Three steps towards choosing the right smart contract auditor
Choosing a smart-contract-auditing company deserves real care, because the smart contract is the part of a blockchain-based protocol whose security matters most: it is the code that holds the users' funds.
Choosing the right auditor is not easy. In this post, I will give you some tips from my own experience on how to tell a good smart contract audit company from a not very good one.
How to do the initial selection?
The quickest way to filter out the audit companies that will not be worth your while is to look at their portfolios. You or your team will need to do some research. The basic task is to check whether any of the projects the company has audited have been exploited and, if so, whether the exploited code was actually within the audited scope and version, since a bug introduced in an unaudited upgrade says nothing about the auditor. The popularity of the audited projects also matters, but not because success by itself proves the auditor did a good job: protocols holding large amounts of liquidity are certain to attract attackers, so a well-funded project that has remained unexploited is far stronger evidence of a thorough audit than an obscure one that nobody has bothered to attack.
So, if you see a strong portfolio, it is a good indication that this auditor is worth your time. Once you have shortlisted the ones that look good to you, the next step is to look at the quality of their reports.
A sign of a good report is a detailed description of every issue found (where it sits in the code, how it can be triggered and how severe it is) together with concrete suggestions for fixing it. A good auditing team also pays close attention to general code quality, not only to exploitable bugs, so its reports are thorough and explicit. If you find that an auditor's reports are superficial, that is a sign of unprofessionalism.
How busy an auditor is can also be an indirect indication of the quality of its work. The best auditors are in high demand and have a long queue of orders, so most of the time the earliest delivery date they can offer you will be up to three months away. However, a company's readiness to start an audit quickly does not always mean that it lacks demand or a good reputation on the market.
What do good smart contract auditors have?
Good smart contract auditors maintain their own knowledge bases of past smart contract exploits and vulnerability classes. They have their own systems for training auditors, and they improve their expertise by studying their own mistakes and those of their colleagues.
When we are doing an audit at HashEx, we have at least two different audit teams working on the same project independently. This maximises efficiency. On top of that, the project’s lead auditor also checks the results at the final stage. When it comes to the most difficult cases, I myself get involved in working on the audit. And keeping the client updated on the progress is a must. This is the standard that clients want to see and reputable smart-contract-auditing companies follow.
Should you invite white-hat hackers to a project?
White-hat hackers are valuable players in the DeFi market because time and again they find vulnerabilities in smart contracts and report them to the projects concerned. This saves millions of U.S. dollars for users and for the projects themselves. Many projects run bug bounty programs, and we encourage our clients to set them up as well.
White-hat hackers can also point to bugs that auditors have already found but that the project's team has not yet patched. By raising the community's awareness of the vulnerabilities that remain in the project's code, ideally through a coordinated disclosure process that does not hand attackers a ready-made exploit, they put more pressure on the project's owners to eliminate them.
The biggest red flags to look out for
All smart contract auditors make mistakes and occasionally miss exploitable bugs in the code. However, if that happens again and again, it is a big warning. If you find out that the company's clients have lost funds to attacks on code the company had audited, you should think twice before using its service. If you feel that the company is hiding something from you, that may also indicate some downside to its service.
Another red flag is reports that point to very few issues or find no issues at all. A project with almost no issues, or none, is extremely rare. Even a tried-and-tested piece of smart-contract code borrowed from another DeFi protocol can contain inaccuracies, and the assumptions it was written under may not hold in the new protocol; such problems do not necessarily threaten users' funds, but they still create inconvenience in one way or another.
The final red flag is an anonymous team. Reputation is the main asset an auditor has and the one it puts forward to attract clients. An auditor whose members are anonymous is staking no personal reputation on the work and cannot be held accountable if an audit turns out to be negligent; anonymity may well mean that the team wants to shield itself from consequences it expects to face, and in that case the risk is passed straight on to the client. A potential client should not ignore this sign.
The company's reputation is the bottom line. If you use the services of a smart contract audit company with a poor reputation, you do so at your own risk. Audit companies with solid reputations on the market normally charge more, but the price is worth paying if you can afford it. For your money, you get a detailed report of the bugs and potential exploits found, with suggestions for eliminating them, and you get firmer assurances of the audit's quality, because the market leaders adhere to the highest standards in their work.
Doing your own research is an important part of choosing a smart contract auditor. I hope that the tips I have provided will help you and others to have a better understanding of how to make the process smoother.