Arbitrary Execution performs a variety of services, one of which is smart contract audits. We receive a lot of questions from potential clients, but one of the most common questions we receive is “When should we schedule our audit?” In this post, we hope to answer that question and provide some resources in case you aren't thinking about scheduling just yet.
Hopefully, you are already convinced of the critical importance of auditing smart contracts, and you’re looking to gain more insight into how to integrate auditing into your software development process. If you’re not convinced of the importance, let’s take a moment to talk about smart contract security before we dive into scheduling.
Smart contract audits are an essential part of the process of designing professional decentralized applications. The term “software audit” may be new to you, but the concept of software audits is not new, and not at all unique to smart contracts. In the traditional software world, independent software auditors may be brought onto a project to achieve various goals such as examining software products to probe for potential bugs and other quality issues with the code, ensuring the code meets the design requirements, and verifying compliance with specific standards. There, auditing is most often encountered on large-scale and mission-critical projects, where the consequences of a bug can be catastrophic and there is potential for significant permanent loss. Sound familiar?
There are no do-overs if your plane crashes due to unaudited flight control software, just like there are no do-overs if hackers steal millions of dollars from your unaudited DeFi contract. The immutability of the code and the irreversible nature of smart contract transactions make auditing an essential step prior to deployment.
Keep in mind that hackers will perform security audits of your code on their own. They will go through much of the same process that professional auditors do, looking for weaknesses in the code that can be exploited for their personal gain.
Okay, now back to the topic of scheduling.
How far ahead should you schedule your smart contract audit?
The sooner you begin to engage with auditing firms the better. Professional security auditors are in high demand, and top-tier audit companies typically book new audits several months in the future. Start talking to companies early to get an idea of the size of their respective backlogs, and also to work together to estimate how many weeks your audit might take. These early conversations are important to help you establish confidence in your chosen audit team well in advance of when your code is ready for an audit.
There are several steps in the audit process from beginning to end that you should be aware of so that you can plan for them:
- Initial scoping and negotiating: Before the audit can be scheduled, the auditors need to determine how many weeks will be required to examine every line of your code. Typically, the contract code is shared privately with the auditors under a non-disclosure agreement signed by both parties. The code doesn’t necessarily have to be finished at this point; if it’s not quite done, you should be able to work out an agreement that no more than X lines of additional code will be added prior to the start of the audit. To determine the amount of time required for a proper audit, the auditors will look at the number of lines of code, the code complexity, and the code quality (e.g., are there docstrings?), and will make recommendations on which contracts should be in-scope for the audit, and which can be safely excluded. Audits are typically scoped and scheduled in integer multiples of weeks. Here at Arbitrary Execution, we send clients a pre-audit checklist that outlines steps that can be taken to minimize auditor spin-up time and get you the most value out of the engagement.
- The audit: This typically takes 1 to 4 weeks, depending on the amount of code being audited. A reputable firm will assign two or more auditors to focus solely on your codebase during this entire period. At the end of the audit period, the auditors will deliver a draft report with their findings and recommendations.
- The fix period and fix review: After your team receives the draft audit report, your developers will need some time to digest it, decide which recommendations to implement, and then implement the suggested fixes. Ideally, you can turn these changes around in a week or so, while the auditors still have your project fresh in their minds. Once the updated code is handed back to the auditors, they will review the implementation of the changes (aka the “fix review”) to ensure existing issues have been addressed and no new issues have been introduced. The turnaround time for this process is typically anywhere from a few days to a week, but if the fixes aren’t done in a timely manner, there may be an additional delay of a week or so in getting back on the auditor’s schedule for the fix review.
- Release of final audit report: After the fix review, the draft report will be updated to show the resolution of each issue, i.e., the issue was completely fixed, partially fixed, or not fixed at all. The final report will be delivered back to you and it’s up to you whether or not to release it publicly, but for transparency, this is strongly recommended. The auditing firm may request a joint public release of the audit report, which benefits both parties from a marketing perspective—you build public trust in your protocol by demonstrating that it has undergone a professional audit, and the auditors can highlight their work with your project to the community.
To get the most value out of the audit engagement, your audit should not start until the code has been fully implemented and thoroughly tested. The auditors will request a fixed commit to audit, ideally in a branch that remains frozen during the audit period with no additional commits. You might be able to squeeze in a tiny last-minute change at the start of the audit, but after that point, the code needs to be frozen because a moving target cannot be properly audited.
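As an added example (not code from the original post or from Arbitrary Execution), the following Python script ties together the scoping inputs described above (lines of code, presence of docstrings) and the code freeze: it builds a per-file scope manifest for the frozen commit and reports any file that drifts afterwards. The sample Solidity sources and the commit strings are constructed placeholders.

```python
import hashlib
import re

SAMPLE_FILES = {  # constructed stand-ins for a repo's in-scope .sol files
    "contracts/Vault.sol": (
        "pragma solidity ^0.8.0;\n"
        "contract Vault {\n"
        "    mapping(address => uint256) public balances;\n"
        "    /// @notice Deposit ether for the caller (NatSpec line comment)\n"
        "    function deposit() external payable {\n"
        "        balances[msg.sender] += msg.value; // credit caller\n"
        "    }\n"
        "}\n"
    ),
    "contracts/Math.sol": (
        "pragma solidity ^0.8.0;\n"
        "/* plain block comment, not NatSpec */\n"
        "library Math { function min(uint256 a, uint256 b) internal pure returns (uint256) { return a < b ? a : b; } }\n"
    ),
}

def count_sloc(source: str) -> int:
    """Non-blank, non-comment lines (a // inside a string literal is not special-cased)."""
    no_block = re.sub(r"/\*.*?\*/", "", source, flags=re.S)  # drop /* ... */ first
    lines = (re.sub(r"//.*", "", ln).strip() for ln in no_block.splitlines())
    return sum(1 for ln in lines if ln)

def has_natspec(source: str) -> bool:
    """True if the file carries any NatSpec comment (/// or /** ... */)."""
    return re.search(r"///|/\*\*", source) is not None

def build_manifest(files: dict, commit: str) -> dict:
    """Scope manifest to agree with the auditors: per-file SLOC, NatSpec flag and sha256."""
    entries = {p: {"sloc": count_sloc(s), "natspec": has_natspec(s),
                   "sha256": hashlib.sha256(s.encode()).hexdigest()}
               for p, s in sorted(files.items())}
    return {"commit": commit, "files": entries,
            "total_sloc": sum(e["sloc"] for e in entries.values())}

def detect_drift(frozen: dict, current: dict) -> list:
    """Paths whose content changed, appeared or disappeared since the freeze."""
    def digest(m, p): return m["files"].get(p, {}).get("sha256")
    return sorted(p for p in set(frozen["files"]) | set(current["files"])
                  if digest(frozen, p) != digest(current, p))

if __name__ == "__main__":
    frozen = build_manifest(SAMPLE_FILES, commit="<frozen-commit>")  # placeholder hash
    edited = dict(SAMPLE_FILES)
    edited["contracts/Vault.sol"] += "// post-freeze commit\n"  # any commit moves the target
    print("drift since freeze:", detect_drift(frozen, build_manifest(edited, "<head>")))
```

Running the manifest again against the branch head at the start of the audit (and at fix review) gives a quick, reproducible answer to "has the target moved since the commit we agreed on?"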
To summarize, depending on the size of your smart contract code, plan to add around 2 to 8 weeks at the end of your release schedule to account for auditing. Expect to schedule the audit several months in advance of your code freeze date.
At what point in the process should you get an audit?
It is highly recommended to obtain an audit prior to every deployment of new smart contract code.
Before the initial launch of your project, you’ll certainly want to have a full security assessment of the smart contract code. But if your codebase is under active development, you shouldn’t consider the security audit a “one and done” activity. Once your team has launched the initial version, you will likely want to add new features as your project grows. Continuous auditing of every release is highly recommended—even a seemingly innocuous single-line change to a contract could introduce a new bug, so it’s important to have auditors look over any code changes prior to deploying a new contract version.
The cost and aforementioned time constraints associated with smart contract auditing are at odds with making small incremental changes to contract code, so some extra effort may be required to plan the release of new features in batches that are right-sized to fit into available audit slots. For a project that is actively developing new releases, you may want to schedule several audits far in advance so that you’ll have a slot booked when the time comes, even if you don’t yet know exactly what code will be shipped.
Security audits are an essential part of the software development process for any smart contract that puts significant value or your reputation at risk. Scheduling a smart contract audit requires careful planning to avoid delays and to ensure that you keep your initial and subsequent product launches on schedule. Having insight into the auditing process is key, and hopefully, after reading this article you’ve got a better understanding of what to expect. If you have any questions about smart contract auditing or are ready to schedule an audit, please reach out to us at firstname.lastname@example.org.