How to Prepare for a Smart Contract Audit

Zach Rosen
4 min read · Feb 15, 2022


Initial Reddit post linked here.

I’m the founder of a cross-chain staking protocol called Brydge. We knew that we’d need a smart contract audit at some point, but had no idea what that entailed, how much it’d cost, or what we actually needed to do beforehand. I put together the guide below to help you budding buidlers avoid some of our mistakes!

Do I need an audit?

No. Should you get one? Yes. We ran a proof of concept for months that was unaudited. Was it risky? Absolutely. You’re dealing with real people’s $$ here. Shipping unaudited code means betting your personal + company’s reputation that you’re a perfect developer. Perfect developers don’t exist. My two cents — ship your proof of concept, get some validation. If your idea is a hit, set up an audit yesterday. Bonus — audit report makes your protocol look more legitimate.

How much do audits cost?

Depends on the auditor, your code length + readability, and current demand. Our 560-line protocol was quoted $8k by Pessimistic, $40k by Certik (negotiated down to $15k), and ~$25k by Peckshield.

How long does it take to get started?

Depends on demand. Shortest was 2–3 weeks, longest 6 weeks. You can pay extra with most auditors to skip the line. Above quotes reflect standard wait time / cost.

What do I need to do before being audit ready?

First step is to finalize your repo. The more readable your code is, the less time the auditor spends going through it, and the less $$ you pay. You want as close to 100% test coverage as possible and continuous integration set up. Then, write up documentation. Consensys has a good breakdown here. In short, you need a prose explanation of what your code is SUPPOSED to do in each module / function. More detail = lower bill to pay.

Are some auditors better than others?

Up for debate. Some (Consensys, Trail of Bits, Certik) have audited more blue chip protocols, and charge more because of it. At the end of the day, you’re relying on the 1–2 developers going through your code, as well as the rigor of the auditor’s formal process. Recommendation: offset risk by planning for a second audit with another firm.

How should I view our auditor? The Solidity police, a consultant, or a final security guarantee?

As just checking a box. Auditors are experienced Solidity developers who have read and written a lot of lines of code. They’ll (hopefully) catch some things you won’t. But just as the upside is yours if your protocol takes off, the blame is yours if your protocol is hacked; it does not fall on your auditor. It’s on your core team. Your team is your internal auditing service. Hiring a third party is just getting an extra set of eyes on it. Auditing ≠ security guarantee. Wormhole was audited thoroughly, and was still sniped for $330mm.

What do auditors actually look at?

Generally, just smart contracts. If you’re building a relayer system that has a ton of trigger logic off-chain, talk to your auditor about taking a look through this too. They’ll likely do this for you, but it’ll be an extra charge.

Do auditors charge for imported libraries?

No. Your OpenZeppelin SafeMath lib will not incur an extra auditing charge. Please use as many external (audited) libraries as possible.
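As an added illustration of the two points above (readable, fully documented code for the "audit ready" section, and leaning on audited external libraries for this one), here is a constructed, hypothetical staking vault. It is not Brydge's code; the contract, its NatSpec comments and the stated invariant are all made up for the example, and the OpenZeppelin import paths are the v4 ones current when this post was written.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Audited external libraries (OpenZeppelin v4 import paths); auditors do not bill for these.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// @title Hypothetical single-token staking vault (constructed example, not Brydge code)
/// @notice Users deposit `stakingToken` and may withdraw their own stake at any time.
/// @dev Invariant for the auditor to check: totalStaked == stakingToken.balanceOf(this).
///      Assumes a standard ERC20 (no fee-on-transfer or rebasing tokens).
///      State is updated before every external call (checks-effects-interactions),
///      and `nonReentrant` blocks re-entry through non-standard token hooks.
contract StakingVault is ReentrancyGuard {
    using SafeERC20 for IERC20;

    /// @notice The only token this vault accepts.
    IERC20 public immutable stakingToken;
    /// @notice Amount staked per account, in the token's smallest unit.
    mapping(address => uint256) public stakes;
    /// @notice Sum of all `stakes`; must always equal the vault's token balance.
    uint256 public totalStaked;

    event Staked(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);

    constructor(IERC20 token) { stakingToken = token; }

    /// @notice Stake `amount` tokens for the caller.
    /// @dev Caller must have approved this contract for at least `amount`.
    /// @param amount Token amount to stake (smallest unit); must be non-zero.
    function stake(uint256 amount) external nonReentrant {
        require(amount > 0, "StakingVault: zero amount");
        stakes[msg.sender] += amount;  // effects before interaction
        totalStaked += amount;
        stakingToken.safeTransferFrom(msg.sender, address(this), amount);
        emit Staked(msg.sender, amount);
    }

    /// @notice Withdraw `amount` of the caller's staked tokens.
    /// @dev Reverts if the caller's stake is below `amount`.
    /// @param amount Token amount to withdraw (smallest unit).
    function withdraw(uint256 amount) external nonReentrant {
        require(stakes[msg.sender] >= amount, "StakingVault: insufficient stake");
        stakes[msg.sender] -= amount;  // effects before interaction
        totalStaked -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
        emit Withdrawn(msg.sender, amount);
    }
}
```

Every function states its preconditions and the contract states the invariant it must preserve, which is exactly the write-up an auditor will otherwise bill you hours to reconstruct.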

How does an audit work?

  1. You present your repo to the auditor
  2. The auditor returns a quote, estimated start time, and estimated finish time
  3. You negotiate this quote and agree to a start date
  4. You pay an upfront deposit to lock in the date
  5. Once the date rolls around, you turn over your most recent commit hashes and documentation
  6. The auditor goes through your protocol and returns to you a list of vulnerabilities
  7. You fix these vulnerabilities and return the final commit hash to the auditor
  8. The auditor verifies fixes and presents you a final PDF report outlining the audit results

What shows up in an audit report?

The good, the bad, and the ugly. If you have a gaping security flaw that’s caught and fixed, your report will show this. This is standard practice across the industry.

Do I need to open source my contracts for them to be auditable?

No. It’s more common to open source your contracts, but not required. Your audit report will just specify that your repo is private.

Tips:

Negotiate your audit cost

Customer acquisition is EXPENSIVE for auditors. They sell the same service. Pit quotes against each other.

Budget for more than expected

Stuff runs over, be prepared.

Plan for a second audit

Logic explained above.

Don’t rush to hit a deadline, push back your audit

Auditors HIGHLY prefer this and will 100% be willing to work with you. They’re devs too. They will not send you to the back of the line if you push back your start date by a bit. Be upfront if you need to do this, they will understand.

About Brydge:

Brydge enables dApps to accept any token from any network. Fractionalized liquidity is a huge hurdle for dApps to launch on smaller chains. Brydge solves this by instantly enabling cross-chain interoperability with a simple drop-in SDK.

Brydge’s team previously worked in machine learning, AI, and data science at Google Cloud, Amazon, and UC Berkeley.

Learn more about Brydge and follow us at:

Website | Twitter | Reddit | Discord
