Watching Watchmen: Meet smart contract auditors
Smart contracts are the heart of the Ethereum blockchain. Every dApp we engage with contains a smart contract created to dictate how it works at the most basic level. It is safe to say we should expect smart contract creators to produce sound and stable smart contracts. But the proverb "trust but verify" exists for a reason. Smart contract auditors are the independent verification mechanism for determining whether the intentions and goals of the contract's creator were faithfully rendered into the code that runs on the blockchain. This verification is essential. Because of this importance, we want to shed some light on the organizations doing the audits to verify the integrity of the smart contracts powering the Ethereum blockchain.
Our report details a list of 13 smart contract auditing firms. It includes our analysis of 149 publicly available smart contract audits to visualize the scope and size of audits by these particular companies. From this data, we have focused on what we see as the key metrics to consider when choosing a smart contract auditor:
- Size and seniority of the company as determined by the number of audits performed in the last 2 years
- Total token valuation of token audits conducted
- Total amount of Ether passing through the audited contracts
- Number of distinct addresses that have interacted with the audited contracts
- Ratio of token-related audits to all other audits to see the degree of token-only audit activity
See further below for a detailed description of our methodology and the raw data we used.
This list is not ranked and is in alphabetical order only. Furthermore, SolidStamp does not endorse any particular auditor. The data below comes from publicly available information and should not be treated as investment or financial advice. Beyond quantitative data, it is important to consider qualitative metrics like the quality of work performed, individual auditor experience, and the specific scope of the audit you are commissioning.
Selected information about auditors on the list:
Chainsulting (https://chainsulting.de/) is a blockchain consulting company and leading blockchain expert in Germany. Services include smart contract development and audits, individual blockchain solutions, token sale advisory and cryptocurrency investments. Previous and current clients of Chainsulting come from countries such as Australia, the USA, Switzerland and Germany. The team includes blockchain developers, financial experts and experienced project managers.
CoinFabrik (https://www.coinfabrik.com) is a blockchain development company specialized in smart contract coding and security audits. Their prime objective is to provide safe and clean smart contract code to customers worldwide. They audited important ICOs such as Status.im, Patientory and Mona.co, and participated in writing the smart contract code for successful ICOs which were able to raise millions of dollars. The company currently has 40 employees and has been growing at a fast pace over the past 2 years.
Consensys Diligence (https://consensys.net/diligence/) is the arm of Consensys dedicated to performing audits, building security tools and promoting best practices in the Ethereum ecosystem.
Cure53 (https://cure53.de/) believes in providing consulting of the highest quality, guided by a main goal of fostering the development of efficient solutions to real-life technical problems rather than investing in sales and marketing of the presumably “impenetrable” devices. This gives Cure53 a unique position in the information security field and underlines our motto: Fine penetration tests for fine websites.
Hosho (https://hosho.io/) is the blockchain security company. They offer a smart contract auditing service ensuring code behaves as intended. Hosho was founded in 2017 and is based in Las Vegas, NV.
iosiro (https://www.iosiro.com/) is a specialist blockchain security company based in South Africa. iosiro’s mission is to help companies entering the blockchain space do so safely and securely by securing both on-chain and off-chain systems. They offer penetration testing services, smart contract auditing as well as anti-phishing services to companies in the space all over the world and contribute to a number of open source security projects in the space. Their anti-phishing service protects some of the largest decentralised exchanges in the space, and their smart contract audits have secured millions of dollars raised during crowdfunds.
New Alchemy (https://newalchemy.io/) is a strategy and technology advisory group specializing in tokenization on the blockchain. They offer a full spectrum of guidance from tactical technical execution to high-level theoretical modeling. New Alchemy provides technology, token game theory, smart contracts, security audits, and ICO advisory.
Sigma Prime (https://sigmaprime.io/) is a team of researchers, developers and security professionals working in the blockchain and cybersecurity space.
SmartDec (https://smartdec.net/) can analyze applications in high- and low-level languages. They develop software and provide smart contract security audits.
Solidified (https://solidified.io/) launched in early 2017 and has established itself as the #1 full-audit service for smart contracts. Having helped secure companies such as Gnosis, Polymath, Bankera, Melonport and more than 50 others, Solidified has established itself as the leader for high-quality technical audits on Ethereum. With 200+ Solidity experts and more than 85M EUR secured, Solidified has the largest verified community of auditors, its own dedicated bug bounty platform and incorporates all stages of technical due diligence to bulletproof smart contracts.
Trail of Bits (https://www.trailofbits.com) has, since 2012, helped secure many organizations and products. They combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.
Zero Knowledge Labs (http://zklabs.io/) provides smart contract development and auditing services for projects built on the Ethereum platform, as well as general crypto protocol design and consulting.
Zeppelin (https://zeppelin.solutions/) builds infrastructure to develop and operate smart contract systems. They also conduct security audits of decentralized applications.
Our methodology and raw data
Our report is based on 149 smart contract audits we found on the Internet. We only considered audits that had a clear indication of client-side commissioning. Audit dates come either from the audit report, where indicated, or, lacking this, from the GitHub commit date. The totals for number of public audits, number of 2017 audits and number of 2018 audits are direct sums of all audits performed, broken down by year.
We called the symbol(), totalSupply() and decimals() functions of each token contract to determine its symbol, total supply and decimal precision. Each token symbol was plugged into CoinAPI to download the latest token price in terms of Eth. For tokens listed on multiple exchanges, we used the mean price.
Token valuation equals the average price multiplied by total supply. Note: Total Token Value [Eth] is a sum of the valuation of all the audited tokens.
We calculated turnover for each audited address (both token and non-token), i.e., how much ether was sent to each audited contract. Note: Total Contract Turnover [Eth] is the sum of turnover for all the audited addresses.
For each audited address, token and non-token alike, we counted how many addresses (ordinary addresses only, not contract ones) interacted with the audited contract by sending Ether to it or calling one of its functions. Note: Number of Addresses using the Contract is the sum, over all the audited addresses, of the number of interacting addresses.
Dividing the number of token-related audits by the total number of audits performed by each auditor gives the % of Token Audits.
We contacted every auditor listed seven days in advance of publishing this report. We shared our findings and asked for further review and verification. Any comments or statements shared were done so with the express permission of the comment's author.
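The four metric calculations above (token valuation, contract turnover, interacting addresses and % of Token Audits), written out as an added example over constructed sample data. This is not SolidStamp's own tooling: the class and function names are ours, the token fields stand in for what the ERC-20 symbol(), totalSupply() and decimals() calls return, the Ether prices stand in for what a price API would return, and the transactions are invented. The one detail the prose leaves implicit and the code makes explicit is that totalSupply() reports base units, so the supply has to be divided by 10**decimals before multiplying by the price; the Ether columns likewise need the wei to Eth conversion.

```python
"""Metric calculations from the methodology section, over constructed data.
Example code added to the report; not SolidStamp's data pipeline."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Set

WEI_PER_ETH = Decimal(10) ** 18


@dataclass(frozen=True)
class TokenInfo:
    """Mirrors the ERC-20 view functions: symbol(), totalSupply(), decimals().
    totalSupply() is returned in base units and must be scaled by 10**decimals."""
    symbol: str
    total_supply_raw: int
    decimals: int


@dataclass(frozen=True)
class Interaction:
    """One transaction (Ether transfer or function call) sent to a contract.
    sender_is_contract lets us apply the report's 'ordinary addresses only' rule."""
    sender: str
    to: str
    value_wei: int
    sender_is_contract: bool = False


def token_valuation_eth(token: TokenInfo, exchange_prices_eth: Iterable[Decimal]) -> Decimal:
    """Mean price across exchanges times the decimals-scaled total supply."""
    prices = list(exchange_prices_eth)
    if not prices:
        raise ValueError(f"no price data for {token.symbol}")
    mean_price = sum(prices) / len(prices)
    supply = Decimal(token.total_supply_raw) / (Decimal(10) ** token.decimals)
    return mean_price * supply


def contract_turnover_eth(audited: str, txs: Iterable[Interaction]) -> Decimal:
    """Total Ether sent to the audited address, in Eth."""
    wei = sum(tx.value_wei for tx in txs if tx.to == audited)
    return Decimal(wei) / WEI_PER_ETH


def interacting_addresses(audited: str, txs: Iterable[Interaction]) -> Set[str]:
    """Distinct ordinary (non-contract) senders that paid or called the contract.
    A zero-value function call still counts as an interaction."""
    return {tx.sender for tx in txs if tx.to == audited and not tx.sender_is_contract}


def token_audit_percentage(audit_is_token: Iterable[bool]) -> float:
    """% of Token Audits: token-related audits over all audits by one auditor."""
    flags = list(audit_is_token)
    if not flags:
        return 0.0
    return 100.0 * sum(flags) / len(flags)


# Constructed sample data (hypothetical token, prices, addresses and transactions).
SAMPLE_TOKEN = TokenInfo(symbol="XMPL", total_supply_raw=1_000_000 * 10**18, decimals=18)
SAMPLE_PRICES = [Decimal("0.002"), Decimal("0.003")]  # two exchanges, in Eth per token
AUDITED = "0xAUDITED_CONTRACT"
SAMPLE_TXS = [
    Interaction("0xEOA_A", AUDITED, 1 * 10**18),
    Interaction("0xEOA_B", AUDITED, 5 * 10**17),
    Interaction("0xEOA_B", AUDITED, 0),                    # repeat sender, counted once
    Interaction("0xEOA_D", AUDITED, 0),                    # function call, no value
    Interaction("0xCONTRACT_C", AUDITED, 2 * 10**18, True),  # contract sender: excluded
    Interaction("0xEOA_A", "0xOTHER_CONTRACT", 9 * 10**18),  # not an audited address
]
SAMPLE_AUDIT_FLAGS = [True, True, True, False]  # 3 token audits out of 4

if __name__ == "__main__":
    print("Token Value [Eth]:", token_valuation_eth(SAMPLE_TOKEN, SAMPLE_PRICES))
    print("Turnover [Eth]:", contract_turnover_eth(AUDITED, SAMPLE_TXS))
    print("Addresses:", len(interacting_addresses(AUDITED, SAMPLE_TXS)))
    print("% Token Audits:", token_audit_percentage(SAMPLE_AUDIT_FLAGS))
```

Run as a script it prints the four figures for the sample data; with real inputs the token fields would come from eth_call against each token contract and the transactions from an archive node or block explorer. The turnover figure deliberately includes Ether sent by contracts (turnover measures money, not senders), while the address count excludes them, matching the two rules as the report states them.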
All raw data used in our analysis is available here.
This is the first edition of our report and we made every effort to ensure the accuracy and validity of any data published here. However, there is always room for improvement. Please contact us if you believe we have made an error or you would like us to include additional data in future editions.
Matthew Di Ferrante, founder of ZKLabs — a smart contract auditing company listed in this report — is an advisor to SolidStamp. He did not influence the report content.
The report makes no warranties or claims regarding the accuracy, quality or performance of particular smart contract auditors and the smart contracts audited. The results of this report should not be treated or considered as investment advice.
SolidStamp connects smart contract users and security auditors to ensure the safety of their ethers and tokens. We maintain an on-chain database of smart contract audits so you can be sure you are investing your funds securely. SolidStamp allows you to hire top-notch security specialists to audit the contract you plan to use to confirm their authenticity and security.
An auditor’s SolidStamp account does not factor into a listing on the report.