Smart Contract Audits Explained
Let's cover DeFi security. Smart contract security and its auditing, the on-chain part, is only one piece of it, but a core and crucial one. Having worked at two reputable Web3 security companies, Mixbytes and Pessimistic, I have insights to share.
So, why do you need an audit in the first place? You have a great team of highly skilled expert programmers. They have already found some bugs, everything is working fine, and the tests run smoothly. But programmers and auditors approach code differently, and an auditor looks for things a programmer typically does not have in mind.

There is a key difference between a good programmer and an auditor. Auditors know how to code, but they also think more about risks overall and in different scenarios, not just about bug-free code.

There are different approaches to auditing. The first split is between manual and automated auditing. Manual auditing, as the name says, is when one or more auditors, usually two or three, inspect the code using their own knowledge and spend time looking at the lines. Automated auditing uses tools that scan the code, check for known vulnerabilities, and search for exact patterns. The best case is to use both approaches.
It is also important to note that automated auditing now often includes AI tools. As of July 2025, their quality is much better, and studies show that many findings in a test code base are now detected by AI. Still, the best approach is to combine both manual and automated checks.

How do reputable companies do it? First they run many automated tools to remove common mistakes and obvious issues. Once suspicious parts are highlighted, human auditors start to analyse the code.

The next difference in approach is who performs the audit. The most common option is an auditing company: a studio or firm with many auditors and clear processes. There are already over 100 companies in the field, and new ones keep appearing. This option is usually more expensive, but you can expect a predictable outcome, a solid report, and good customer service.

Another option is a solo auditor. Sometimes this is the same expert who works at a company but takes jobs alone. A solo audit is cheaper. Some well-known names work this way. Service quality may be lower because one person handles everything, but it can be fine if you want a specific expert or if you are at an early stage with limited funds.

The next form is a crowd auditing platform like Code4rena. Many solo auditors, teams, and even companies take part. The business model is different. You post your code and a budget and ask participants to do their best. The size of the budget determines how many people decide to study the code.

Last are bug bounty platforms like Immunefi. You set rewards for bugs of different severity grades. When someone finds a bug, they receive the reward that matches its severity. The size of your rewards and your protocol’s TVL affect how much interest you get.

These are the main ways to audit a smart contract.

Now let's take a closer look at the process. The most common question is the cost of an audit, and that depends on the approach we choose, which I described above. The price differs for a company and for a solo auditor. The company option is most popular, and to my knowledge the pricing structure is as follows.

First, the throughput of the auditing team is limited by how many lines one auditor can read per day. For Solidity code, this is around 200 lines per day. Therefore the number of days needed depends on whether the code base has one hundred or five thousand source lines of code (SLOC).

Next, complexity matters. If the code is a fork of a well-known protocol the team can quickly spot the differences and rely on previous audits, especially if the source protocol is well audited. If the code is written from scratch with unusual logic, the work slows down and needs more time.

The day rate also varies from company to company and depends on their process. In general, a small group of auditors works on the code. Usually one or two are senior, and sometimes mid-level or junior auditors join for practice. It is better to have more than one senior so they can cross-check each other's findings.

As for price, the market rate ranges widely. It can start at about 1,000 USD per working day and can go to 10,000 USD or more, depending on brand name and workload. Many companies also set a minimum budget. Some will not start work for less than 20,000 USD. Professional auditing is costly.
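The pricing inputs above (SLOC, a per-auditor reading rate of about 200 lines per day, a day rate between 1,000 and 10,000 USD, and a 20,000 USD minimum budget) can be turned into a rough quote calculator. The following Python is an added example, not code from the post or from any auditing company. It counts SLOC in a constructed Solidity excerpt the way a quote would (blank lines and comments excluded), then estimates days and a price range. The complexity multiplier and the treatment of the day rate as a team rate are assumptions; the post gives no numeric values for them.

```python
import math

# Constructed Solidity excerpt used only as sample input (not a real project).
SAMPLE_SOLIDITY = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/* Minimal vault used only to exercise the line counter.
   Multi-line comments must not count as code. */
contract Vault {
    mapping(address => uint256) public balances; // inline comment after code

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

# Figures quoted in the post.
LINES_PER_AUDITOR_DAY = 200
DAY_RATE_LOW_USD = 1_000
DAY_RATE_HIGH_USD = 10_000
MINIMUM_BUDGET_USD = 20_000


def count_sloc(source: str) -> int:
    """Count source lines of code: lines with at least one character that is
    neither whitespace nor part of a // or /* */ comment. Comment markers
    inside string literals are ignored, as a real counter must do."""
    sloc = 0
    in_block = False          # inside a /* ... */ comment (may span lines)
    for line in source.splitlines():
        has_code = False
        in_string = None      # quote character while inside a string literal
        i, n = 0, len(line)
        while i < n:
            ch, two = line[i], line[i:i + 2]
            if in_block:
                if two == "*/":
                    in_block = False
                    i += 2
                else:
                    i += 1
                continue
            if in_string:
                has_code = True
                if ch == "\\":        # skip escaped character
                    i += 2
                    continue
                if ch == in_string:
                    in_string = None
                i += 1
                continue
            if two == "//":
                break                 # rest of the line is a comment
            if two == "/*":
                in_block = True
                i += 2
                continue
            if ch in ('"', "'"):
                in_string = ch
                has_code = True
            elif not ch.isspace():
                has_code = True
            i += 1
        if has_code:
            sloc += 1
    return sloc


def estimate_audit(sloc: int, complexity_factor: float = 1.0) -> dict:
    """Estimate working days and a price range from a SLOC count.

    complexity_factor is an assumed multiplier (1.0 = typical; above 1 for
    novel logic written from scratch, below 1 for a fork of a well-audited
    protocol). The day rate is treated as the team's rate, also an assumption."""
    days = max(1, math.ceil(sloc * complexity_factor / LINES_PER_AUDITOR_DAY))
    low = max(days * DAY_RATE_LOW_USD, MINIMUM_BUDGET_USD)
    high = max(days * DAY_RATE_HIGH_USD, MINIMUM_BUDGET_USD)
    return {"sloc": sloc, "days": days, "low_usd": low, "high_usd": high}


if __name__ == "__main__":
    n = count_sloc(SAMPLE_SOLIDITY)
    print(estimate_audit(n))                      # tiny contract: minimum budget applies
    print(estimate_audit(5_000))                  # 5,000 SLOC: 25 days
    print(estimate_audit(5_000, complexity_factor=1.5))   # novel logic: more days
```

For the tiny sample the minimum budget dominates, which is the practical point: below a few thousand SLOC the quote is driven by the company's floor, not by reading time.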

Depending on the maturity of the auditing company, besides service level and quality, you can expect more checks during the audit. Well-known companies keep an internal checklist and an updated knowledge base of past hacks and known vulnerabilities. Depending on the protocol type, network, blockchain, libraries, dependencies, and programming language, they run a specific set of checks during the audit.

What does a typical service set consist of? First, once you reach out to a security company, you are asked to provide the code base. Any company giving you even a quote before starting the audit has to get repository access to study the code. The most important thing for a security company is its brand, reputation, and trust, but you can still get an NDA signed before, just in case. As described above, pricing varies a lot based on the amount of code and its complexity.

Once you receive a quote, which can differ a little from the final invoice but is mostly accurate at experienced companies, you get an offer that sets the dates for the initial report, pricing, scope, and other important details, including the team assigned to the project.

Then the first stage begins. You have an interview with the team working on the code. They ask questions and will likely request a business logic explanation to understand why everything is designed this way. Once all is clear, the auditors start their work. They run some preferred automated checks, but then work mostly manually.

After the planned time, they come back with a preliminary report that is private and shared only with the client. The client then gets time to fix, acknowledge, or dispute the findings.

When everything is settled, the final report is delivered. It can become public if the client wants that, or it can stay between the client and the auditing company.

If you want to get a quote for a smart contract audit from Pessimistic, a notable Web3 security company, just let me know at [email protected]

Sovernance is a Web3 product consulting company

Feel free to contact me with feedback, business requests, or partnership proposals

[email protected]