
Blockchains and smart contracts need to be perfect.
Otherwise, upwards of billions of dollars could be lost to bugs and hacks.
Thus, it is best practice for developers to undergo crypto audits in order to ensure their code is functioning properly.
This becomes even more important for immutable code (that which cannot be changed once deployed).
What is a Crypto Audit?
A crypto audit is a process of reviewing the source code of a cryptocurrency project or smart contract to identify any potential security vulnerabilities or flaws. It involves a thorough analysis of the codebase to ensure that it is written correctly and does not contain any errors that could be exploited by attackers.
During a crypto audit, auditors examine the code for potential security risks, such as buffer overflows, race conditions, or other vulnerabilities that could lead to a loss of funds or data. They also verify that the code adheres to best practices and industry standards
Note: Another popular definition is crypto audits for tax accounting. Every time you sell crypto for fiat at a profit, there’s either income or capital gains tax on it. While rates and rules change by country, those that tax it consider any sale, whether it comes from trading, airdrops, staking, lending, or yield farming. Crypto tax audits are beyond the scope of this post, as it focuses on cyber-security crypto audits.
Ever since the first Bitcoin bubble, crypto has cost investors a lot of money. Thankfully many uptrends followed, but not many projects made it that far. So many tokens appeared in 2017, and by 2018, most of them were unlisted, abandoned, or insolvent. It’s still happening today.
From bug exploits to fraudulent schemes, this downfall motivated the rise of the first crypto audit companies. Their objective is to spot vulnerabilities so that core teams can correct them—or if they can’t, at least warn investors of the risk. Ideally, every major cryptocurrency should be audited and prove high security, especially if it hosts an important dApp ecosystem (e.g., Ethereum).
Most projects aren’t audited or don’t make reports public. They don’t either because the teams don’t request them, don’t need them (e.g., Bitcoin), or don’t want to share bad reports. Typically, projects that have audits but don’t show them are centralized (e.g., Solana, Tron, Ripple).
Types of Crypto Audits
Not all crypto audits are the same. The scope, methodology, and deliverables vary significantly depending on what is being reviewed. Here are the main types:
Smart Contract Audit (Most Common)
A line-by-line review of on-chain code. For Ethereum-based projects this means Solidity or Vyper. For Solana it means Rust. For Aptos and Sui it means Move. This is the audit type most DeFi projects commission before launch.
Protocol and Security Architecture Review
A broader threat model of the overall system design, including consensus mechanisms, data flows, oracle dependencies, and upgrade paths. This goes beyond code to assess whether the system design itself creates risk.
Formal Verification
Mathematical proofs that specific safety properties hold under all possible conditions. Reserved for the most critical components such as vaults, multi-sig wallets, and price oracles. More expensive and time-intensive but the highest confidence level available.
Fuzzing and Dynamic Testing
Automated tools generate thousands of random or edge-case inputs to find unexpected behavior. Tools like Echidna and Foundry are commonly used. This catches issues that static code review misses.
Governance and Treasury Audit
Reviews voting mechanisms, upgrade controls, access permissions, and treasury management. Increasingly important as DAO governance has become a primary attack surface.
Compliance and Operational Audit
Covers KYC/AML controls, asset custody, key management, and incident response procedures. More relevant for centralized exchanges and custodians than pure DeFi protocols.
Post-Incident Retrospective Audit
Commissioned after a security breach to identify root cause, validate fixes, and prevent recurrence. The Ronin Bridge audit after the Axie Infinity hack is a well-known example.
How a Crypto Audit Works: The 7 Phases
Most people imagine a crypto audit as a single expert reading through code and writing a report. The reality is a structured multi-phase process. Here is what a professional audit actually looks like:
Phase 1: Scoping and Agreement
The project team and audit firm define exactly what is in scope: which contracts, which chains, which modules. Success criteria, deliverables, and timelines are agreed upfront. Skipping this phase is one of the most common reasons audits miss critical components.
Phase 2: Threat Modeling and Architecture Review
Before touching a single line of code, auditors map data flows, identify trust assumptions (especially for oracles and bridges), and review upgrade paths and access controls. This is where systemic design risks are caught.
Phase 3: Static Code Review
Auditors inspect code for known vulnerability patterns: reentrancy, integer overflows, access control gaps, timestamp dependencies, and gas griefing vectors. This is the phase most people associate with an audit.
Phase 4: Manual Security Review
Deeper examination of business logic, edge cases, and how contracts interact with each other. This is where subtle logical flaws are found that automated tools miss entirely.
Phase 5: Automated Analysis
Static analyzers (Slither, MythX, Mythril), fuzzers (Echidna, Foundry), and linters run across the codebase. These tools surface issues at scale but require human judgment to triage.
Phase 6: Remediation and Re-Audit
Developers fix reported issues. The audit firm reviews the fixes and may run targeted re-tests. This phase is frequently skipped by teams under launch pressure, which is a significant risk.
Phase 7: Final Report and Disclosure
A comprehensive report is issued with all findings, severity ratings, remediation status, and residual risk. The team decides whether to publish the report publicly. Reports with unresolved critical or high-severity issues are typically kept private.
What Auditors Are Actually Looking For: Common Vulnerabilities
Understanding what auditors check helps you evaluate whether a report is thorough. Here are the most critical vulnerability categories in any smart contract audit:
Reentrancy Attacks
The most famous smart contract vulnerability. An attacker calls a function that sends funds before updating the contract’s internal state, then calls it again before the first call completes. The DAO hack in 2016 drained $60M this way and led to the Ethereum hard fork.
Unauthorized Privileged Access
Admin keys or owner functions that allow a single address to drain funds, pause the protocol, or upgrade contracts without governance approval. This was the root cause of the Paid Network incident where compromised admin keys allowed minting and dumping of 60M tokens.
Oracle and Price-Feed Manipulation
Attackers manipulate the price data a protocol relies on to calculate collateral ratios or execute trades. Flash loan attacks frequently exploit oracle vulnerabilities. The Monox Finance $31M exploit involved an attacker repeatedly overwriting the MONO token price.
Arithmetic Overflows and Underflows
Integer math errors where values wrap around their maximum or minimum bounds. Solidity 0.8+ includes built-in overflow checks, but older contracts and unchecked math blocks remain vulnerable.
Upgradeability and Proxy Flaws**
Contracts designed to be upgradeable introduce risks if the upgrade mechanism itself is insecure. An attacker who controls the upgrade path controls the entire protocol.
Cross-Contract Reentrancy and External Calls
Similar to standard reentrancy but triggered through interactions between multiple contracts. Harder to detect because the vulnerability spans contract boundaries.
Denial-of-Service Conditions
Gas griefing attacks or logic that allows an attacker to block essential protocol functions, such as preventing liquidations or withdrawals.
Best Crypto Audit Companies
These are the leading crypto audit firms, compared across the dimensions that matter most for project teams and investors evaluating audit quality.
Top Crypto Audit Firms: Side-by-Side Comparison
👉 Quick takeaway: CertiK leads on audit volume and public visibility; ConsenSys Diligence is the deepest choice for Ethereum-native protocols; Halborn is strongest for penetration testing alongside code review.
| Firm | Founded | Notable Clients | Specialization | Audit Volume | Best For |
|---|---|---|---|---|---|
| CertiK | 2018 | Polygon, Aave, BNB Chain, Terra Classic | Smart contracts, formal verification, SkyNet monitoring | 🏆 Largest public portfolio | Projects wanting maximum public visibility and on-chain monitoring |
| Hacken | 2017 | KuCoin, Huobi, Solana ecosystem | Smart contracts, pen testing, proof-of-reserves | 1,000+ projects |
Projects needing all-around security including exchange-level audits 🏆 Best all-around coverage |
| Halborn | 2019 | Multiple Layer-1 and DeFi protocols | Penetration testing, SDLC consulting, blockchain security | Enterprise-focused |
Teams wanting penetration testing alongside code review 🏆 Best for pen testing |
| ConsenSys Diligence | 2017 | Aave, Uniswap, Balancer, Paxos | Ethereum-native smart contracts | ~100 public audits |
Ethereum and EVM-based protocols wanting deep ecosystem expertise 🏆 Best for Ethereum-native protocols |
| Quantstamp | 2017 | Ethereum (Prysmatic), Maker, Solana | Multi-language contracts, DeFi protocols | Growing portfolio |
Blue-chip DeFi projects wanting a second or third opinion 🏆 Best for secondary audit |
| SlowMist | 2018 | Binance, OKEx, PancakeSwap, Crypto.com | Smart contracts, exchange security | Thousands of contracts |
Asian-market projects and centralized exchange audits 🏆 Best for Asian-market CEX projects |
| Chainsulting | 2017 | Apecoin, NFT and DeFi micro-projects | Smart contract audits, NFTs, bridges | 250+ reports |
Smaller projects needing focused smart contract review 🏆 Best for smaller projects |
| Fairyproof | 2021 | Tether (Oct 2021), BNB and ETH micro-caps | Smart contracts |
Limited public reports ⚠️ Newer entrant |
Secondary opinion for micro-cap projects |
How to Choose: A Decision Framework
- If you are launching a DeFi protocol on Ethereum: Start with CertiK or ConsenSys Diligence for depth, add Hacken for a second opinion.
- If you need penetration testing alongside code review: Halborn is the primary choice.
- If you are building on Solana, Aptos, or non-EVM chains: Verify the firm has audited your specific language (Rust, Move) before engaging.
- If you are a centralized exchange or custody provider: Hacken (proof-of-reserves) or SlowMist are best positioned.
- If budget is limited: Chainsulting or Fairyproof for initial review, then a top-tier firm before mainnet launch.
- Always commission at least two independent audits for any protocol holding significant user funds.
How to Read a Crypto Audit Report
Most investors never read audit reports because they assume technical knowledge is required. It is not. Here is what to look for in under 10 minutes:
Step 1: Check the Severity Breakdown
Every professional audit report categorizes findings as Critical, High, Medium, Low, or Informational. Focus exclusively on Critical and High findings first. If there are unresolved Critical issues, treat the project as unaudited for practical purposes.
Step 2: Check Remediation Status
Next to each finding, auditors list the status: Resolved, Acknowledged, Mitigated, or No Action. Resolved means the code was fixed and the fix was verified. Acknowledged means the team is aware but has not fixed it. Mitigated means a partial workaround was applied. No Action means the team chose to ignore it.
Any Critical or High finding with a status other than Resolved is a live risk.
Step 3: Check the Audit Date
Audits are point-in-time assessments. An audit from 2021 on a protocol that has undergone 12 governance upgrades since then provides limited assurance. Look for audits conducted within the last 6-12 months, or post-upgrade audits that cover the current deployed version.
Step 4: Check Scope Limitations
Every audit report includes a scope section. If the audit only covered three of eight contracts, or excluded the bridge module, those excluded components carry unaudited risk. The Ronin Bridge hack occurred on infrastructure that had no prior audit.
Step 5: Cross-Reference with Multiple Firms
A project audited by only one firm offers less assurance than one audited by three independent firms. Compare findings across reports. If one firm found issues that another missed, that tells you something about audit quality and thoroughness.
Examples of Audits That Didn’t Stop Cyber-Attacks

Security isn’t just code but how we interact with it. And due to many factors outside the reports’ scope, tokens can still crash anytime:
- Monox Finance (MONO) passed three audits from Halborn and PeckShield, the latest one from May 2021. In December 2021, it lost $31M on an inflation bug related to an unintended feature. Auditors didn’t expect an attacker to swap the same token, which repeatedly overwrote and inflated the MONO price.
- Voyager (VGX) passed the Quantstamp audit in April 2021. And while the code was secure, the token price wasn’t so much. Voyager had lent tokens to companies like Three Arrows Capital. Voyager was liquidated and bankrupt by July 2022. The token was safe, but the custodial platform wasn’t (worth $1.4B).
- Harmony (ONE) passed the Quantstamp audit in June 2021 with some low-risk issues unsolved. Exactly next year, attackers stole $97M from the Harmony Horizon Bridge. This dApp used a multisig wallet that required only 2 of 5 confirmations to approve transactions. Attackers didn’t break the app but decrypted two private keys, accessed wallets, and transferred the tokens.
- Axie Infinity (AXS) had private audits from Verichains in November 2021 before the Ronin Bridge attack in March 2022. The hack resulted in approximately $625M in losses, making it one of the largest crypto exploits on record. The attack did not exploit a smart contract vulnerability but instead compromised private keys for validator nodes, bypassing the code entirely. Post-incident, the Ronin Bridge passed a new audit from Verichains with no severe issues, but the underlying centralization risk (only 9 validators, with 5 controlled by Sky Mavis) remained the core systemic problem.
- Terra (UST) passed its latest audit (by Certik) in October 2020. But the billion-dollar crash came from misdesign, not code. The “attackers” dumped a lot of tokens to de-peg the UST stablecoin, which then inflated the LUNA supply (now LUNC) and crashed the token price.
- FTX Token (FTT) passed a Certik audit in April 2022. As with all exchange tokens, danger came from centralization. The prolonged bear market exposed the lack of liquidity and asset mismanagement. FTX goes bankrupt with ~$2B missing in November 2022, and FTT falls +90%.
- Paid Network (PAID) passed audits from Certik and Hacken in February 2021 and July 2022. The $3M “attack” occurred in March 2021 after the generation and dump of 60M PAID tokens. The cause was a compromised admin key (so it might have been a rug pull).
This should make clear how limited crypto audits are for financial security. Some exploits occurred because of undetected bugs, but most were because of mismanagement (AKA centralization). Are crypto audits really that important?
Pros and Cons Of Crypto Audits: Are They Effective?
There’s no reason not to audit a project, whether it’s a dApp, smart-contract group, or blockchain. Crypto audits do work, but not all of them do, and they can’t detect every single risk related to the token.
Cons Of Crypto Audits
Developers should be careful with how and who reviews the project. Crypto audits aren’t just a nice-to-have. They can do more harm than good:
- Audits create a dangerous sense of security.
You won’t believe the amount of hacked projects that had “no issues” according to audits. Total cyber-security is either impractical or unattainable. There’s always a way to break it, and the best way to approach “perfect” security is to always question it.
Let’s say the audit team fails to detect a critical risk, and the report says you passed the test. Not only is the bug undetected, but the positive audit dissuades you from looking any further. Until someone exploits it.
Maybe the problem is risk analysis. Core developers usually solve the most critical issues but leave the low-risk ones unsolved. Maybe the agency mislabeled a threat as low-level when it’s actually high, and now you’re dealing with those consequences.
- Audits can influence investor decisions.
It’s common practice to buy the news and sell the bad ones. This can be a problem for the previous reason. What if people decide to invest long-term in something that isn’t as safe as the audit shows (e.g., Terra & Luna)?
The opposite happens too. A barrage of bad news can scare many token holders. The team loses most of its liquidity, and if the bull market doesn’t return on time, they’re liquidated and bankrupt. Speaking of FTX.
- Crypto audits become outdated very quickly.
Crypto audits serve more as credibility markers for potential investors than actual security analyses. If your project has an ambitious roadmap and an active core team, its security is going to change with every update. Crypto auditors can’t see the future, including:
a. The governance’s decisions about project upgrades and smart-contract changes.
b. Forks and upgrades of the underlying blockchain (e.g., Ethereum versions change almost every year).
c. The security level of any new blockchains that the dApp supports in the future (e.g., Uniswap extended from Ethereum to Polygon).
- Many crypto audits are systematic and generic.
Have you ever tried contacting customer support in a large crypto exchange? Unless you phoned them, chances are that the response was copied from the Help blog. For someone to actually solve your problem, you need the persistence to message and “escalate the case.
If you’ve read a few audits from the same agency, you’ll find something similar. Reports use the exact same sentences for similar problems and suggestions as if all tokens were the same. We assume that the teams get a more specific description from the agency, but for the person reading the public report, it’s not.
One solution for this is to get reports from different auditors, just like oracles do (see Tellor). Audit agencies do this by having different developers review the code and compare it with each other. But because all reports follow the same format, it’s better to have audits from Hacken, Consensys, and Certik than just one company.
Pros Of Crypto Audits
Now, none of these cons should discourage teams from running crypto audits. But rather the opposite. Once you recognize and plan for limitations, crypto audits are well worth the benefits:
- Crypto audits can discourage hackers from attacking.
Many blockchains seem secure, not because hackers can’t attack them, but because they’re not worth the risk-reward. If a project has multiple positive, recent audits, it’s telling potential attackers that the chance of finding an exploit is minimal or very expensive. Whether the audit is right or wrong, the effect is the same.
Attackers want big rewards for low effort, so (most of them) will look somewhere else. That’s another reason why core teams don’t solve many low-threat-level bugs. Potential losses are tiny.
Luckily for developers, it seems hackers don’t like attacking the same platform. And one easy way to limit how much to lose is using multiple multisig wallets.
- Teams can learn from attacks without risking any tokens.
Many audit agencies also do penetration testing. Essentially, you pay white hat hackers to break your platform through any means they know. There’s a wide range of tactics including exploit tools, DDoS attacks, spear-phishing messages (which is how RoninChain was hacked)…
Attackers are unpredictable, and many problems aren’t obvious until you put theory into practice. That’s why penetration testing works. And the longer it takes to break things, the less likely anyone is to put in the effort.
There’s always the risk that these ethical hackers aren’t so ethical. Thankfully in crypto, such cases have never occurred (and definitely not with the top 5 audit agencies). What’s more, an anonymous hacker once stole $600M from PolyNetwork “as a warning” and then returned it (check out the story of Mr. White Hat). That would have been the second most expensive hack in DeFi and seventh in all crypto.
- Audited projects are less biased.
Decentralized or not, users overestimate how much control they have over the project. In Ethereum, for example, there’s a core team of developers gating every proposal. They decide whether or not to publish drafts as proposals, include them on forks, or remove them on later versions.
These developers have the same freedom when working with crypto auditors. The difference is that audit reports have more visibility than improvement proposals. It’s on the agency’s database, then on the news, and pages like CoinMarketCap or Messari.
Everyone will know about the project’s vulnerabilities, whether the team corrects or ignores them.
Maybe developers think they don’t need to audit the token because they can solve any issues through governance or improvement proposals. Maybe it’s because it’s a centralized network that they can halt anytime. Neither should replace crypto audits, as they bring expert feedback from outside the organization.
- Crypto audits save successful projects from tragedies.
While success is desirable, it also scales the consequences and difficulty of unsolved problems. And no matter how big a network becomes, one bad day can wipe out its market value (Luna being the clearest example). Bitcoin and Ethereum will likely remain, but should anything similar happen to them, hundreds of smaller projects could “break.”
For good or bad, small networks are less centralized. There’s less to lose, and changes are easier to make. Assuming it decentralizes as it grows, crypto audits can help to build the right foundations— not just to become but stay successful.
The same can’t be said about many top cryptocurrencies. Some stablecoins trade more volume than Bitcoin and Ethereum, but their audits are outdated, unreliable, or non-existent. Many are wondering when they will collapse.
After the Audit: Maintaining Security Over Time
A published audit report is the beginning of a security program, not the end. Here is what responsible projects do after the initial audit:
Patch and Document All Findings
Every resolved finding should be documented with the specific code change made and verified by the auditor. This creates an audit trail that supports future re-audits and governance reviews.
Schedule Re-Audits After Major Changes
Any significant code change, governance upgrade, or new chain deployment should trigger a targeted re-audit of the affected components. The original audit no longer covers modified code.
Implement Continuous Monitoring
Tools like CertiK Skynet provide ongoing on-chain monitoring for anomalous behavior. Automated alerting for unusual transaction volumes, access control changes, or large fund movements provides an early warning layer between audits.
Launch a Bug Bounty Program
Bug bounty programs incentivize external security researchers to responsibly disclose vulnerabilities. Platforms like Immunefi are the standard for DeFi protocols. A well-funded bug bounty (often 5-10% of TVL as maximum payout) signals that the team takes security seriously and creates a continuous external review layer.
Prepare an Incident Response Plan
Every protocol should have a documented plan for what happens if an exploit occurs: who has authority to pause contracts, how to communicate with users, what the recovery path looks like, and how to engage law enforcement or blockchain analytics firms if needed.
FAQ
Why are blockchain bridges attacked so often?
Every blockchain has different security, scalability, decentralization, coding language, and ecosystem. Trying to link these networks under the same rules is like trying to rule all worldwide countries from one government. It can work in theory, but one government can’t tell another how to run their country.
For blockchains, that would mean centralization, which is a security risk too. But if it’s decentralized, then blockchains have different cyber-security, and one’s vulnerabilities can affect the others. While this is true for every cross-chain platform, bridge hacks are more popular because of their trading volume.
Where can I find crypto audits for other cryptocurrencies?
Most crypto audits don’t appear on sites like CoinMarketCap. Unfortunately, there aren’t any explorers to find them all in one place. Instead, you have to check every list from the most popular audit platforms: Certik, FairyProof, Hacken, Quantstamp, and Slowmist.
Each one has different audit templates. Maybe someday there will be decentralized audit platforms the same way that there are oracles like Tellor.
What matters the most in a blockchain audit?
What matters the most is the number of critical issues found as well as the actions taken. You don’t have to understand the bug descriptions as long as you know their threat level and status. Almost every crypto auditor rates the severity of the problem and then reports the core team’s response.
Ideally, all issues are solved. But if they’re not, it’s only a matter of time before someone exploits them. If for example, an issue is “CRITICAL” or “HIGH” and appears as Acknowledged or Mitigated, it’s still a risk. If it’s low-risk and unsolved, not so much.
How much does a crypto audit cost?
Crypto audit costs vary widely based on codebase size, complexity, and the firm’s reputation. A basic smart contract audit from a mid-tier firm typically ranges from $5,000 to $20,000. Comprehensive audits from top-tier firms like CertiK, Halborn, or ConsenSys Diligence for complex DeFi protocols can range from $30,000 to $150,000 or more. Formal verification for critical components adds significant cost. Avoid firms offering audits for a few hundred dollars; these are typically automated scans with minimal human review.
How long does a crypto audit take?
A standard smart contract audit takes 1 to 4 weeks depending on codebase size. Larger protocol audits with formal verification can take 6 to 12 weeks. Remediation and re-audit add additional time. Projects should budget at least 6 weeks from initial engagement to final report publication if they intend to address all findings.
What does it mean if a project has no audit?
An unaudited project carries significantly higher risk than an audited one, particularly for DeFi protocols holding user funds. While an audit is not a guarantee of security, its absence means no independent expert has reviewed the code for known vulnerabilities. Treat unaudited projects as high-risk by default, regardless of team reputation or token market cap.
