work. Their team recently discovered vulnerabilities in widely used encryption libraries, and they maintain the popular open source smart contract security analysis tools Slither and Echidna.
OpenZeppelin’s open source smart contract libraries are industry standard for much of the crypto world. Their security division also has a strong track record, and were recently awarded a large contract to provide ongoing security for Compound, beating out Trail of Bits and ChainSecurity.
Notably, they are capable of highly complex audits including the Solidity compiler itself, at the behest of the Ethereum Foundation.
ConsenSys Diligence is the audit and security arm of ConsenSys, a corporation containing blockchain infrastructure giants like MetaMask, Infura, and Truffle. In addition to their audit services, Consensys produces a variety of open-source and closed-source security products, including the powerful MythX product suite.
8-year veterans, the team has conducted audits for well-known protocols such as Fei, Aave, Balancer, Bancor, ENS, PoolTogether, and 1Inch. There is one notable hack of a ConsenSys-audited protocol, the exploit of Growth DeFi for $1.3 million USD. However, the exploit occurred on code that was not in scope for the ConsenSys audit, so it is not counted against them.
Runtime Verification is a security firm with a special focus on formal verification. Formal verification is a time-consuming but extremely thorough way of mathematically proving that a piece of code meets a set of exactly written standards. They also perform traditional audits.
Their list of partners is long and pedigreed. Notable audits include the ETH 2.0 Beacon Chain, Tezos, OlympusDAO, Algorand, Maker, Gnosis, and others. They are also actively publishing research articles.
Certora is a security firm exclusively providing formal verification services. Their Certora Prover tool is one of the most powerful suites available for executing formal verification. Certora has also sponsored community education events, working with the Secureum auditor bootcamp.
They have worked extensively with Sushiswap and Aave, as well as with other large protocols. Certora is often employed in the wake of an incident, to provide extra assurance that issues have been appropriately fixed.
B-Tier: Recommended Auditors
Paladin is a blockchain security firm specializing as an auditor for smaller protocols. This “small business” target demographic means they have produced a high volume of work. Many of the protocols on RugDoc feature Paladin audits.
Paladin represents a good quality audit firm, especially for their niche. Micro-cap projects are exposed to a wide array of risks. Teams may simply be malicious, or may lack the technical expertise to correctly implement audit findings. Small teams or single developers may lack the time to adequately manage their projects. Young projects can also experience front end exploits, governance attacks, or compromised admin accounts – none of which are covered by a smart contract audit.
Two protocols audited by Paladin are known to have been exploited. VultureSwap was hit for $500k USD after developers failed to correctly implement fixes to an audit finding. Another protocol performed changes after the Paladin audit which introduced a bug leading to the exploit, which can’t be held against the auditors.
Users participating in micro-cap projects should be aware of the additional risks they are engaging in. Even a good audit is not a magic bullet, and micro-cap projects are particularly prone to use audits as a marketing tool rather than a serious risk mitigation.
Halborn is a full-service security company providing smart contract audits, penetration testing, and security consultation. They have produced a large body of work over several years. Notably, they audit contracts for alternative blockchains such as Algorand, Cosmos, Solana, Tezos, and NEAR, in addition to Ethereum.
Their publicly-available smart contract audit reports are of good quality, and there are no known exploits of Halborn audited protocols. Their blog has a series of nice articles covering general security, specific incident post-mortems, and details of unique Halborn findings, like a 0-day bug in the CosmWasm language used in Cosmos smart contracts.
ChainSecurity is a Swiss blockchain security firm that has worked extensively with Maker, Curve, and others. There are no notable exploits of their audited protocols.
There is little activity on the ChainSecurity Twitter account. It is difficult to find information on the activities of this firm, so this ranking is based on their past history of working with mature protocols handling billions of USD in value.
Dedaub is a smart contract audit firm that also offers continuous security monitoring. They have performed audits for large, serious entities like Chainlink, the Ethereum Foundation, Immunefi, and Lido. They also are an active participant in the on-chain security ecosystem, discovering and mitigating multiple extremely serious bugs in the wild.
Their blog contains breakdowns of some of their most notable finds, like the Billion-Dollar No-Op. Some of their audit reports are available publicly, and are of good quality.
C-Tier: Acceptable Auditors
Quantstamp is a blockchain security firm with a wide array of projects under its belt. The team has conducted audits of high profile and high complexity projects, including the Cardano, Binance, and Solana blockchains, ETH2.0 clients, Curve, and Axie Infinity, to name a few.
Three Quantstamp-certified projects (Alpha Finance, Saddle, and Rari) have experienced high profile hacks in the past, for total losses on the order of $47 million USD. While these exploits have special complicating factors which shift some blame away from the auditing firm, that history still knocks them down to C-tier.
The Alpha Finance hack, for $37 million in losses, was an extremely complex exploit against publicly unreleased contracts, with substantial evidence pointing to an inside job. The $10 million USD Rari exploit was also an extremely complex, cross-chain exploit which involved interaction with many other protocols. The Saddle Finance exploit was an arbitrage attack on an inefficient protocol, not a smart contract bug per se.
Quantstamp serves as a reminder that even high quality audits cannot magically protect a protocol from attack. Good governance practices, trustworthy teams, and caution when interacting with other sets of money legos are all required to minimize risk.
Omniscia is a growing blockchain security firm, with around 80 protocols audited. Their clients tend to be younger protocols as well, counting OlympusDAO, Rari, KlimaDAO, and Tokemak among them. Audit reports for the firm are available publicly. The Twitter account is mostly PR, with little educational content.
In Apr. 2022, the Omniscia-audited protocol Beanstalk DAO suffered a flashloan governance exploit for total loss of protocol funds – $183 million USD. There is some controversy surrounding the attack. The Omniscia post-mortem and team statements are adamant that the code in question was not in their audit scope. Others have suggested that while some code contributing to the hack was indeed introduced post-audit, the lynchpin of the attack (the fact that the emergencyCommit function was vulnerable to governance attack) was in scope, and not commented on by the audit team.
Coinspect is a security firm founded in 2014, offering audits, penetration testing, and security consulting. They have no high-profile exploits on their record, but do not have a large body of publicly available reports. What reports are available (example) are of decent quality.
There isn’t a lot of information available on Coinspect, and much of their work is with smaller protocols, although they have worked with some larger protocols such as Liquity.
D-Tier: Auditors To Avoid
PeckShield is a Chinese audit and security firm. They have audited a wide range of protocols, including the original OlympusDAO audit and some PancakeSwap contracts. Unfortunately, they are a frequent visitor to the Rekt leaderboard. Some authors have described the PeckShield audit badge as an attractant to hackers, rather than a deterrent.
While PeckShield’s audit team should be avoided, their Twitter account is actually quite useful. The handle is valuable as a good public education source, and is usually on top of breaking security news. It provides a running stream of alerts including flash loan exploits, massive slippage events, rugs, and public incident post-mortems.
Certik is a 4-year-old blockchain security company, and a frequent flier on the Rekt leaderboard. They also provide on-chain investigation and security monitoring tools, in the form of the SkyTrace and SkyNet products.
The company Twitter handle puts out security alerts and hack analysis. Analysis using their SkyNet tool is also available for their partner protocols via their website. As an example, Aave audit reports and security analysis are available here.
Arcadia Group is a blockchain development and smart contract security company out of Texas. They provide audits and software development services, as well as provide security professionals to teams on a contract basis.
They have a large black mark against them for their audit of the decentralized insurance protocol Cover. Cover experienced an infinite mint exploit which lost $9.4 million in user funds. They do not have many protocol audits to their name, and no well-known ones.
Slowmist is a 3-year-old Chinese blockchain security establishment offering a large array of security services. They maintain a convenient ledger of hacks, exploits, and scams. Notably, they provide services to the EOS ecosystem as well as more common Ethereum-adjacent chains.
A Slowmist-audited protocol, Vee Finance on the Avalanche network, was hit for $34 million USD. The contracts failed to correctly check decimals when executing trades, allowing transactions which would ordinarily fail the exchange’s slippage check to pass successfully.
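To make the bug class concrete, here is a constructed model of a slippage check that compares raw token amounts without normalising for decimals, alongside a corrected version. This is an added illustration for this article, not Vee Finance's code, and the token pair, price and tolerance are assumed values.

```python
"""Illustrative model of a decimals-normalisation bug in a slippage check.

Constructed for this article; it is not Vee Finance's code and makes no
claim about how that contract was written. Amounts are integers in token
base units, as on the EVM, and prices are 18-decimal fixed point (WAD):
price_wad = units of quote token (at 18 decimals) per 1e18 of base token.
"""

WAD = 10**18
BPS = 10_000  # basis points denominator


def to_wad(amount: int, decimals: int) -> int:
    """Rescale a raw token amount to 18-decimal fixed point."""
    if decimals > 18:
        return amount // 10 ** (decimals - 18)
    return amount * 10 ** (18 - decimals)


def min_out_wad(amount_in_wad: int, price_wad: int, max_slippage_bps: int) -> int:
    """Smallest acceptable output (18 decimals) for a given input and oracle price."""
    expected = amount_in_wad * price_wad // WAD
    return expected * (BPS - max_slippage_bps) // BPS


def slippage_ok_naive(amount_in: int, amount_out: int,
                      price_wad: int, max_slippage_bps: int) -> bool:
    """BUG: compares raw amounts as if every token had 18 decimals.
    With a 6-decimal input token the expected output is understated by
    a factor of 1e12, so a trade returning almost nothing still passes."""
    return amount_out >= min_out_wad(amount_in, price_wad, max_slippage_bps)


def slippage_ok_normalised(amount_in: int, in_decimals: int,
                           amount_out: int, out_decimals: int,
                           price_wad: int, max_slippage_bps: int) -> bool:
    """Fixed: bring both legs to 18 decimals before comparing."""
    floor = min_out_wad(to_wad(amount_in, in_decimals), price_wad, max_slippage_bps)
    return to_wad(amount_out, out_decimals) >= floor


def demo() -> dict:
    """Constructed scenario: USDC (6 decimals) <-> WETH (18 decimals) at 2000 USDC/WETH."""
    usdc_in = 2_000 * 10**6            # 2000 USDC in raw units
    fair_weth = 10**18                 # fair output: 1 WETH
    bad_weth = 10**9                   # a trade returning only 1 gwei of WETH
    price_usdc_to_weth = WAD // 2_000  # 0.0005 WETH per USDC, in WAD
    weth_in = 10**18                   # 1 WETH in
    fair_usdc = 2_000 * 10**6          # fair output: 2000 USDC
    price_weth_to_usdc = 2_000 * WAD   # 2000 USDC per WETH, in WAD
    bps = 50                           # 0.5% tolerance
    return {
        # the naive check lets a near-zero output through ...
        "naive_accepts_bad_trade": slippage_ok_naive(usdc_in, bad_weth, price_usdc_to_weth, bps),
        # ... and, in the other direction, rejects a perfectly fair trade
        "naive_rejects_fair_trade": not slippage_ok_naive(weth_in, fair_usdc, price_weth_to_usdc, bps),
        "fixed_rejects_bad_trade": not slippage_ok_normalised(usdc_in, 6, bad_weth, 18, price_usdc_to_weth, bps),
        "fixed_accepts_fair_trade": slippage_ok_normalised(usdc_in, 6, fair_weth, 18, price_usdc_to_weth, bps)
        and slippage_ok_normalised(weth_in, 18, fair_usdc, 6, price_weth_to_usdc, bps),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

When reading an audit report for a DEX or lending protocol, a finding about unit handling in price or slippage math is exactly the kind of "low severity" note that deserves a second look.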
Solidity Finance is an older blockchain security firm that claims over 1300 audits performed. Unfortunately, they have three high-profile exploits against their name, for over $50 million USD in losses. Their publicly-available audit reports are also of very low quality, and amount to little more than a page or two of notes and an automated static analysis report.
In the spirit of fairness, I contacted this firm to gain some clarification on their high-profile exploits. They were transparent about their history, the lessons learned, and what they’ve done to improve their processes. However, talk is cheap, and processes are slow to change. With their poor track record, I would have to see a significant turnaround in their results before I could recommend them to anyone in good conscience.
As the list of auditors is continuously updated, some companies may be placed into this bin until further information about their performance is available. Currently, all the covered audit firms can be ranked.
In the spirit of decentralization, organizations are popping up to coordinate freelance auditors. This is in contrast to the typical auditor model of centralized, doxxed, professional security researchers, but is closely aligned with the cypherpunk ethos at the core of crypto. As bug bounty programs show, enlisting the community to help vastly improves security versus relying on a few companies.
Code4rena (C4) works differently from most auditors. Instead of going towards the salaries of full-time security professionals as in a traditional audit firm, the payment is placed into a prize pool. An open competition is then held over a few days or weeks, and independent security researchers submit their findings to a neutral review committee. After the judging, participants are paid out of the prize pool depending on the amount and severity of their findings.
Some of the auditors on the C4 leaderboard have racked up an impressive amount of prizes from their efforts. The top contributor has earned over a million USDC! The organization is growing rapidly, and new code reviews are starting every few days. One of the primary advantages of their model is speed, as a code review can be spun up with much less lead time than a traditional audit. Lead times for C4 reviews can be as low as 48 hours.
Spearbit is a collective of independent security researchers. The organization is currently centralized, but is working towards more decentralization as they gain traction.
Spearbit serves as a single point of contact for protocols wanting audits, and handles the coordination and compensation of the various freelancers working for them. It is a young organization, with only four audit reports available. Spearbit is also working with the Secureum bootcamp project to train new auditors.
Sherlock provides a crypto-economic approach to security. The protocol operates as a DAO, with the objective of aligning the economic incentives of the audit company and the protocol. The end result is something of a hybrid between an audit firm, a bug bounty program, and a DeFi insurance company.
Sherlock is a young organization but is already making some notable, sizeable, deals, including a $10 million USD agreement with Euler Finance. They are also working with the Secureum bootcamp.
Non-Audit Security Tools
Not everyone likes to invest in established, audited, certified projects. Even those who participate in micro-cap projects, memecoins, or young protocols which do not yet have funding for a formal audit can still benefit from security tools.
Honeypot.is – an automatic contract checker for Ethereum and Binance Smart Chain.
This simple tool simulates a transfer to check whether the token is a honeypot – meaning it contains code which allows you to buy in but not to get out. This does not mean that the token can’t become one later – just that it isn’t right now.
RugDoc provides rug alerts, honeypot checkers, security reviews, emergency tools, and more.
RugDoc is easily the most comprehensive security resource for crypto degenerates. They are not an audit firm, and do not certify their findings, but do perform security reviews to assign a risk rating.
They also offer a Know-Your-Customer service, where project owners can doxx themselves to RugDoc while remaining publicly anonymous. This signals that the founder is legitimate, as they are known and will face legal repercussions if they scam.
RugDoc also has some tools like Emergency Withdraw which help users recover their funds if a frontend is taken down as part of a rug attempt, and a honeypot checker tool. They monitor for malicious activity and notify via their Twitter if they detect that protocols are preparing to rug or actively draining funds.
All users should understand that audits are not a silver bullet. The quality matters. Even good quality audits are not all-seeing or all-knowing. Users should not assume that just because an audit has been performed, everything has been caught. If a protocol publishes their audit report, it can be worthwhile to review it.
Even non-technical users can benefit from reading through an audit report! Auditors often include clear, plaintext explanations of an issue, particularly severe ones. You do not necessarily have to know Solidity to get a feel for the project, although it does help (See also: how to read smart contracts without learning Solidity).
I’ve written a comprehensive guide on how to read smart contract audit reports to help get you started. Some key points to look for:
- Scope of the audit – audits may not review every contract in a project ecosystem! Audits rarely cover front-end or infrastructure concerns, and offchain resources are an avenue for exploits (see the Badger frontend hack).
- Intensity of the audit – was it conducted by a single auditor over a few days, or was it multiple auditors over several weeks?
- Severity of findings – did the auditors uncover severe risks?
- Quantity of findings – audits turning up a lot of findings is not necessarily a bad thing. They are there to catch errors, after all. However, too many findings can indicate that the project developers were sloppy, unskilled, or inattentive.
- Were the audit recommendations followed up on by the project team? – this can be harder to find out sometimes depending on when the audit report was released, but is highly relevant.
- Code quality/code maturity – auditors have more freedom in this section of the report to make subjective assessments of the state of the codebase. The gut feeling of an expert can be valuable.
Take some time and read through the audit of your favorite protocol. You might be surprised, or reassured! Stay safe out there, anon.
The author has participated in Code4rena contests as an auditor, and has received compensation for vulnerabilities discovered during those contests. No compensation, tangible or intangible, has been received for the inclusion or representation of Code4rena in this article.
Since initial publication of this article, the author has developed a business relationship with Paladin. All statements regarding Paladin are reviewed by a qualified third party to avoid conflict of interest. No compensation, tangible or intangible, has been received for the inclusion, ranking, or representation of Paladin in this article.