According to Hacken, 76.5% of cryptocurrency projects have either:
- not passed a security audit, or
- have not publicly disclosed the fact they had been audited
Audits are the first line of defense when it comes to finding a safe yield farm.
But even if a project has been audited, your funds are never 100% SAFU (I’ll explain why later).
In this guide, we’re going to go over why audits are important, how projects can easily create false audits, and our review of 11 major auditing companies.
Let’s dive in!
The History of Blockchain Audits
The DeFi space has blown up over the last few years. At its peak in early May this year, almost $90 billion USD was locked in DeFi (according to DeFi Pulse), while new projects are coming out every single day.
However, massive growth also entails massive security risks.
Given the unregulated nature of the industry, exploits and hacks have become ubiquitous in DeFi, with even well-established protocols falling victim to security breaches costing users millions in stolen funds.
This is where audits come into play. Audits are third-party reviews of smart contract code with the goal of picking out bugs, coding errors, and other potential security exploits.
Today, audits play an essential role in helping users determine the legitimacy of a project out in the Wild West of the blockchain world.
But does a project being audited really guarantee your safety?
Why Are Audits Important?
A complete beginner to yield farming might see a project proudly brandishing its TechRate audit and deem it completely safe.
But if you’ve been in the scene long enough, you’ll know that a TechRate audit can be completely pointless.
Because not all auditing companies are the same.
For example, TechRate uses “automated scanning” tools in the free version, which scan through large amounts of code, and that’s pretty much potato.
Other auditing companies will take the time to manually (and painstakingly) comb through every line of code, one by one.
Before we take a look at some individual audit companies, let’s examine some audit risks in more detail.
What Are The 4 Major Audit Risks?
Not all audits are equal.
In fact, there are 4 main reasons why audits may not be guarantees of safety:
- They’ve been forged.
- The audited code may live only in a GitHub repository, not on-chain.
- Not all contracts may be included in the scope of the audit.
- The auditor’s skill level may be lacking.
Let’s kick it off with forged audits:
Wait, People Can Forge Audits?
Yes! There are quite a few crafty projects that decide to slap an “Audited by…” label on their website, when in fact it hasn’t been audited at all.
For example, take a look at this tweet by PeckShield:
Unfortunately, this is quite common in the crypto space. Shady developers can simply slap their name on a professional-looking PDF file and say they’ve been “audited.”
The only way to verify if a project is officially audited is to check the auditor’s website or social profiles for confirmation that the audit has been conducted.
Otherwise, don’t fall for this trap!
The Code is Contained in GitHub Repositories
GitHub is an online platform for open source code hosting and collaborative software development.
A ubiquitous tool in the tech space, GitHub is used by developers the world over to share code and collaborate on all things tech in a transparent manner. Smart contracts are no exception.
However, this same reputation for transparency is also the very thing that can be abused by bad actors looking to push out scam protocols. Shady developers can publish a legitimate smart contract on GitHub, have it audited, and then simply deploy a completely different contract on the chain.
Additionally, some of these GitHub repositories may be private, meaning the public has no way to verify the contract themselves if they wished to go the extra mile with their due diligence.
At RugDoc, we work around this by only reviewing contracts already on the chain, rather than on GitHub.
To circumvent this, always double check that the actual deployed contracts were audited and not just the GitHub repository.
Contracts Outside The Audit’s Scope
Projects may sometimes add additional, unaudited contracts to their protocol after being audited.
To ensure that you’re safe, make sure you carefully check the audit report for its scope, or the exact documents it reviewed. This will normally be near the very front of the report:
Lack of Skill
Hey, auditors are people too, just like you and me.
And sure, it’d be great to spend weeks sipping coffee and examining each and every letter of code in a smart contract. But this is the ever-evolving DeFi space we’re talking about.
Some auditing firms have had to grow so rapidly that they ended up hiring less qualified personnel.
And with less qualified auditors comes a weaker guarantee over the security of the protocol than would be desired. As a result, some more serious projects have been hiring Solidity engineers and white-hat hackers to battle-test their projects against exploits instead of relying on audits.
11 Cryptocurrency Auditing Companies Rated (with Pros & Cons)
Here, we’ll briefly go over 11 major cryptocurrency auditing companies and rate them based on their pros and cons.
TechRate
Ohhh, boy. Do I have a LOT to say about TechRate…
But first, some history:
TechRate is a smart contract auditing firm based in Moscow, Amsterdam and Vancouver. It provides both a free and a paid service (starting at $900).
And the free service is, as you might have guessed, as valuable as a popsicle stick.
TechRate’s free service relies on automated scanning tools that search the code for bugs and vulnerabilities.
In short, we can pretty much say nobody REALLY looks at the code in the free service—just some quick scans to see if there’s anything potentially malicious or buggy that matches their existing database.
The paid service, however, offers an additional manual line-by-line code review (as audits SHOULD do!), though the paid service doesn’t seem to be very high-quality, either.
Audit reports are hosted on GitHub and listed on their website, but they note that some reports may be made private in the case of high severity issues or the developer’s disclosure policy.
While they also offer a free re-check of the contract after the initial audit, it appears that their reports do not indicate whether or not their recommendations were fixed.
Pros:
- Provides a free service to those that can’t afford to pay
Cons:
- The free service is worthless and nowhere near a professional audit
- Sparse audit reports lack in-depth detail
- No indication of recommendations being fixed or not
Final Rating: 4 / 10
Now that we got THAT out of the way, let’s take a look at something more stomach-able…
Hacken
Hacken is a cybersecurity firm based in Kyiv, Ukraine with a focus on blockchain security. This firm has audited companies in the DeFi space like Goose Finance, Kyber Network, RAMP DeFi, Ellipsis Finance and many others.
In addition to smart contract audits, it offers a suite of products and services including HackenAI, a personal cybersecurity app; CER.Live, a crypto exchange security ranking service that’s partnered with CoinGecko; and a bug bounty program called HackenProof.
Its auditing process involves both automated scanning and manual code review, ultimately resulting in reports that detail the scope of the audit and whether or not their recommendations were fixed.
While Hacken’s audits are a step above TechRate, that doesn’t mean their audited projects are bulletproof, either. Merlin Labs, a fork of the popular PancakeBunny farm, suffered an exploit of 240 ETH, having passed an audit by Hacken just 11 days before the exploit.
It just goes to show that you can never be 100% safe in DeFi land, even with a “credible” audit.
Pros:
- Detailed audit reports covering automated scanning, manual reviews and functional testing
- Offers a community-driven bug bounty program called HackenProof
- Partnered with CoinGecko to provide Trust Scores for crypto platforms
Cons:
- Can be considered a “premium version” of TechRate
Final Rating: 6 / 10
Paladin
Paladin is a relatively new player in the auditing space looking to provide a more “user-centric” approach to security (i.e., an emphasis on the protection of users from malicious developers).
Forgoing automatic scanning altogether, Paladin’s team of blockchain experts manually comb through the code line-by-line to get a holistic understanding of every function and its purpose, thereby helping them better identify loopholes and potential exploits.
In pursuit of user safety, Paladin aims to flag as severe any issues hinting at possible rug pulls that other firms may gloss over. Furthermore, it has thus far only conducted audits on on-chain contracts, mitigating the risk of shady developers ultimately deploying a different contract.
Paladin also indicates whether the final deployed contracts match the ones in the zip or GitHub, so there’s no need to dig up information to see if the contracts match.
One possible downside is the team is not doxxed—so you don’t know the face behind the audits.
Pros:
- Thorough line-by-line manual code review without reliance on automated tools
- Mainly audits on-chain contracts; otherwise uploads privately-hosted .zip files for independent user verification
- Reviews deployed contracts to ensure they are the same as the audited version
- Aims to take a “user-focused” approach to security
Cons:
- Relatively new player in the auditing space
Final Rating: 9 / 10
Consensys Diligence
Consensys Diligence is a smart contract auditing service under the Consensys umbrella, a blockchain development company.
You may be familiar with this company if you’ve heard of certain projects like Uniswap, 1inch, Aave, and Paxos.
So yeah, they’re pretty big.
As a leader in the auditing space, Consensys Diligence frequently publishes academic papers advancing blockchain tech and has developed, among other products, MythX, a widely-used tool for automated smart contract review.
Its reports, which are all available for perusal on their website, are detailed, technical and include very clear indicators on the status of recommendations (e.g. fixed, pending, etc.). Furthermore, each report explicitly states the length of time committed to the audit, as well as its scope.
Pros:
- Developed (and uses) MythX, a state-of-the-art tool for automated smart contract review
- Publishes academic research in the security field
Cons:
- Might have a huge backlog
- Price can be costly
Final Rating: 8.5 / 10
CertiK
Founded by cybersecurity and computer science professors from Yale and Columbia, CertiK is a smart contract auditing company that has built a reputation for itself as the industry standard. It is the most popular auditing company in the space, with Cointelegraph touting it as the “most capitalized blockchain security company on the market.”
Oh, and the big boy Binance also partnered with CertiK, too:
CertiK is known for its proprietary “Formal Verification” approach, which is a fancy way of saying that it uses math to find common vulnerabilities. Notable protocols that CertiK has audited include PancakeSwap, Aave, and 1inch (sounds like another auditing company we mentioned before, eh?).
In addition to detailed audit reports, their website lists and ranks all of their audited projects based on “security score”, alongside other information like social media sentiment and real-time on-chain monitoring.
Even though the website’s interface is nice, CertiK is constantly swamped with audits. The number of audit requests they receive is insane given their popularity, and because of this, they may at times sacrifice quality for quantity.
CertiK also has a major flaw in that they may not list potentially malicious code as “high risk.” For example, the infamous migrator code, which has the ability to transfer all users’ staked funds out of a smart contract, is not flagged as a major threat in their review.
CertiK also attempts to have community alerts for rugs on their website, which can be helpful:
You can even buy their own token, called CTK token. CTK is the native utility token of the platform and can be used for gas consumption of smart contracts, staking, governance, and collateral for CertiKShield, CertiK’s own insurance program.
Pros:
- Generally considered the industry standard
- Utilizes Formal Verification, automatic scanning and manual review
- Officially recommended by Binance
- Has other offerings such as CertiKShield
Cons:
- Does not explicitly address centralization issues
- Audits can take a longer time to release since they have higher demand
- Commonly accepts GitHub code
Final Rating: 7 / 10
Obelisk
With an undoxxed team and no website copy apart from “We make DeFi a safer place,” Obelisk is something of an unknown in the auditing space. However, one admin on Beefy Finance’s Telegram can be seen saying the following:
Their audit reports, while lacking in the professional polish seen in more established firms, are solid. They are detailed yet digestible, and include clear indications of whether or not their recommendations have been addressed.
Moreover, they also conduct final reviews after deployment to ensure that there’s no foul play on the end of the developers.
Pros:
- Utilizes both automatic scanning and manual review
- Manual reviews are performed by two experts independently of each other
- Conducts final review after deployment to ensure that the contract is the same as the audited one
Cons:
- Relatively new player in the space
- Team is not doxxed and their credentials are unknown
Final Rating: 7.5 / 10
OpenZeppelin
OpenZeppelin, besides having a pretty cool name, is a company specializing in both smart contract audits and blockchain development products.
Its flagship product, Contracts, is a popular library of Solidity (the main language used to write DeFi apps) templates to help developers create apps on solid foundations while minimizing security risk.
Its development of this product points towards their expertise in blockchain security, further showcased by their auditing of big names such as Compound and Brave.
However, it should be noted that clients can choose to have their audit report kept private, meaning users may not be able to independently verify the legitimacy of a given project claiming to have passed their audit.
Pros:
- Developed OpenZeppelin Contracts, a widely used library of templates for Solidity smart contracts
Cons:
- Accepts GitHub-hosted source code
- Client can choose to not publish final audit report
Final Rating: 8.5 / 10
Omniscia
Omniscia is a relatively new company composed of ex-auditors from top 5 auditing firms. It boasts a clean, no-fuss home page, and has audited projects like AllianceBlock, DiamondHand, and… Iron Finance.
Wait, Iron Finance, that project that got exploited and lost over $2 billion? Yup, that Iron Finance. Even though Omniscia audited the project, it wasn’t entirely Omniscia’s fault as the project had bad tokenomics.
However, they still did not identify the core protocol’s weakness.
Overall, Omniscia’s reports are detailed and thorough, broken up into automatic scanning, manual review and code style segments. They use tools like Slither, Surya, and Echidna to review projects’ code.
The scope of the audit is clearly indicated at the beginning and recommendations are followed by the alleviations conducted by the developer.
Pros:
- Thorough reports with both automatic scanning and manual line-by-line code review
Cons:
- Accepts GitHub-hosted source code
- Team is not doxxed and their credentials are unverified
Final Rating: 7.5 / 10
Solidity Finance
Solidity Finance is an auditing company whose process forgoes automatic scanning for manual line-by-line code review and simulation testing.
In addition to accepting GitHub-hosted source code, Solidity’s FAQ indicates that they generally do not require KYC from their clients. This, combined with the fact that not all reports are available for public perusal, may be a point of concern.
Furthermore, the reports themselves are less thorough than others, lacking the clearly defined “recommendations” and “alleviations” sections usually seen in the reports from the most well-regarded auditing firms.
Pros:
- Manual line-by-line code review
- Runs simulations to test for security vulnerabilities
Cons:
- Accepts GitHub-hosted source code
- Sparse audit reports lacking in detail
- Team is not doxxed and their credentials are unknown
Final Rating: 6.5 / 10
Trail of Bits
Founded in 2012, Trail of Bits is a veteran in the security space, auditing projects such as Curve Finance, C.R.E.A.M, and Frax Finance. In addition to smart contract auditing and other security review services, it creates security products and tools and publishes academic research.
Notably, Trail of Bits is the developer of Slither, perhaps the most widely-used automatic scanning tool in smart contract auditing.
Their reports are thorough and detailed, but apparently not updated with developer alleviations. In addition, publicized drama between Trail of Bits and one of their clients, Hegic, showed that their process for determining the amount of effort and time assigned to each audit may lead to misunderstandings with devastating consequences.
Pros:
- Developed Slither, a widely-used tool for automated smart contract review
- Publishes research in the security field
Cons:
- Arbitrary levels of effort assigned to each project (full audit or review?), leading to mishaps
- Not all audit reports are available
Final Rating: 8.5 / 10
PeckShield
Comprised of a team of security experts and researchers from top tech companies, PeckShield is a Chinese auditing firm with a legitimate corporate flair and the venture capital backing to boot.
Its audit reports are incredibly comprehensive and technical, making it clear why it’s considered an industry leader and a recommended vendor by Etherscan.io.
Outside of its auditing services, PeckShield is also a mainstay on the Ethereum Bounty Program leaderboard and regularly publishes high-quality research papers and root cause analyses of protocol exploits.
Pros:
- Comprehensive and technical audit reports
- Industry leader with venture capital funding
- Team is comprised of senior security experts and researchers from top tech companies
Cons:
- Some audit reports are only available in Chinese
Final Rating: 9 / 10
RugDoc
OK, I had to include this one in the list.
If you’ve been in RugDoc long enough, you’ll know that it all started with a nifty tool called DiffChecker.
By effortlessly scanning through and comparing two different documents, DiffChecker is the easiest way to make sure that a deployed contract is the same as the privately audited one.
And while we still use this tool today, a RugDoc review of any project we scan and add to our growing farms list is NOT a true audit.
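To make the comparison concrete, here is an added Python example in the spirit of the deployed-versus-audited check described above and in the GitHub section. It is not RugDoc’s DiffChecker and not any auditor’s tooling: it normalizes two Solidity sources (comments and whitespace ignored), reports what the deployed contract adds or removes relative to the audited one, and flags added lines that touch fund movement or a migrator. Both contracts are constructed samples, not real projects.

```python
"""Check that a deployed contract matches the audited source.
Added example, not RugDoc's DiffChecker or any auditor's tool; the
two contracts below are constructed samples, not real projects."""
import difflib
import re

# Constructed sample: the contract as it was submitted for audit.
AUDITED = """
pragma solidity ^0.8.0;
contract MasterChef {
    address public owner;
    function deposit(uint256 pid, uint256 amount) external {
        // pull tokens from the user
    }
    function withdraw(uint256 pid, uint256 amount) external {
    }
}
"""

# Constructed sample: what was actually deployed. Same code, plus a
# migrator that can move every user's staked tokens to any address.
DEPLOYED = """
pragma solidity ^0.8.0;
contract MasterChef {
    address public owner;
    address public migrator;  /* set later by owner */
    function setMigrator(address m) external { migrator = m; }
    function deposit(uint256 pid, uint256 amount) external {
    }
    function withdraw(uint256 pid, uint256 amount) external {
    }
    function migrate(uint256 pid) external {
        lpToken[pid].safeTransfer(migrator, lpToken[pid].balanceOf(address(this)));
    }
}
"""

# Substrings whose appearance in *added* code deserves a human look
# before the audit is trusted: fund movement and privileged hooks.
SUSPICIOUS = ("migrat", "safeTransfer(", ".transfer(", "selfdestruct", "delegatecall")

def normalize(src: str) -> list[str]:
    """Strip // and /* */ comments, collapse whitespace, drop blank lines."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    lines = (" ".join(line.split()) for line in src.splitlines())
    return [line for line in lines if line]

def diff_sources(audited: str, deployed: str) -> dict:
    """Report code lines the deployed contract adds or removes relative
    to the audited one, and which added lines match SUSPICIOUS."""
    a, d = normalize(audited), normalize(deployed)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, d).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(d[j1:j2])
    flagged = [ln for ln in added if any(k in ln for k in SUSPICIOUS)]
    return {"identical": not (added or removed), "added": added,
            "removed": removed, "flagged": flagged}

if __name__ == "__main__":
    for ln in diff_sources(AUDITED, DEPLOYED)["flagged"]:
        print("NEEDS REVIEW:", ln)
```

A comment-only difference (the audited copy has a comment the deployed copy lacks) is reported as identical, while the added migrator lines are both listed and flagged.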
What is The Difference Between a Review And an Audit?
A review is an examination of a project’s code with the goal of identifying possible malicious intent on the developer’s end, while an audit is a more thorough analysis of the code with the main goal of securing it from external attacks.
Here at RugDoc, we ONLY do reviews:
- We do not analyze their tokenomics.
- We do not check in with the developers to make sure they use their deposit fees properly.
We simply review each line of code to see if there is any particularly malicious code.
This does NOT mean a farm we label as “Low Risk” cannot steal your funds. It simply means that we have evaluated the code and that it is highly unlikely it can steal 100% of all underlying assets from everyone in the project at once.
To find out more about our risk ratings, head on over to our home page and click on “Free Money”* (*not actually free money, duh).
What About Bug Bounty Programs?
A bug bounty program is when a cryptocurrency project or company offers a reward (usually monetary) in exchange for finding bugs or potential exploits in their code. Bug bounties benefit the user as they can offer large monetary rewards, such as Balancer Labs offering 1,000 Ethereum as the top prize.
While bug bounty programs can definitely offer more security for projects, Hacken found that only 16.6% of projects actually had an active bug bounty program at their time of investigation.
In short, most projects don’t have bug bounties… and many don’t even care.
Unlike the waves of auditing companies out there, bug bounty programs exist, but are fewer in number. Some popular ones include:
What About Timelocks?
A timelock is a piece of code in a smart contract that can lock the functionality of an application for a certain amount of time. Timelocks can help prevent rugs… but only if malicious code isn’t already present in the smart contract.
How do timelocks work? And how much time do you have before a contract can be modified? Learn more in this article here: Timelocks Explained
And there you have it!
Remember, the key takeaway is that just because a project has been audited (and even by the most reputable firm) doesn’t mean that it’s 100% safe.
That said, there are definitely things you can look out for to help you err on the side of caution.
Hopefully, this article gave you the insight necessary to help make your farming journey just a little safer!