What is a Protocol Audit?
A protocol audit is a professional security review of a smart contract's code. Independent security firms analyze the code for vulnerabilities, logic errors, and potential attack vectors. The goal is to find and fix issues before malicious actors can exploit them.
Audits are the primary way DeFi protocols demonstrate security to users. However, they're not guarantees. Many exploited protocols had audits. Understanding what audits can and can't do helps you make better risk assessments.
What Auditors Look For
Vulnerability Categories
Critical Severity:
- Unauthorized fund withdrawal
- Complete protocol takeover
- Infinite minting bugs
- Must be fixed before launch
High Severity:
- Significant fund loss risk
- Logic errors with major impact
- Should be fixed immediately
Medium Severity:
- Potential for limited loss
- Edge cases that could be exploited
- Should be fixed
Low Severity:
- Best practice violations
- Gas optimizations
- Code clarity issues
- Nice to fix
Common Vulnerability Types
Reentrancy: An attacker recursively calls a function before the first call completes, draining funds. Famous for the 2016 DAO hack.
Access Control: Missing or incorrect permission checks allowing unauthorized actions.
Oracle Manipulation: Price feeds that can be manipulated within a single transaction.
Integer Overflow/Underflow: Math errors when numbers exceed their limits (less common after Solidity 0.8).
Flash Loan Attacks: Vulnerabilities that can be exploited using borrowed capital.
Logic Errors: The code doesn't do what it's supposed to do.
Major Audit Firms
Tier 1 (Most Respected)
| Firm | Notable Clients | Reputation |
|---|---|---|
| Trail of Bits | Yearn, MakerDAO, Compound | Excellent |
| OpenZeppelin | Aave, Compound, Uniswap | Excellent |
| ChainSecurity | Lido, Curve, MakerDAO | Excellent |
| Consensys Diligence | Aave, 0x, Balancer | Excellent |
Tier 2 (Well-Known)
| Firm | Notes |
|---|---|
| Certik | High volume, varies in depth |
| PeckShield | Good reputation in Asia |
| Quantstamp | Long track record |
| Halborn | Growing reputation |
| Zellic | Strong technical team |
| Spearbit | Competitive audit network |
Emerging Firms
Code4rena, Sherlock, and Immunefi run competitive audits where multiple auditors compete to find bugs. It is a different model from a single-firm engagement, but it can be effective.
How to Read an Audit Report
Finding the Report
- Protocol website (usually under "Security" or "Docs")
- Audit firm's public repository
- GitHub of the protocol
- Google "[Protocol] audit report"
Key Sections
Scope: Which contracts were reviewed? This matters, because unaudited contracts may sit alongside the audited ones.
Findings: List of issues by severity.
Status: Was each finding fixed, acknowledged, or disputed?
Summary: Overall security assessment.
What to Look For
Green Flags:
- All critical/high findings fixed
- Thorough scope covering key contracts
- Recent audit (within 12 months)
- Multiple audits from different firms
Red Flags:
- Critical findings marked "won't fix"
- Limited scope missing core contracts
- Old audit with significant code changes since
- Single audit from unknown firm
Limitations of Audits
What Audits Don't Guarantee
Time-Limited Review: Auditors spend days to weeks, not months. They can't find everything.
Scope-Limited: Only the reviewed contracts are covered. New or modified code isn't included.
Economic Attacks: Some exploits involve valid code but exploitable economics. Auditors focus on code, not game theory.
Integration Risks: Composability means protocols interact. Audits typically don't cover all possible integrations.
Human Error: Even the best auditors miss things. Security is probabilistic, not absolute.
Famous Exploits of Audited Protocols
| Protocol | Loss | Auditor | Issue |
|---|---|---|---|
| bZx | $8M | Multiple | Flash loan attack |
| Harvest | $34M | Haechi | Oracle manipulation |
| Wormhole | $326M | Neodyme | Bridge vulnerability |
| Ronin | $625M | Slowmist | Validator compromise |
Beyond Audits: Comprehensive Security
Bug Bounties
Ongoing reward programs for finding vulnerabilities:
- Immunefi hosts major bounties ($10M+ for some protocols)
- Continuous coverage, versus the point-in-time coverage of an audit
- Attracts security researchers globally
Formal Verification
Mathematical proof that code behaves correctly:
- Highest level of assurance
- Very expensive and time-consuming
- Used for critical components (Uniswap V2 core)
Economic Audits
Review of tokenomics and incentive structures:
- Game theory analysis
- Attack vector modeling
- Less common but valuable
Monitoring and Response
Post-launch security:
- Real-time monitoring (Forta, Tenderly)
- Incident response plans
- Bug bounty escalation
Evaluating Protocol Security
The Security Checklist
| Factor | Low Risk | High Risk |
|---|---|---|
| Audits | Multiple from Tier 1 | None or unknown firms |
| Findings | All fixed | Critical issues unfixed |
| Bug Bounty | Active, large rewards | None |
| Track Record | Years without exploit | New or recently exploited |
| Code Changes | Stable or re-audited | Frequent unaudited changes |
| TVL | High (battle-tested) | Very low (untested) |
Questions to Ask
- When was the last audit?
- Which contracts are covered?
- Were all issues fixed?
- Is there a bug bounty?
- Has the code changed since the audit?
FAQ
Is one audit enough?
Better than none, but multiple audits catch more issues. Different firms have different strengths. Major protocols typically have 2-3 audits.
Why do audited protocols still get hacked?
Audits aren't perfect. They're time-limited reviews that can miss issues. Economic attacks, integration bugs, and novel attack vectors can evade review.
How much do audits cost?
Varies widely: $20,000-$500,000+ depending on code complexity, firm reputation, and timeline. Major protocols may spend $1M+ on security.
Should I wait for an audit before using a protocol?
Generally yes for significant funds. Early users take on audit risk. After successful audits and time in production, risk decreases.
Related Topics
Learn about smart contract verification, explore DeFi risk management, and understand how to evaluate protocol safety.
Make informed security decisions with Fensory. We track protocol audits and security status across DeFi. [Explore Fensory →](https://www.fensory.com)