So you have decided to schedule a smart contract audit for your upcoming Web3 project? Congratulations! Smart contract audits play an essential role in securing your project and protecting the funds of your users. Audits are a battle-tested approach to securing Web3 projects, both large and small. However, the success of an audit and the quality of the final audit report largely depend on the smart contract auditor you choose. With so many audit companies in the market to choose from, how should you go about selecting the best smart contract auditor?
Choosing the best smart contract auditor
Completing due diligence for choosing the right smart contract auditor can help ensure a successful and fruitful audit engagement. There are several factors you should look at when deciding on a smart contract auditor:
Past audits and audit report quality
One of the best ways to gauge a smart contract auditor's experience level and quality is to review their past audits and any security incidents their past clients suffered afterwards. While it is impossible for smart contract auditors to guarantee that clients will never experience a hack, an auditor with several clients who have since been hacked may be a sign of low quality.
In addition to looking over the past clients of a smart contract auditor, you should review the final audit reports. Auditors who frequently report few or no findings in their audit reports are likely not experienced enough to find nuanced issues. Additionally, the audit reports should be clear, concise, and easy to read. Remember, if you intend to showcase your audit report to your community and shareholders, it is vital that the auditor can clearly communicate the issues they found during the audit in their report.
It is also a good idea to directly contact clients who have been audited by the smart contract auditor in the past. This allows you to gain insight into the auditor's process for audit engagements, what the clients liked and disliked about the auditor, and more. Reputable smart contract audit companies should be willing and able to provide references who can attest to their quality and ability.
Supported programming languages and technologies
Not all audit companies will have the experience necessary to audit your smart contracts, especially if they are written using less common programming languages. Using off-chain components or specialized cryptography may also limit the pool of experienced auditors you may choose from. Therefore, it is important to accurately communicate the technologies and programming languages being used in your project to a prospective smart contract auditor.
If your project relies heavily on the technology of a specific blockchain, you may be able to solicit auditor recommendations directly from the blockchain's parent company or foundation.
Scheduling, scope, and cost
Audit scheduling, scope, and cost are inevitably intertwined when choosing a smart contract auditor. Ideally, you should schedule your smart contract audit well before the actual engagement start date. If not, you may be unable to work with your preferred smart contract auditor or face paying a premium for an audit slot.
The scope of your code may also impact auditor availability; for example, many audit companies can reasonably accommodate a 2-week audit if given 1-3 months' notice. However, if the scope of your audit is 4 weeks or more, you should expect to wait for an audit slot. For a more detailed discussion of audit scheduling, see our blog post on When to Schedule Your Smart Contract Audit.
Now, let's talk briefly about audit costs. In general, the higher the audit quality, reputation, and brand recognition of the auditor, the higher the cost per audit will be. While it is possible to find a quality smart contract auditor at a good price, remember the saying, "you get what you pay for." Expecting a high-quality audit at a low price will inevitably lead to disappointment.
Audit procedure
The audit procedure that each audit company follows is one of the most commonly overlooked components of an audit. Overlooking it makes it easy for an audit engagement to finish with little to no insight into what actually occurred. Audits should feel like a collaborative effort between the auditors and your development team. Therefore, reputable smart contract auditors should have an easy-to-understand audit procedure that is clearly communicated before an engagement begins. In addition, the auditor should notify you upon the completion of each step in the procedure, giving you insight into the progress of your audit. A lack of communication and understanding of the audit procedure can greatly diminish the value of an audit.
Additional security services
Some smart contract audit companies now provide additional security services that can be included with an audit engagement. Monitoring recommendations, in-house monitoring solutions, smart contract fuzzing, and formal verification are some of the services offered by select audit companies. You should consider if any of these additional services would benefit your project and if you would like to pursue them during the course of your audit. Depending on the services you have in mind, this can greatly reduce the number of smart contract auditors to choose from.
What about audit contests?
With all that we have covered, there is still one more type of audit to talk about: audit contests. Audit contests have risen in popularity due to their proven track record of finding bugs, their ability to be scheduled rapidly, and the increased engagement they bring to a project and its community. However, an audit contest should not be viewed as a replacement for a smart contract audit done by an audit company. While audit contests excel at finding bugs and edge cases in your code, they are typically unable to produce the holistic security review that an audit company can provide. Therefore, audit contests should be considered a supplemental means of bolstering the security of your project.
Why Arbitrary Execution is the right auditor for your needs
Arbitrary Execution is a group of experienced security professionals providing high-quality smart contract audits that suit your needs. Our extensive background in Web2 security, along with our domain expertise in Web3 security, enables us to provide audits for not only smart contracts but off-chain code as well. Our expertise has been trusted by companies such as Milkomeda and Aztec to secure their code. Check out our publications to learn more about how we helped secure Milkomeda’s bridge and Aztec’s privacy rollup processor. Interested in getting an audit? Please reach out to us at firstname.lastname@example.org to learn how we can help secure your project.