Why Crypto Audits are Essential (Especially for Immutable Products)

By Max

Blockchains and smart contracts need to be perfect.

Otherwise, upwards of billions of dollars could be lost to bugs and hacks.

Thus, it is best practice for developers to undergo crypto audits in order to ensure their code is functioning properly.

This becomes even more important for immutable code (that which cannot be changed once deployed).

Quick Takes:

  • Crypto audits diagnose the security of smart contract code and functionality, both on the dApp and network levels.
  • Crypto auditors can simulate attacks and suggest security properties to prevent cyber-attacks. But there are many other risks beyond their control that can send the token to $0 (e.g., low liquidity, insider fraud, smart-contract blacklisting).
  • Successful crypto audits don't guarantee that new vulnerabilities can't appear in the future. Any improvement proposal or fork can reintroduce these risks. Audits are essential but far from enough to justify investment decisions.

What is a Crypto Audit?

A crypto audit is a process of reviewing the source code of a cryptocurrency project or smart contract to identify any potential security vulnerabilities or flaws. It involves a thorough analysis of the codebase to ensure that it is written correctly and does not contain any errors that could be exploited by attackers.

During a crypto audit, auditors examine the code for potential security risks, such as buffer overflows, race conditions, or other vulnerabilities that could lead to a loss of funds or data. They also verify that the code adheres to best practices and industry standards.

Note: Another popular definition is crypto audits for tax accounting. Every time you sell crypto for fiat at a profit, there's either income or capital gains tax on it. While rates and rules change by country, those that tax it consider any sale, whether it comes from trading, airdrops, staking, lending, or yield farming. Crypto tax audits are beyond the scope of this post, as it focuses on cyber-security crypto audits.

Ever since the first Bitcoin bubble, crypto has cost investors a lot of money. Thankfully, many uptrends followed, but not many projects made it that far. Many tokens appeared in 2017, and by 2018, most of them were unlisted, abandoned, or insolvent. It's still happening today.

From bug exploits to fraudulent schemes, this downfall motivated the rise of the first crypto audit companies. Their objective is to spot vulnerabilities so that core teams can correct them—or if they can't, at least warn investors of the risk. Ideally, every major cryptocurrency should be audited and prove high security, especially if it hosts an important dApp ecosystem (e.g., Ethereum).

Most projects aren't audited or don't make reports public. That's either because the teams don't request them, don't need them (e.g., Bitcoin), or don't want to share bad reports. Typically, projects that have audits but don't show them are centralized (e.g., Solana, Tron, Ripple).

How Do Audits Work?

There's a common assumption that crypto audits make blockchain projects almost invulnerable. You might think that because several experts have reviewed the code, and some tokens have passed multiple audits. If you read any report, however, you'll find the same disclaimer.

[Figures: Crypto Audit Disclaimer 1, 2 and 3, the disclaimer sections of three audit reports]

Positive crypto audits cannot guarantee that projects won’t be attacked.

They only evaluate security up to that version and time. Both blockchains and dApps undergo many forks and upgrades based on community proposals. In fact, the way crypto audits work is very similar to developer improvement proposals (better known as EIPs for Ethereum):

Ethereum Improvement Proposal
  • Create a proposal based on open-source code. This can include suggestions for better performance, lower costs, or newer features. If we think of audits as improvement proposals, they'd be about risk prevention/troubleshooting/bug detection.
  • Community developers create and discuss those proposals. On Ethereum, the author has to follow a specific EIP template before it reaches the core team (which is over a hundred Ethereum Foundation members and most active moderators). On crypto audits, the agency and dev team communicate directly.
  • After some follow-up changes, the team makes a decision: to accept, reject, postpone, or suspend. On audit reports, the team can "accept" by solving whatever issues the auditor found, postpone, or ignore them ("reject"). Typically, this first audit is private: it only becomes public once the team solves most of the critical issues.

This makes sense. If you publish an audit with unsolved, revealed problems, not only can that scare investors, but it can also attract attackers.

  • If accepted, the team will update the code (or if it's a public blockchain, add them to the next fork).

Not every bug requires changing the code, and not every problem will be solved. If it's an old audit or there have been many code upgrades, there might be fewer issues unsolved than what reports show. The opposite is also true: new updates can introduce new bugs or undo previous fixes because of dependencies.

Here's a crypto-audit example: Axie Infinity. Axie runs on blockchains like Ethereum and RoninChain. Ronin consists of 9-18 validators (centralized) and has been around for barely a year. In November 2021, it was hacked for $650M (now partially retrieved). According to the updated Ronin Bridge audit, it passed without any severe issues.

But Ronin had no audits before, and Axie still has major unsolved problems in the report. Even if it were secure, it was risky at a network level because of Roninchain. It's like storing money in a bank safe, except there are no guards or building security.

Best Crypto Audit Companies

These are the best crypto audit companies from most to least popular, including featured projects and examples.

HALBORN

Halborn is an industry-leading cybersecurity firm that offers a comprehensive suite of cutting-edge solutions to protect businesses and individuals from the ever-changing landscape of cyber threats.

With a team of highly skilled experts and state-of-the-art technology, Halborn provides top-tier services, including Penetration Testing, Incident Response, Secure Development Life Cycle (SDLC) Consulting, Security Code Review, Security Awareness Training, and specialized Blockchain Security assessments.

Their proactive approach ensures vulnerabilities are identified and addressed before they can be exploited, empowering clients to maintain a robust security posture. Halborn's dedication to excellence, client-centric focus, and commitment to staying ahead of emerging trends make them the ideal cybersecurity partner for organizations seeking unmatched protection in the digital age.

Certik

Certik has audited over 3,000 smart contracts, dApps, and blockchains since 2018. It operates from New York and was founded by Prof. Zhong Shao and Ronghui Gu. Most dev teams choose Certik because of its talent, including professors from Columbia and Yale and members from the largest tech companies.

Certik has audited Polygon, Shiba Inu, Aave, The Sandbox, PancakeSwap, 1Inch, Axie Infinity, BNB Chain, Terra Classic, and Tether.

Note: You can compare how different agencies work by comparing multiple reports from the same token. We'll use 1inch as the example because it's one of the few tokens with at least five independent reports. You can find the 1inch Certik report here.

Hacken

Hacken has audited over 1,000 projects since 2017. Along with Certik, they're responsible for 90% of public reports in all crypto. Dyma Budorin and Yevheniia Broshevan founded Hacken in Kyiv, Ukraine.

While most agencies focus on smart contract audits, Hacken is an all-around security company with developer experience that predates Bitcoin. Besides conventional audits, they offer ethical hacking (pen-testing) and proof-of-reserve audits through their secondary company, Cer.live. According to Hacken, only five centralized exchanges have proven to have enough reserves to repay all customers at once.

Hacken also audited KuCoin, FTX token, and Huobi, among other tokens from Solana, Avalanche, and Fantom blockchains.

For comparison, here's the 1inch Hacken report.

ConsenSys Diligence

ConsenSys Diligence is an audit service created by Joseph Lubin in NYC in 2017. He founded ConsenSys in 2015, an innovative company with products like Metamask, Infura, and Quorum. One of them is Diligence, which was the most active in 2020-2021, now with almost 100 audits.

Aave, Uniswap, 0x, AMP, Paxos, Balancer, and other featured projects passed formal audits with ConsenSys Diligence. There's also a 1inch ConsenSys report for comparison.

Quantstamp

Quantstamp was founded by Richard Ma in San Francisco in 2017. Despite having around a dozen public reports, Quantstamp is quickly gaining popularity among blue-chip crypto projects. Two of them are Ethereum (through its infrastructure company Prysmatic Labs) and Maker (one of the oldest DeFi dApps).

(While they haven't audited 1inch, the next most relevant one is the Solana Quantstamp report.)

Quantstamp has reviewed dApps and contracts written in different coding languages, worked with popular exchanges, and helped to secure over $200B in digital assets. Together with the previous three, Quantstamp is considered among the most popular and reliable audit companies. Even though the next three have a great reputation, they are secondary choices. They typically work with teams that already have audits (from the first four) but want a second opinion.

Fairyproof

Fairyproof was founded by Yuefei Tan Hqed in Singapore in 2021. It's unclear how many projects they have audited, although most of them are micro-cap tokens from BNB and Ethereum. The most notable is the Tether Fairyproof report of October 2021.

Slowmist

Slowmist is the most relevant (perhaps the first) Chinese auditor company. The founder (known only as "Cos") created the agency in 2018, and they've audited thousands of smart contracts ever since. Huobi, OKEx, Binance, imToken, Crypto.com, Klaytn, EOS, PancakeSwap, TUSD, Alpaca Finance, and MultiChain are some of their clients.

To compare with Certik/Hacken/ConsenSys, there's a 1inch Slowmist report.

Chainsulting

Chainsulting is a German company founded by Florian Protschka and Yannik Heinze in 2017. Unlike bigger competitors, it specializes in smart contract audits rather than whole blockchains and dApps. They have over 250 reports from little-known projects (except for Apecoin) related to NFTs, DeFi, bridges, exchanges, and enterprise networks.

Here's the 1inch Chainsulting report.

Examples of Audits That Didn’t Stop Cyber-Attacks

Security isn't just code but how we interact with it. And due to many factors outside the reports' scope, tokens can still crash anytime:

  • MonoX Finance (MONO) passed three audits from Halborn and PeckShield, the latest one from May 2021. In December 2021, it lost $31M to an inflation bug related to an unintended feature. Auditors didn't expect an attacker to swap a token for the same token, which repeatedly overwrote and inflated the MONO price.
  • Voyager (VGX) passed the Quantstamp audit in April 2021. And while the code was secure, the token price wasn't. Voyager had lent tokens to companies like Three Arrows Capital. Voyager was liquidated and bankrupt by July 2022. The token was safe, but the custodial platform wasn't (worth $1.4B).
  • Harmony (ONE) passed the Quantstamp audit in June 2021 with some low-risk issues unsolved. Exactly one year later, attackers stole $97M from the Harmony Horizon Bridge. This dApp used a multisig wallet that required only 2 of 5 confirmations to approve transactions. Attackers didn't break the app but decrypted two private keys, accessed wallets, and transferred the tokens.
  • The infamous Axie Infinity (AXS) passed audits from Certik and Verichain in June 2022. Before the $600M attack in March 2022, there were two private audits from Verichain from November 2021. Axie and Ronin might be secure on code, but centralization is still the no.1 risk.
  • Terra (UST) passed its latest audit (by Certik) in October 2020. But the billion-dollar crash came from misdesign, not code. The "attackers" dumped a lot of tokens to de-peg the UST stablecoin, which then inflated the LUNA supply (now LUNC) and crashed the token price.
  • FTX Token (FTT) passed a Certik audit in April 2022. As with all exchange tokens, danger came from centralization. The prolonged bear market exposed the lack of liquidity and asset mismanagement. FTX went bankrupt with ~$2B missing in November 2022, and FTT fell more than 90%.
  • Paid Network (PAID) passed audits from Certik and Hacken in February 2021 and July 2022. The $3M "attack" occurred in March 2021 after the generation and dump of 60M PAID tokens. The cause was a compromised admin key (so it might have been a rug pull).
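The MonoX bullet above describes the bug class where swapping a token for itself lets the tokenOut price update overwrite the tokenIn update. The block below is a constructed Python model of that class, added for this article; it is not MonoX's contract code or any auditor's, and the pool maths (price-impact formulas), token names and balances are assumptions. It shows the defect beside the guard and post-condition an auditor would expect to see.

```python
"""Constructed model of a same-token swap price overwrite (not MonoX's code)."""
from dataclasses import dataclass, field


@dataclass
class Pool:
    price: dict = field(default_factory=dict)    # token symbol -> assumed USD price
    balance: dict = field(default_factory=dict)  # token symbol -> units held by pool


def make_pool():
    """Constructed sample pool: two tokens, both priced at 1.0 with 1000 units each."""
    return Pool(price={"MONO": 1.0, "USD": 1.0}, balance={"MONO": 1000.0, "USD": 1000.0})


def _price_after_deposit(price, balance, amount):
    # Assumed impact model: more of a token in the pool makes it cheaper.
    return price * balance / (balance + amount)


def _price_after_withdrawal(price, balance, amount):
    # Assumed impact model: less of a token in the pool makes it dearer.
    if amount >= balance:
        raise ValueError("insufficient pool balance")
    return price * balance / (balance - amount)


def swap_vulnerable(pool, token_in, token_out, amount_in):
    """Defect: no check that token_in != token_out. When they are equal the
    balance changes cancel out, but the second price write (the increase)
    overwrites the first (the decrease), so the caller ends the swap holding
    the same tokens while the pool now prices them higher."""
    price_in, price_out = pool.price[token_in], pool.price[token_out]
    amount_out = amount_in * price_in / price_out
    new_in = _price_after_deposit(price_in, pool.balance[token_in], amount_in)
    new_out = _price_after_withdrawal(price_out, pool.balance[token_out], amount_out)
    pool.price[token_in] = new_in
    pool.price[token_out] = new_out      # same dict key as above if tokens are equal
    pool.balance[token_in] += amount_in
    pool.balance[token_out] -= amount_out  # nets to zero if tokens are equal
    return amount_out


def swap_hardened(pool, token_in, token_out, amount_in):
    """Fix: reject the degenerate pair up front, and verify the economic
    post-condition (selling a token must not raise its price) before committing."""
    if token_in == token_out:
        raise ValueError("tokenIn and tokenOut must differ")
    if amount_in <= 0:
        raise ValueError("amountIn must be positive")
    price_in, price_out = pool.price[token_in], pool.price[token_out]
    amount_out = amount_in * price_in / price_out
    new_in = _price_after_deposit(price_in, pool.balance[token_in], amount_in)
    new_out = _price_after_withdrawal(price_out, pool.balance[token_out], amount_out)
    # Post-condition: the sold token got cheaper and the bought token dearer.
    if not (new_in < price_in and new_out > price_out):
        raise ValueError("price update violates swap invariant")
    # Commit state only after every check has passed.
    pool.price[token_in], pool.price[token_out] = new_in, new_out
    pool.balance[token_in] += amount_in
    pool.balance[token_out] -= amount_out
    return amount_out


def rejects(pool, token_in, token_out, amount_in):
    """True if the hardened swap refuses the trade; used to show the guard works."""
    try:
        swap_hardened(pool, token_in, token_out, amount_in)
    except ValueError:
        return True
    return False
```

Running `swap_vulnerable(make_pool(), "MONO", "MONO", 100.0)` leaves the MONO balance unchanged but lifts its price from 1.0 to about 1.11, which is the overwrite an auditor should flag; `swap_hardened` refuses the same call.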

This should make clear how limited crypto audits are for financial security. Some exploits occurred because of undetected bugs, but most were because of mismanagement (AKA centralization). Are crypto audits really that important?

Pros and Cons Of Crypto Audits: Are They Effective?

There's no reason not to audit a project, whether it's a dApp, smart-contract group, or blockchain. Crypto audits do work, but not all of them do, and they can't detect every single risk related to the token.

Cons Of Crypto Audits

Developers should be careful about how the project is reviewed and by whom. Crypto audits aren't just a nice-to-have. Done badly, they can do more harm than good:

  • Audits create a dangerous sense of security.

You won't believe the number of hacked projects that had "no issues" according to audits. Total cyber-security is either impractical or unattainable. There's always a way to break it, and the best way to approach "perfect" security is to always question it.

Let's say the audit team fails to detect a critical risk, and the report says you passed the test. Not only is the bug undetected, but the positive audit dissuades you from looking any further. Until someone exploits it.

Maybe the problem is risk analysis. Core developers usually solve the most critical issues but leave the low-risk ones unsolved. Maybe the agency mislabeled a threat as low-level when it's actually high, and now you're dealing with those consequences.

  • Audits can influence investor decisions.

It's common practice to buy on good news and sell on bad news. This can be a problem for the previous reason. What if people decide to invest long-term in something that isn't as safe as the audit shows (e.g., Terra & Luna)?

The opposite happens too. A barrage of bad news can scare many token holders. The team loses most of its liquidity, and if the bull market doesn't return on time, they're liquidated and bankrupt. Speaking of FTX.

  • Crypto audits become outdated very quickly.

Crypto audits serve more as credibility markers for potential investors than actual security analyses. If your project has an ambitious roadmap and an active core team, its security is going to change with every update. Crypto auditors can't see the future, including:

a. The governance's decisions about project upgrades and smart-contract changes.

b. Forks and upgrades of the underlying blockchain (e.g., Ethereum versions change almost every year).

c. The security level of any new blockchains that the dApp supports in the future (e.g., Uniswap extended from Ethereum to Polygon).

  • Many crypto audits are systematic and generic.

Have you ever tried contacting customer support in a large crypto exchange? Unless you phoned them, chances are that the response was copied from the Help blog. For someone to actually solve your problem, you need the persistence to message and "escalate the case."

If you've read a few audits from the same agency, you'll find something similar. Reports use the exact same sentences for similar problems and suggestions as if all tokens were the same. We assume that the teams get a more specific description from the agency, but for the person reading the public report, it's not.

One solution for this is to get reports from different auditors, just like oracles do (see Tellor). Audit agencies do this by having different developers review the code and compare it with each other. But because all reports follow the same format, it's better to have audits from Hacken, Consensys, and Certik than just one company.

Pros Of Crypto Audits

Now, none of these cons should discourage teams from running crypto audits. If anything, the opposite. Once you recognize and plan for the limitations, crypto audits are well worth the benefits:

  • Crypto audits can discourage hackers from attacking.

Many blockchains seem secure, not because hackers can't attack them, but because they're not worth the risk-reward. If a project has multiple positive, recent audits, it's telling potential attackers that the chance of finding an exploit is minimal or very expensive. Whether the audit is right or wrong, the effect is the same.

Attackers want big rewards for low effort, so (most of them) will look somewhere else. That's another reason why core teams don't solve many low-threat-level bugs. Potential losses are tiny.

Luckily for developers, it seems hackers don't like attacking the same platform twice. And one easy way to limit how much can be lost is to spread funds across multiple multisig wallets.

  • Teams can learn from attacks without risking any tokens.

Many audit agencies also do penetration testing. Essentially, you pay white hat hackers to break your platform through any means they know. There's a wide range of tactics including exploit tools, DDoS attacks, spear-phishing messages (which is how RoninChain was hacked)...

Attackers are unpredictable, and many problems aren't obvious until you put theory into practice. That's why penetration testing works. And the longer it takes to break things, the less likely anyone is to put in the effort.

There's always the risk that these ethical hackers aren't so ethical. Thankfully, in crypto, such cases have never occurred (and definitely not with the top 5 audit agencies). What's more, an anonymous hacker once stole $600M from PolyNetwork "as a warning" and then returned it (check out the story of Mr. White Hat). That would have been the second most expensive hack in DeFi and seventh in all crypto.

  • Audited projects are less biased.

Decentralized or not, users overestimate how much control they have over the project. In Ethereum, for example, there's a core team of developers gating every proposal. They decide whether or not to publish drafts as proposals, include them on forks, or remove them on later versions.

These developers have the same freedom when working with crypto auditors. The difference is that audit reports have more visibility than improvement proposals. It's on the agency's database, then on the news, and pages like CoinMarketCap or Messari.

Everyone will know about the project's vulnerabilities, whether the team corrects or ignores them.

Maybe developers think they don't need to audit the token because they can solve any issues through governance or improvement proposals. Maybe it's because it's a centralized network that they can halt anytime. Neither should replace crypto audits, as they bring expert feedback from outside the organization.

  • Crypto audits save successful projects from tragedies.

While success is desirable, it also scales the consequences and difficulty of unsolved problems. And no matter how big a network becomes, one bad day can wipe out its market value (Luna being the clearest example). Bitcoin and Ethereum will likely remain, but should anything similar happen to them, hundreds of smaller projects could "break."

For good or bad, small networks are less centralized. There's less to lose, and changes are easier to make. Assuming a project decentralizes as it grows, crypto audits can help to build the right foundations, not just to become successful but to stay that way.

The same can't be said about many top cryptocurrencies. Some stablecoins trade more volume than Bitcoin and Ethereum, but their audits are outdated, unreliable, or non-existent. Many are wondering when they will collapse.

Are Crypto Audits Enough to Guarantee Security?

Many platforms have been hacked despite having positive audits. But even more cyber-attacks occurred on platforms without audits, which might have prevented many. Audits don't guarantee security, but rather point out the risks that developers can mitigate.

If you're a crypto investor, audits are a big plus when picking what coins to buy. But they're, at best, as useful as a whitepaper. Just like "refund guarantees" don't necessarily make a product good, audits don't necessarily make platforms much safer, let alone profitable. (In fact, if you could see those private audits, you would reconsider buying many "top cryptocurrencies.")

So when are crypto audits the most helpful? It depends on the timing and the project itself.

The ideal timing is right after updates or as recent as possible. And the ideal project is as SIMPLE as possible. The risk is in complexity, ambiguous code, and details that attackers can exploit. The more there is, the more can go wrong.

Liquid Loans is simple. It's not a multi-function DeFi tool, and it doesn't run on ten different networks. It provides zero-interest liquidity on PulseChain— that's it. Here's how.

FAQ

Why are blockchain bridges attacked so often?

Every blockchain has different security, scalability, decentralization, coding language, and ecosystem. Trying to link these networks under the same rules is like trying to rule all worldwide countries from one government. It can work in theory, but one government can't tell another how to run their country.

For blockchains, that would mean centralization, which is a security risk too. But if it's decentralized, then blockchains have different cyber-security, and one's vulnerabilities can affect the others. While this is true for every cross-chain platform, bridge hacks are more popular because of their trading volume.

Where can I find crypto audits for other cryptocurrencies?

Most crypto audits don't appear on sites like CoinMarketCap. Unfortunately, there aren't any explorers to find them all in one place. Instead, you have to check every list from the most popular audit platforms: Certik, FairyProof, Hacken, Quantstamp, and Slowmist.

Each one has different audit templates. Maybe someday there will be decentralized audit platforms the same way that there are oracles like Tellor.

What matters the most in a blockchain audit?

What matters the most is the number of critical issues found as well as the actions taken. You don't have to understand the bug descriptions as long as you know their threat level and status. Almost every crypto auditor rates the severity of the problem and then reports the core team's response.

Ideally, all issues are solved. But if they're not, it's only a matter of time before someone exploits them. If, for example, an issue is "CRITICAL" or "HIGH" and appears as Acknowledged or Mitigated, it's still a risk. If it's low-risk and unsolved, not so much.



Max

Max is a European-based crypto specialist, marketer, and all-around writer. He brings an original and practical approach to timeless blockchain knowledge such as in-depth guides on crypto 101, blockchain analysis, dApp reviews, and DeFi risk management. Max has also written for news outlets, SaaS entrepreneurs, crypto exchanges, fintech B2B agencies, Metaverse game studios, trading coaches, and Web3 leaders like Enjin.

Copyright © 2024 Crave Management.
All Rights Reserved.
