How to choose the best smart contract auditing firm?

Portfolio

One of the easiest and quickest ways to initially filter off smart contract auditing companies is by taking a look at their portfolios.

First of all, check whether the projects audited by the given company have been exploited. Such a company will not be your first choice but, if you have time, we encourage you to dig deeper and check how they behaved and whether they helped handle the security incident.

A significant factor may also be the popularity and longevity of the project. If you would like to learn more about the company’s experience, you may always ask for past client’s testimonials and references.

As an example, see the one we got from FujiDAO

Expert team

However, the portfolio is not everything. Take into consideration the experience and reputation of individuals who will be working on your contracts. If these smart contract auditors have proven vast expertise in DeFi and contribute to the security of the whole blockchain security space by educating and sharing good practices with others, it’s a big green flag. At the same time, the anonymity of any of the team members and lack of contribiutions is a red one.

Always ask who will be on the team auditing your code.

Methodology

Prior to choosing a company, learn more about its methodology and practices. Together with a team talk about the scope of the smart contract security audit, tools, and standards used to perform the audit. That means what types of verification are made, and is there any checklist that is being followed by auditors.

The most basic version of the smart contract audit service should include:

• establishing the scope
• automated testing with the use of available tools
• manual review of the contract
• audit report

However, what we mention above is a minimum you should expect. Auditing companies often go way beyond what we mentioned. For example, our standard practices include:

• advising in choosing service that is the most suited to your needs,
• close and constant communication during the whole collaboration process through your preferred communication channel,
• threat modeling,
• verification to check whether vulnerabilities had been removed by the client,
• possibility of setting up a call to talk through possible solutions with a client,
• being in touch with clients, once the service is done.

An extensive smart contract audit report should include a detailed description of all issues found and suggestions for how to fix them. Each found vulnerability should be presented together with a realistic risk assessment, detailed description and steps that should be taken to remove them. Such an approach results in elaborate reports which may significantly increase the quality and security of your smart contract.

Learn what the report will look like. Request a public audit report.

Detecting vulnerabilities is one thing, but the fixes made by your team are also important. Ask whether smart contract auditors will provide you with retests once your project team finishes removing all the bugs from the code. Such practice additionally ensures the safety of your smart contracts.

Find out here what our approach to smart contract auditing is.

Customized Approach

All on-chain projects differ from each other, and so do their needs. Providers who are flexible in adjusting services to your needs and capabilities (also in terms of funds and timing) are the ones to opt for.

If you’re tight on budget, auditing companies should be able to provide you with the option that will help keep your project as secure as possible within a range.

What is more, depending on what stage is your project, auditors may advise you to take actions other than smart contract audits. These may include threat modeling or consultations. Being able to advise you on what’s best for you is undoubtedly one of the important qualities of smart contract auditors.

Summary: Better safe than sorry

No matter at what stage of development your project is, the security of the smart contract should be one of your priorities. By taking your time and researching the security companies you consider choosing, you may save yourself, and what’s most important your clients, a great amount of trouble by minimizing vulnerabilities and threat scenarios.

• Did you like this article? Share it on social media!

Composable Security 🇵🇱⛓️ is a Polish company specializing in increasing the security of projects based on smart contracts written in Solidity. Examples of projects that have trusted us are market leaders such as FujiDAO, Enjin, Volmex Finance, DIVA Protocol or Tellor. We are creators of the Smart Contract Security Verification Standard. Speakers at various conferences such as EthCC, ETHWarsaw, or OWASP AppSec EU. Authors of numerous publications on DeFi security. Experienced auditors operating in the IT Security space since 2016.

If you need support in the field of security or auditing smart contracts do not hesitate to contact us.