
Smart Contract Audit - What is it and How Much Does it Cost?

10 August 2021

Written by Timacum

Smart contracts are programs that execute the code within them exactly as written, without exception. Because the agreed terms are enforced by the code rather than by a counterparty, they make it possible to work with someone you don't trust.

Smart contracts are already being used to facilitate a variety of agreements, and with platforms like Ethereum giving developers low-cost access to their services, anyone can now tap into the power of smart contracts.

This is exactly why smart contracts are often regarded as the most exciting area of blockchain technology implementation.

One thing to note, though, is that this new technology has its own set of challenges. One of the main challenges of a smart contract is the need to conduct an extensive audit before deploying it, as an improperly written or poorly optimized contract can be detrimental to the project. Overlooking a single bug could cost a company tens of millions of dollars on top of staining its reputation.

What is a smart contract audit?

A smart contract audit involves developers inspecting the code that encodes the terms of the smart contract. By auditing the contract, they have the chance to identify potential bugs or vulnerabilities before it is deployed.

Smart contract audits can be costly and are usually conducted by a third party to ensure that the code is examined as thoroughly as possible, as well as without any biases.

Properly written smart contract code is enormously important, because once a contract is deployed to the blockchain, its code cannot be changed.

How is a smart contract audit performed?

In order to properly audit a smart contract, developers have to check for common classes of defects such as stack problems, compilation errors and reentrancy bugs, known weaknesses of the host platform, and other security flaws, and they have to actively try to break the contract through testing. Smart contracts can be inspected manually or automatically.

Manual vs. automatic code analysis

A manual code review involves developers thoroughly examining each line of code in order to find mistakes as well as security issues. On the other hand, an automatic code analysis works by creating a copy of a smart contract and then testing it with programs such as Populus or Truffle.

While automatic code analysis saves a lot of time, it has to be taken into account that this method has significant drawbacks, including missed vulnerabilities (false negatives) and parts of the code being falsely flagged as problems (false positives).

Most smart contract auditors use both methods in order to minimize the chance of a mistake.

Performance validation

The performance of a smart contract is directly linked to the quality of its code, and performance validation is the part of the audit that focuses on this particular problem and fixes any performance issues.

Code that behaves correctly for a given action may still slow down execution or affect other parts of the contract in unintended ways.

Optimizing contract triggers and inspecting contract fulfillment is a key component of this part of the audit.

Gas analysis and optimization

Smart contract platforms cover the cost of executing smart contracts by charging a fee for each operation, which in the case of Ethereum's blockchain is called gas.

Gas prices vary depending on the smart contract complexity, as well as network congestion. Good smart contract developers will have a good idea of the gas costs before even starting to code the contract.

Optimizing gas costs is a big part of the smart contract audit, as it directly affects the cost of implementing this technology.

Vulnerability checks

It is a well-known fact that every piece of code can contain vulnerabilities, and smart contracts are no different. There have been numerous cases of attackers exploiting smart contract vulnerabilities and stealing the funds those contracts held.

Ethereum smart contracts are susceptible to various forms of attacks, most notably:

  • Reentrancy attacks
  • Reordering attacks
  • Integer overflows and underflows
  • Short address attacks
  • Replay attacks

Developers use various software as well as check the code manually in order to find any possible vulnerable spots that could be exploited.

This step of the auditing process is crucial for both creating a cost-effective contract, as well as for creating a safe contract that will not be exploited and tarnish the reputation of your company.

Smart contract audit cost

The exact cost of conducting a full smart contract audit depends on a number of key factors, with the most important factor being whether the company decides to perform the audit in-house, or hire a third party to perform the audit.

Even though outsourcing a smart contract audit might bear a higher initial cost, the chance of identifying security vulnerabilities is likely to be higher due to their level of expertise and the lack of potential biases in-house auditors might have.

On top of that, important factors that affect the price of an audit include the size of the smart contract (lines of code) and the estimated number of engineering hours required to perform the audit.

Another factor that greatly influences the cost of a smart contract audit is the reputation of the auditor themselves. There is a huge difference in both the audit quality and the price based on who performs the audit. As an example, a small smart contract audit may cost anywhere from a couple of thousand dollars up to twenty thousand dollars (depending on the company performing it), while a large smart contract (such as the one Uniswap has) audit may cost up to half a million dollars.

Auditors such as CertiK, OpenZeppelin, and ConsenSys are regarded as top smart contract auditing companies, and their certificates are considered the most valuable. On the other hand, they are constantly overbooked and incredibly expensive.

What smart contract auditing boils down to

New projects are usually very conservative with spending their funds as they haven’t had any success in the market yet. Therefore, they mostly use smart contract audits as a way to show investors that their code is safe. In their case, the auditor certificate may be more important than the audit itself.

On the other hand, large projects that already acquired the required financial backing opt for well-known auditors that have proven themselves in the space. For them, the certificate means far less than the additional safety that the audit provides.

However, whether you are working on a small or a large project, and whether you are doing the audit for the certificate or for the added safety of your contract, one fact remains - almost every single smart contract auditor is overbooked, and you will likely have to wait for your audit for up to six months.

Of course, any party interested in getting their smart contract audited is able to get quotes directly from auditors themselves.

Final word

While there are many ways to approach a smart contract audit, the main goal of this inspection should be to ensure that the code is properly optimized and without any bugs.

Many companies have dedicated themselves to developing powerful tools that help automate smart contract auditing, which has made the process a lot cheaper.

While performing in-house audits has become much easier, the majority of developers still recognize the value of having a third-party auditor.
