CryptoSlate Daily Crypto Newscast

Three steps towards choosing the right smart contract auditor



Choosing the right auditor is not easy. In this post, I will give you some tips from my own experience on how to tell a good smart contract audit company from a not very good one.
How to do the initial selection?
The quickest way to filter out the audit companies that will not be worth your while is to look at their portfolios. You or your team will need to do some research. The basic task will be to check if any of the projects audited by the company have been exploited. The popularity of the audited projects will also be a significant factor: protocols with vast amounts of liquidity will certainly attract the attention of hackers, so the success of those projects means that the audit company did a good job on its part.
So, if you see a striking portfolio, it is a good indicator that this auditor is one worth your time. And when you have selected the ones that look good to you, the next tip will be to look at the quality of reports.
A sign of a good report is a detailed description of all issues found and suggestions for how to fix them. A good auditing team also pays close attention to the quality of the code. As a result, their reports are elaborate and explicit. If you find that an auditor’s reports are superficial, it is a sign of unprofessionalism.
Also, how busy the auditor is can be an indirect indication of the quality of its work. The best auditors are in high demand, have a long list of orders, and most of the time will be able to offer you a deadline date up to three months away from now. However, a company’s readiness to do an audit quickly is not always a sign that it lacks popularity or a good reputation on the market.
What do good smart contract auditors have?
Good smart contract auditors have their own knowledge bases of smart contract exploits. They have their own systems of teaching smart contract auditing, and they improve their expertise through the mistakes of their colleagues and their own.
When we are doing an audit at HashEx, we have at least two different audit teams working on the same project independently. This maximises efficiency. On top of that, the project’s lead auditor also checks the results at the final stage. When it comes to the most difficult cases, I myself get involved in working on the audit. And keeping the client updated on the progress is a must. This is the standard that clients want to see and reputable smart-contract-auditing companies follow.
Should you invite white hackers to a project?
White hackers are valuable players in the DeFi market because time and again they find vulnerabilities in smart contracts and report them to projects. This saves people and the projects themselves millions of U.S. dollars. Many projects have bug bounty programs, and we encourage our clients to put them up as well.
Also, white hackers can point to some of the bugs that have already been found by auditors but have not been patched by the project’s team. They can raise the community's awareness of the existing vulnerabilities in the project’s code and put more pressure on the project’s owner to eliminate them.
The biggest red flags to look out for
All smart contract auditors make mistakes and occasionally miss exploits in the code. However, if that happens again and again, it is a big warning. If you find out that the company’s clients have lost funds due to malicious attacks by hackers, you should think twice before using its service. If you feel that the company is hiding something from you, it may also be indicative of some downside to its service.
Another red flag is reports that point to very few issues or find no issues at all. A project that has almost no issues, or none at all, is an extremely rare thing. Even though it might look far-fetched that there will be issues with some tried and tested piece of smart-contract code that has been borrowed from a different DeFi protocol, it might still have some inaccuracies that might not necessarily pose a threat to ...
CryptoSlate Daily Crypto Newscast, by CryptoSlate