What is a Smart Contract Audit? A Review of Different Audits

Smart contract audits are the first line of defense to safeguard your funds. But not all audits are equal. Learn which ones are best and which to avoid.

According to Hacken, 76.5% of cryptocurrency projects either:

  • have not passed a security audit, or
  • have not publicly disclosed that they were audited.

Yikes!

Audits are the first line of defense when it comes to finding a safe yield farm.

But even if a project has been audited, your funds are never 100% SAFU (I’ll explain why later).

In this guide, we’re going to go over why audits are important, how projects can easily create false audits, and our review of 11 major auditing companies.

Let’s dive in!

The History of Blockchain Audits

The DeFi space has blown up over the last few years. At its peak in early May this year, almost $90 billion USD was locked in DeFi (according to DeFi Pulse), while new projects are coming out every single day.

However, massive growth also entails massive security risks.

Given the unregulated nature of the industry, exploits and hacks have become ubiquitous in DeFi, with even well-established protocols falling victim to security breaches costing users millions in stolen funds. 

This is where audits come into play. Audits are third-party reviews of smart contract code with the goal of picking out bugs, coding errors, and other potential security exploits. 

Today, audits play an essential role in helping users determine the legitimacy of a project out in the Wild West of the blockchain world. 

But does a project being audited really guarantee your safety?

Why Are Audits Important?

A complete beginner to yield farming might see a project proudly brandishing its TechRate audit and deem it completely safe.

But if you’ve been in the scene long enough, you’ll know that a TechRate audit can be completely pointless.

Why?

Because not all auditing companies are the same.

For example, the free version of TechRate’s service runs “automated scanning” tools over the code, and that’s about all it does.

Other auditing companies will take the time to manually (and painstakingly) comb through every line of code, one by one.

Before we take a look at some individual audit companies, let’s examine some audit risks in more detail.

What Are The 4 Major Audit Risks?

Not all audits are equal.

In fact, there are 4 main reasons why an audit may not be a guarantee of safety:

  1. The audit has been forged.
  2. The audit covered code in a GitHub repository, not the contracts actually deployed on-chain.
  3. Not all of the project’s contracts are in the audit’s scope.
  4. The auditor’s skill level varies.

Let’s kick it off with forged audits:

Wait, People Can Forge Audits?

Yes! There are quite a few crafty projects that decide to slap an “Audited by…” label on their website, when in fact it hasn’t been audited at all.

For example, take a look at this tweet by PeckShield:

Unfortunately, this is quite common in the crypto space. Shady developers can simply put an auditor’s name on a professional-looking PDF and claim they’ve been “audited.”

The only way to verify that a project was actually audited is to confirm it from the auditor’s side: check the auditor’s own website, report repository or social profiles for the report, rather than trusting a PDF hosted by the project itself.

Otherwise, don’t fall for this trap!

The Code is Contained in GitHub Repositories

GitHub is an online platform for open source code hosting and collaborative software development.

A ubiquitous tool in the tech space, GitHub is used by developers the world over to share code and collaborate on all things tech in a transparent manner. Smart contracts are no exception. 

However, this same reputation for transparency is also the very thing that can be abused by bad actors looking to push out scam protocols. Shady developers can publish a legitimate smart contract on GitHub, have it audited, and then simply deploy a completely different contract on the chain. 

Additionally, some of these GitHub repositories may be private, meaning the public has no way to verify the contract themselves if they wished to go the extra mile with their due diligence.

At RugDoc, we work around this by only reviewing contracts already on the chain, rather than on GitHub. 

To protect yourself, always double check that the actual deployed contracts were audited, not just a GitHub repository: the report should name the deployed addresses, or the source verified on the block explorer should match the audited commit.
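One way to carry out that check, as an added example rather than RugDoc’s or any auditor’s tooling: pull the runtime bytecode at the deployed address (for instance via eth_getCode on a node or from the block explorer), compile the audited commit with the compiler version and settings the report names, and compare the two after removing the CBOR metadata trailer that solc appends to every contract. That trailer carries a hash of the metadata JSON, which changes with file paths or comments even when the code is identical, so comparing raw bytes produces false alarms. Immutable variables and linked library addresses are also baked into runtime bytecode, so a genuine mismatch still has to be read alongside the verified source on the explorer. The bytecode strings below are constructed for the example and are not from any real contract.

```python
"""Compare deployed runtime bytecode against bytecode compiled from the audited source.

Added example, not RugDoc's or any auditor's tooling. solc appends a CBOR-encoded
metadata blob (IPFS or Swarm hash of the metadata JSON, compiler version) to the
runtime bytecode, and the final two bytes encode that blob's length. The hash
changes with file names or comments, so two builds of identical code can differ
only in that trailer. Strip it before comparing.
"""


def strip_metadata(runtime_code: bytes) -> bytes:
    """Return runtime bytecode without the trailing CBOR metadata, if one is present."""
    if len(runtime_code) < 2:
        return runtime_code
    meta_len = int.from_bytes(runtime_code[-2:], "big")
    if meta_len == 0 or len(runtime_code) < meta_len + 2:
        return runtime_code  # no plausible trailer, leave the code untouched
    trailer = runtime_code[-(meta_len + 2):-2]
    # solc's metadata is a CBOR map with one or two entries (0xa1 / 0xa2).
    if trailer[0] not in (0xA1, 0xA2):
        return runtime_code
    return runtime_code[:-(meta_len + 2)]


def normalize(hex_code: str) -> bytes:
    """Accept '0x'-prefixed or bare hex, as returned by eth_getCode or solc --bin-runtime."""
    hex_code = hex_code.strip()
    if hex_code.lower().startswith("0x"):
        hex_code = hex_code[2:]
    return bytes.fromhex(hex_code)


def same_code(deployed_hex: str, compiled_hex: str) -> bool:
    """True if the two runtime bytecodes agree once the metadata trailer is ignored."""
    return strip_metadata(normalize(deployed_hex)) == strip_metadata(normalize(compiled_hex))


# Constructed sample bytecode (not a real contract): a short code prefix plus a
# solc-style trailer: a2 64 'ipfs' 58 22 <34-byte hash> 64 'solc' 43 <3-byte version> 0033.
CODE = "6080604052348015600f57600080fd5b50"
CODE_TAMPERED = "6080604052348015600f57600080fd5b60"  # one byte of code differs


def _trailer(hash_byte: str) -> str:
    """Build a 51-byte CBOR metadata blob plus its 2-byte length (0x0033)."""
    return "a264697066735822" + hash_byte * 34 + "64736f6c6343" + "000812" + "0033"


AUDITED_BUILD = "0x" + CODE + _trailer("11")
DEPLOYED_SAME = "0x" + CODE + _trailer("22")              # only the metadata hash differs
DEPLOYED_TAMPERED = "0x" + CODE_TAMPERED + _trailer("11")  # the code itself differs

if __name__ == "__main__":
    print("deployed matches audited build:", same_code(DEPLOYED_SAME, AUDITED_BUILD))    # True
    print("tampered deployment matches:", same_code(DEPLOYED_TAMPERED, AUDITED_BUILD))   # False
```

In practice the first argument comes straight from the chain and the second from your own build of the audited commit; if `same_code` is False, read the diff of the verified source before concluding anything, since constructor-set immutables also show up as byte differences.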

Firebird Finance’s GitHub audit by Hacken

Contracts Outside The Audit’s Scope

Projects may sometimes add additional, un-audited contracts to their protocol after being audited. 

To stay safe, carefully check the audit report for its scope, i.e. the exact files or contracts it reviewed, and compare that list against the contracts you actually interact with. The scope is normally stated near the very front of the report:

An example of an audit report from Hacken detailing its scope

Lack of Skill

Hey, auditors are people too, just like you and me.

And sure, it’d be great to spend weeks sipping coffee and examining each and every letter of code in a smart contract. But this is the ever-evolving DeFi space we’re talking about.

Some auditing firms have had to grow so rapidly that they ended up hiring less qualified personnel.

Less qualified auditors mean weaker assurance about the security of the protocol than you would want. As a result, some more serious projects have been hiring Solidity engineers and white-hat hackers to battle-test their protocols against exploits instead of relying on audits alone.

11 Cryptocurrency Auditing Companies Rated (with Pros & Cons)

Here, we’ll briefly go over 11 major cryptocurrency auditing companies and rate them based on their pros and cons. 

TechRate

Ohhh, boy. Do I have a LOT to say about TechRate…

But first, some history:

TechRate is a smart contract auditing firm based in Moscow, Amsterdam and Vancouver. It provides both a free and a paid service (starting at $900).

And the free service is, as you might have guessed, as valuable as a popsicle stick. 

TechRate’s free service relies on automated scanning tools that search the code for bugs and vulnerabilities.

In short, we can pretty much say nobody REALLY looks at the code in the free service—just some quick scans to see if there’s anything potentially malicious or buggy that matches their existing database.

The paid service adds a manual line-by-line code review (as audits SHOULD do!), but it doesn’t seem to be very high-quality, either.

Audit reports are hosted on GitHub and listed on their website, but they note that some reports may be made private in the case of high severity issues or the developer’s disclosure policy. 

While they also offer a free re-check of the contract after the initial audit, it appears that their reports do not indicate whether or not their recommendations were fixed.

Pros:
  • Provides a free service to those that can’t afford to pay

Cons:
  • The free service is worthless and nowhere near a professional audit
  • Sparse audit reports lack in-depth detail
  • No indication of whether recommendations were fixed

Final Rating: 4 / 10

Hacken

Now that we got THAT out of the way, let’s take a look at something more palatable…

Hacken is a cybersecurity firm based in Kyiv, Ukraine with a focus on blockchain security. This firm has audited companies in the DeFi space like Goose Finance, Kyber Network, RAMP DeFi, Ellipsis Finance and many others.

In addition to smart contract audits, it offers a suite of products and services including HackenAI, a personal cybersecurity app; CER.Live, a crypto exchange security ranking service that’s partnered with CoinGecko; and a bug bounty program called HackenProof.

Its auditing process involves both automated scanning and manual code review, ultimately resulting in reports that detail the scope of the audit and whether or not their recommendations were fixed.

While Hacken’s audits are a step above TechRate, that doesn’t mean their audited projects are bulletproof, either. Merlin Labs, a fork of the popular PancakeBunny farm, lost 240 ETH in an exploit just 11 days after passing an audit by Hacken.

Ouch.

It just goes to show that you can never be 100% safe in DeFi land, even with a “credible” audit.

Pros:
  • Detailed audit reports covering automated scanning, manual review and functional testing
  • Offers a community-driven bug bounty program called HackenProof
  • Partnered with CoinGecko to provide Trust Scores for crypto platforms

Cons:
  • Can be considered a “premium version” of TechRate

Final Rating: 6 / 10

Paladin

Paladin is a relatively new player in the auditing space looking to provide a more “user-centric” approach to security (i.e., an emphasis on the protection of users from malicious developers).

Forgoing automatic scanning altogether, Paladin’s team of blockchain experts manually combs through the code line by line to get a holistic understanding of every function and its purpose, which helps them identify loopholes and potential exploits.

In pursuit of user safety, Paladin aims to severely flag issues hinting at possible rug pulls that other firms may gloss over. Furthermore, it has thus far only conducted audits on on-chain contracts, mitigating the risk of shady developers ultimately deploying a different contract. 

Paladin also indicates whether the final deployed contracts match the ones in the zip or GitHub, so there’s no need to dig up that information yourself (see pic below).

One possible downside is the team is not doxxed—so you don’t know the face behind the audits.

Audit of Paladin’s contracts showing whether the GitHub code matches the ones audited

Pros:
  • Thorough line-by-line manual code review without reliance on automated tools
  • Mainly audits on-chain contracts; otherwise uploads privately-hosted .zip files for independent user verification
  • Reviews deployed contracts to ensure they match the audited version
  • Aims to take a “user-focused” approach to security

Cons:
  • Relatively new player in the auditing space

Final Rating: 9 / 10

Consensys Diligence

Consensys Diligence is a smart contract auditing service under the Consensys umbrella, a blockchain development company. 

You may be familiar with this company if you’ve heard of certain projects like Uniswap, 1inch, Aave, and Paxos.

So yeah, they’re pretty big.

As a leader in the auditing space, Consensys Diligence frequently publishes academic papers advancing blockchain tech and has developed, among other products, MythX, a widely-used tool for automated smart contract review. 

Its reports, which are all available for perusal on their website, are detailed, technical and include very clear indicators on the status of recommendations (e.g. fixed, pending, etc.). Furthermore, each report explicitly states the length of time committed to the audit, as well as its scope.

Excerpt of Consensys Diligence’s audit of Aave Protocol 2.0
Pros:
  • Developed (and uses) MythX, a state-of-the-art tool for automated smart contract review
  • Publishes academic research in the security field

Cons:
  • Might have a huge backlog
  • Can be costly

Final Rating: 8.5 / 10

CertiK

Founded by cybersecurity and computer science professors from Yale and Columbia, CertiK is a smart contract auditing company that has built a reputation for itself as the industry standard. It is the most popular auditing company in the space, with Cointelegraph touting it as the “most capitalized blockchain security company on the market.”

Oh, and Binance, the big boy of the space, has partnered with CertiK too:

CertiK is known for its proprietary “Formal Verification” tooling, which uses mathematical proofs to show that a contract satisfies stated properties, rather than just scanning for known bug patterns. Notable protocols that CertiK has audited include PancakeSwap, Aave, and 1inch (some of the same names as another auditing company we mentioned earlier, eh?).

In addition to detailed audit reports, their website lists and ranks all of their audited projects based on “security score”, alongside other information like social media sentiment and real-time on-chain monitoring. 

Even though the website’s interface is nice, CertiK is constantly swamped with audits. The number of audit requests they receive is enormous given their popularity, and at times they may sacrifice quality for quantity.

CertiK also has a major flaw in that they may not flag potentially malicious code as “high risk.” For example, the infamous migrator code, which can transfer all users’ staked funds out of a smart contract, is not flagged as a major threat in their reviews.

CertiK also maintains community alerts for rugs on its website, which can be helpful:

CertiK's rug list

You can even buy their own token, called CTK token. CTK is the native utility token of the platform and can be used for gas consumption of smart contracts, staking, governance, and collateral for CertiKShield, CertiK’s own insurance program.

Pros:
  • Generally considered the industry standard
  • Utilizes formal verification, automated scanning and manual review
  • Officially recommended by Binance
  • Has other offerings such as CertiKShield

Cons:
  • Does not explicitly flag centralization issues
  • Audits can take longer to release because of high demand
  • Commonly accepts GitHub code

Final Rating: 7 / 10

Obelisk

With an undoxxed team and no website copy apart from “We make DeFi a safer place,” Obelisk is somewhat of an unknown auditor in the auditing space. However, one admin on Beefy Finance’s Telegram can be seen saying the following:

A message from a Beefy Finance admin stating that Obelisk is composed of early members of Beefy community

Their audit reports, while lacking in the professional polish seen in more established firms, are solid. They are detailed yet digestible, and include clear indications of whether or not their recommendations have been addressed.

Moreover, they also conduct final reviews after deployment to ensure that there’s no foul play on the end of the developers.

Pros:
  • Utilizes both automatic scanning and manual review
  • Manual reviews are performed by two experts independently of each other
  • Conducts a final review after deployment to ensure that the contract is the same as the audited one

Cons:
  • Relatively new players to the space
  • Team is not doxxed and their credentials are unknown

Final Rating: 7.5 / 10

OpenZeppelin

OpenZeppelin, besides having a pretty cool name, is a company specializing in both smart contract audits and blockchain development products.

Its flagship product, Contracts, is a popular library of reusable Solidity (the main language for Ethereum-compatible smart contracts) components that helps developers build apps on solid foundations while minimizing security risk.

Its development of this product points towards their expertise in blockchain security, further showcased by their auditing of big names such as Compound and Brave.

However, it should be noted that clients can choose to have their audit report kept private, meaning users may not be able to independently verify the legitimacy of a given project claiming to have passed their audit. 

Pros:
  • Developed OpenZeppelin Contracts, a widely used library of templates for Solidity smart contracts

Cons:
  • Accepts GitHub-hosted source code
  • Client can choose to not publish the final audit report

Final Rating: 8.5 / 10

Omniscia

Omniscia is a relatively new company composed of ex-auditors from top 5 auditing firms. It boasts a clean, no-fuss home page, and has audited projects like AllianceBlock, DiamondHand, and… Iron Finance.

Wait, Iron Finance, the project that imploded and lost over $2 billion? Yup, that Iron Finance. Even though Omniscia audited the project, it wasn’t entirely Omniscia’s fault, as the collapse was driven by bad tokenomics.

However, they still did not identify the core protocol’s weakness.

Overall, Omniscia’s reports are detailed and thorough, broken up into automatic scanning, manual review and code style segments. They use tools like Slither, Surya, and Echidna to review projects’ code.

The scope of the audit is clearly indicated at the beginning and recommendations are followed by the alleviations conducted by the developer.

Pros:
  • Thorough reports with both automatic scanning and manual line-by-line code review

Cons:
  • Accepts GitHub-hosted source code
  • Team is not doxxed and their credentials are unverified

Final Rating: 7.5 / 10

Solidity Finance

Solidity Finance is an auditing company whose process forgoes automatic scanning for manual line-by-line code review and simulation testing. 

In addition to accepting GitHub-hosted source code, Solidity Finance’s FAQ indicates that they generally do not require KYC from their clients. This, combined with the fact that not all reports are available for public perusal, may be a point of concern.

Furthermore, the reports themselves are less thorough than others, lacking the clearly defined “recommendations” and “alleviations” sections usually seen in the reports from the most well-regarded auditing firms.

Pros:
  • Manual line-by-line code review
  • Runs simulations to test for security vulnerabilities

Cons:
  • Accepts GitHub-hosted source code
  • Sparse audit reports lacking in detail
  • Team is not doxxed and their credentials are unknown

Final Rating: 6.5 / 10

Trail of Bits

Founded in 2012, Trail of Bits is a veteran in the security space, auditing projects such as Curve Finance, C.R.E.A.M, and Frax Finance. In addition to smart contract auditing and other security review services, it creates security products and tools and publishes academic research.

Notably, Trail of Bits is the developer of Slither, perhaps the most widely-used automatic scanning tool in smart contract auditing.

Their reports are thorough and detailed, but apparently not updated with the developers’ fixes. In addition, publicized drama between Trail of Bits and one of their clients, Hegic, showed that their process for determining the amount of effort and time assigned to each engagement can lead to misunderstandings with devastating consequences.

Excerpt from Trail of Bits’ audit of Curve DAO
Pros:
  • Developed Slither, a widely-used tool for automated smart contract review
  • Publishes research in the security field

Cons:
  • Arbitrary levels of effort assigned to each project (full audit or review?), leading to mishaps
  • Not all audit reports are available

Final Rating: 8.5 / 10

PeckShield

Comprised of a team of security experts and researchers from top tech companies, PeckShield is a Chinese auditing firm with a legitimate corporate flair and the venture capital backing to boot. 

Its audit reports are incredibly comprehensive and technical, making it clear why it’s considered an industry leader and a recommended vendor by Etherscan.io. 

Outside of its auditing services, PeckShield is also a mainstay on the Ethereum Bounty Program leaderboard and regularly publishes high-quality research papers and root cause analyses of protocol exploits. 

Pros:
  • Comprehensive and technical audit reports
  • Industry leader with venture capital funding
  • Team is comprised of senior security experts and researchers from top tech companies

Cons:
  • Some audit reports are only available in Chinese

Final Rating: 9 / 10

Bonus: DiffChecker

OK, I had to include this one in the list.

If you’ve been in RugDoc long enough, you’ll know that it all started with a nifty tool called DiffChecker.

By effortlessly scanning through and comparing two different documents, DiffChecker is the easiest way to make sure that a deployed contract is the same as the privately audited one. 

And while we still use this tool today, a scan we run before adding a project to our growing farms list is NOT a true audit.
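Here is what that comparison looks like in code, as an added Python example that is not RugDoc’s DiffChecker (whose implementation this page does not describe). It strips comments and whitespace from two Solidity sources, produces a unified diff, and lists the functions that appear only in the deployed version, since an added function is the thing that should stop you in your tracks. Both contract sources are constructed for the example; the added setMigrator/migrate pair mirrors the migrator pattern discussed under CertiK above.

```python
"""Diff an audited Solidity source against the source verified on-chain.

Added example (not RugDoc's DiffChecker). Comments and whitespace are stripped
before diffing so cosmetic edits cannot bury the one added function that matters.
The two contract sources are constructed for this example.
"""
import difflib
import re

_FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")


def normalize(source: str) -> list[str]:
    """Drop block and line comments, collapse whitespace, return non-empty lines."""
    no_block = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    no_line = re.sub(r"//[^\n]*", "", no_block)
    lines = []
    for raw in no_line.splitlines():
        line = " ".join(raw.split())
        if line:
            lines.append(line)
    return lines


def source_diff(audited: str, deployed: str) -> list[str]:
    """Unified diff of the normalized sources (an empty list means identical)."""
    return list(difflib.unified_diff(normalize(audited), normalize(deployed),
                                     fromfile="audited", tofile="deployed", lineterm=""))


def functions_in(source: str) -> set[str]:
    """Names of all functions declared in the (normalized) source."""
    return set(_FUNC_RE.findall("\n".join(normalize(source))))


def added_functions(audited: str, deployed: str) -> list[str]:
    """Functions that exist in the deployed source but were never audited."""
    return sorted(functions_in(deployed) - functions_in(audited))


# Constructed sample: the staking contract as it was audited ...
AUDITED_SRC = """
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Farm {
    mapping(address => uint256) public staked;

    function deposit(uint256 amount) external {
        staked[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient");
        staked[msg.sender] -= amount;
    }
}
"""

# ... and what was actually deployed: the same logic plus a migrator that can
# move every staker's balance to an arbitrary contract chosen by the owner.
DEPLOYED_SRC = """
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Farm {
    mapping(address => uint256) public staked;
    address public migrator;   // not present in the audited build

    function deposit(uint256 amount) external {
        staked[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient");
        staked[msg.sender] -= amount;
    }

    function setMigrator(address m) external { migrator = m; }

    function migrate(address token) external { /* hands the whole balance to migrator */ }
}
"""

if __name__ == "__main__":
    print("\n".join(source_diff(AUDITED_SRC, DEPLOYED_SRC)))
    print("functions never audited:", added_functions(AUDITED_SRC, DEPLOYED_SRC))  # ['migrate', 'setMigrator']
```

Feed it the source from the audited commit and the source verified on the block explorer; an empty diff and an empty added-functions list is what “the deployed contract matches the audited one” should mean, and anything else deserves a line-by-line read before you deposit.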

What is The Difference Between a Review And an Audit?

A review is an examination of a project’s code with the goal of identifying possible malicious intent on the developer’s end, while an audit is a more thorough analysis of the code with the main goal of securing it from external attacks.

Here at RugDoc, we ONLY do reviews:

  • We do not analyze their tokenomics.
  • We do not check in with the developers to make sure they use their deposit fees properly.

We simply review each line of code to see if there is any particularly malicious code.

This does NOT mean a farm we label as “Low Risk” cannot steal your funds. It simply means that we have evaluated the code and that it is highly unlikely it can steal 100% of all underlying assets from everyone in the project at once.

That’s it!

To find out more about our risk ratings, head on over to our home page and click on “Free Money”* (*not actually free money, duh).

What About Bug Bounty Programs?

A bug bounty program is when a cryptocurrency project or company offers a reward (usually monetary) in exchange for finding bugs or potential exploits in their code. Bug bounties benefit users because they can offer large rewards to researchers, such as Balancer Labs offering 1,000 ETH as the top prize.

While bug bounty programs can definitely offer more security for projects, Hacken found that only 16.6% of projects actually had an active bug bounty program at their time of investigation.

In short, most projects don’t have bug bounties… and many don’t even care.

Bug bounty platforms do exist, but there are far fewer of them than auditing companies. One popular one is HackenProof:

HackenProof’s website, a crowdsourced cybersecurity testing platform and one of the bug bounty programs available

What About Timelocks?

A timelock is a contract (or a piece of contract code) that delays privileged actions such as changing parameters or upgrading logic by a set period, so users get warning before a change takes effect. Timelocks can help prevent rugs… but only if malicious code isn’t already present in the smart contract, since a timelock does nothing about a function the developers can already call today.

How do timelocks work? And how much time do you have before a contract can be modified? Learn more in this article here: Timelocks Explained

Conclusion

And there you have it! 

Remember, the key takeaway is that just because a project has been audited (and even by the most reputable firm) doesn’t mean that it’s 100% safe. 

That said, there are definitely things you can look out for to help you err on the side of caution. 

Hopefully, this article gave you the insight necessary to help make your farming journey just a little safer!


🟢 For owners who have made impactful changes and would like an update to their farm review:

1️⃣ Use #update at @RugDocChat with your description and proof of changes and it will be forwarded to our scanners.

2️⃣ This does not guarantee a change in your review.

3️⃣ Owners who have difficulty solving the issues can consider our Consultation Package – please contact @BaymaxCrypto on Telegram to discuss.

Our mission here at RugDoc is to screen for hard rug code that results in 100% theft of ALL underlying funds for ALL participants.

This is the ONE part of the due diligence process that most people cannot simply do on their own as it costs thousands of dollars to hire a senior solidity developer to look over a farm for safety.

A project coin with terrible code can go up in price, and a project with good code and a good team can also go down in price.

Do NOT use our ratings to refer to your likelihood in making money if you invest in the project. They are ONLY in reference to code safety.

Everything else beyond code safety is YOUR responsibility to go do research on. We just make sure the casino you’re betting in won’t rob you before you even get to place a bet.

Our reviews for projects are organized into a few colors.

🟢 Least Risk
These projects are the least likely to hard or soft rug. Usually reserved for cornerstone projects of an ecosystem where it makes no financial sense for them to rug in any manner as they make more money just being legit.

🔵 Low Risk
These projects are usually established projects in an ecosystem that have a track record of success or have KYC’d to us or other authoritative sources in the real world. As a result, it is extremely unlikely for them to soft rug or hard rug their projects. The projects can still fail and the token price can go down, but usually more as a result of natural market forces.

⚪️ Some Risk
This is the default rating for projects with unknown teams but have code that is unlikely to have hard rug risk. Since the team is unknown and doesn’t have a track record of success, it’s entirely possible that they may try to soft rug by dumping tokens, abandoning the project, etc. Even a last minute contract swap to a malicious contract is possible. The only thing that is unlikely is a complete hard rug as long as you are 100% sure you deposit into the contract we review.

🟠 Medium Risk
Similar to Some Risk, but the underlying code itself is custom enough or complex enough that it warrants an elevated risk rating that needs deeper research. Make sure you read every point presented to make sure you’re comfortable with that before entering. Still unlikely to hard rug, but more chances of custom code behaving incorrectly and causing other issues.

🔴 High Risk
Project contains code or practices that are HIGHLY LIKELY to lead to catastrophic losses as they are right now. Make sure you read the description carefully as we will always warn what these issues are. If you see the words Hard Rug anywhere in the review, STAY FAR AWAY!

⚫️ Not Eligible
We reserve the right to not review exceedingly complex projects that would require tens of thousands of dollars of senior security analyst man hours. Typically these are projects that deal with leverage, lending, options, derivatives, and anything that is overly complex and which requires tons of peer reviews and audits from top audit companies.