Which smart contract auditors will review our code, and what is their experience?
Smart contract audits are performed by Damian Rusinek (@drdr_zz) and Pawel Kurylowicz (@wh01s7).
Damian holds a PhD and is a Security Researcher and speaker (ETHcc, Web3 Security Conference, AppSec Global, ETHWarsaw) who pays attention to high quality and every detail.
Pawel is a Security Researcher with over 7 years of professional IT security experience and the creator of a training program for developers. He focuses on the efficient use of resources and the best possible result for the project.
Both of them have actively contributed to the crypto space since 2017. Composable Security has also helped a dozen projects to keep their smart contracts secure. Among them are FujiDAO, Enjin, DIVA Protocol, Volmex Finance, and Tellor.
How are smart contracts audited?
We believe that smart contract security should be adapted to each stage of development. Smart contract audits are a good choice under the following circumstances:
- before a release
- after significant changes
- as a cross-check
If you're in one of the mentioned stages and decide on a smart contract audit, you will receive from us a checklist that will help you prepare for the whole process. Before we start working on improving the security of your project, we want to gain a deep understanding of it so that we can suit your needs and give you much better advice.
Next, we perform initial threat modeling to focus on the most important threats that real attackers will try to exploit. Then we run automated tests with various tools and custom detectors to use audit time effectively. Finally, we manually verify the code line by line so as not to miss anything that could threaten your users.
For additional security, key functionalities are internally cross-checked by at least two auditors. After such intensive tests, we create a final audit report that will be a valuable source of security information for your team. It includes an executive summary, threat analysis, vulnerability descriptions, and recommendations sections.
Next, we give you time for improvements. Once they're done, we retest to ensure that the recommendations have been introduced in the right way and that the found vulnerabilities no longer exist. During the whole process, we want to work closely with you and adapt the service to your needs.
We like to communicate directly with your team (e.g. through Slack or Telegram).
We do it all because as a smart contract audit company we believe in DeFi and innovation. We want to do our best to help you build with minimized risk.
To read more about our approach head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
Do you use manual auditing, automated tools, or a combination of both?
Smart contract auditing is performed in a few stages. First, we do initial threat modeling so that the tests include potential attack scenarios designed specifically for your project.
Next, we move on to automated testing, which we use to detect repetitive bugs and use time efficiently. Afterward, we spend a significant part of our time on manual review. During this stage, we go line by line through your code to check for integration and business logic vulnerabilities.
To learn more about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
What types of vulnerabilities do you focus on?
Since we individualize our services for each client’s needs, it partly depends on the client.
During the smart contract audit process, we provide you with a comprehensive review and evaluation of a smart contract's code and functionality to identify any potential security vulnerabilities, bugs, or deviations from best practices. What is more, one of the tools we use during audits is the Smart Contract Security Verification Standard, a checklist that standardizes the security of smart contracts.
To learn more about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
How do you keep up with the latest vulnerabilities and attack vectors in the smart contract landscape?
We make sure to regularly educate ourselves on the latest findings, solutions, and news in the security space by reading publications and reports by experts and experienced smart contract auditors. Moreover, we attend real-life events and conferences such as DeFi Security Summit, EthCC or EthWarsaw. At some of them, we're not only attendees but also speakers.
Watch the recording of the security panel during the first edition of EthWarsaw, in which one of our founders, Damian, held a discussion with other security experts: https://composable-security.com/blog/eth-warsaw-2022-security-panel/
How long does an average smart contract audit take?
It depends on the complexity of the smart contract. However, on average it takes approximately one to two weeks.
To learn about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
What factors might extend the audit timeline?
The smart contract audit timeline can be extended if we find atypical vulnerabilities that need complicated solutions, or if external factors beyond our control arise. The customer is informed on an ongoing basis about any such situation.
What is included in your standard smart contract audit scope?
We always customize all blockchain security services to the project's needs and preferences.
Usually, the smart contract audit scope includes a selected commit ID of a given repository along with a list of selected contracts. Well-known and repeatedly tested dependencies (like OpenZeppelin) are usually excluded from the scope.
To learn about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
What kind of post-audit support do you provide?
After you introduce the changes to the smart contract, we perform a one-time verification to make sure that the recommendations have been introduced in the right way and that the found vulnerabilities no longer exist. Afterward, we are always open to answering our clients' questions and helping them solve security-related issues.
To learn about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
Do you provide a retest after the vulnerabilities are fixed?
We provide a one-time retest, included in the initial price, after all the security vulnerabilities have been fixed. This way we always double-check your security.
To learn about how we perform smart contract audits head to this article: https://composable-security.com/blog/smart-contract-audit-our-approach
How do you determine smart contract audit price?
The price of the audit depends on many factors, but the following have a key impact on the price:
- number of lines of Solidity code (nSLOC),
- the complexity of the code,
- documentation quality and code clarity,
- whether the auditors know your protocol and the components you use,
- whether you are using standard implementations or implementing something from scratch,
- the deadline for the audit.
Smart contract audit cost can be slightly reduced if, before the audit, you use the checklist we prepared: https://composable-security.com/blog/smart-contract-audit-the-best-tips-on-how-to-be-prepared-better/
What contributions has your team made to the smart contract auditing industry?
We are creators of the Smart Contract Security Verification Standard, a FREE and comprehensive checklist created to standardize the security of smart contracts for developers, architects, security reviewers, and vendors.
You can find it here: https://github.com/ComposableSecurity/SCSVS
We have also created the first DApp Security Guide, allowing for a multi-layered and comprehensive approach to security for smart-contract-based projects.
You can find it here: https://composable-security.com/security-guide/
Are any of your team members actively speaking at conferences, or publishing research?
Both founders of Composable Security regularly participate in meet-ups and conferences, at which Damian often speaks.
You can watch a recording from the first edition of ETHWarsaw during which he participated in the Security Panel: https://composable-security.com/blog/eth-warsaw-2022-security-panel/
All of the Composable Security team members contribute to spreading knowledge about blockchain security through publishing articles on our blog: https://composable-security.com/blog/
Can you provide references from past clients?
Yes, please contact us requesting references.
Can we review some samples of your previous audit reports?
Definitely yes, most of them are here: https://github.com/ComposableSecurity#professional-collaboration.
To get access to the latest ones, write to us.
Have any of your audited smart contracts been compromised?
None of the projects that have worked with us have been compromised.
Cooperation with us includes, in addition to the audit itself, a number of tips and advice on further steps that significantly minimize risk. An example is a cross-check by companies whose quality of service we are convinced of. Multiple smart contract audits have allowed vulnerabilities to be detected after our audit; similarly, we have detected vulnerabilities after audits by market leaders.
Do you offer any guarantees, post-audit coverage, or warranties?
This is not in our standard offer. However, we can adapt to the customer and, if required, we are able to prepare such an offer on request.
If a vulnerability is discovered after the audit, how will you handle it?
We have detected vulnerabilities in the code after audits by other companies more than once. Minimizing risk is not the same as eliminating it, and although such cases are rare, they do happen.
In such a case, we help the client remove the detected vulnerability and provide consultation. We add the omitted vulnerability to our internal checklist so as not to miss the same attack vector a second time.
How do you handle urgent audit requests?
We always try to adapt to the customer's needs. If there is an available date, no problem. If there are no available dates and the project is urgent, we will try to move other projects by talking to their teams to see if any of them can be done at a later date. If this fails, we redirect you to our trusted partners, who we know do a great job.
We do not accept customers if there is no appropriate slot in our schedule; we do not compromise on quality.
What is a smart contract audit?
A smart contract audit is a comprehensive examination of the code underlying a blockchain-based smart contract. This process involves expert auditors looking for security vulnerabilities, design issues, and efficiency problems. The goal is to ensure the smart contract operates as intended, without any flaws that could lead to security breaches, rug pulls, or hacks.
A smart contract audit is crucial in the blockchain ecosystem to maintain trust and reliability in projects building decentralized applications.
Do you have a smart contract audit checklist?
Yes, we created two checklists.
The first helps you prepare better for a smart contract audit: https://composable-security.com/blog/smart-contract-audit-the-best-tips-on-how-to-be-prepared-better/
The second shares knowledge about known threats: https://github.com/ComposableSecurity/SCSVS
This smart contract audit checklist includes code functionality review, security vulnerability analysis, gas optimization, compliance with established coding standards, and testing for potential attacks like reentrancy, overflow/underflow, and more. This comprehensive approach aims to provide the highest quality of smart contract audits.
Who needs a Smart Contract Audit?
Smart contract audits are essential for developers, businesses, and organizations utilizing blockchain technology. Whether you're launching a new DeFi platform, NFT project, or any blockchain-based application, a smart contract audit is crucial.
It’s especially vital for those who are building immutable projects or handling significant financial transactions to ensure security and build user trust.
Which blockchains do you audit?
Our expertise spans a wide range of blockchains, including most of the EVM-based blockchains: Ethereum, Arbitrum, Polygon, Avalanche, Optimism, Fantom, Cronos, Canto and more. Understanding the uniqueness of each blockchain, we tailor our audit processes to suit the specific requirements and standards of the blockchain your smart contract operates on.
We support Rust-based projects by recommending proven specialists.
Why do smart contracts need to be audited?
Smart contracts need to be audited to ensure their security and effectiveness. As they are self-executing contracts with the terms directly written into code, any flaws can lead to significant financial losses.
Smart contract audits help identify vulnerabilities before deployment, safeguarding against potential hacks and ensuring the contract functions as intended.
How do I get my smart contract audited?
To get your smart contract audited, simply reach out to us through the contact form and schedule a FREE security consultation. Our process begins with an initial assessment, followed by a comprehensive audit. We provide detailed reports, recommendations, and continuous support throughout the process.
Contact us today to secure and optimize your smart contract.