Watching Watchmen: Meet smart contract auditors
Smart contracts are the heart of the Ethereum blockchain. Every dApp we engage with is built on a smart contract that dictates how it works at the most basic level. It is reasonable to expect smart contract creators to produce sound and stable contracts, but the proverb "trust but verify" exists for a reason. Smart contract auditors are the independent verification mechanism that determines whether the intentions and goals of the contract's creator were faithfully rendered into the language of the blockchain. This verification is essential, so we want to shed some light on the organizations doing the audits that verify the integrity of the smart contracts powering the Ethereum blockchain.
Our report details a list of 17 smart contract auditing firms. It includes our analysis of 197 publicly available smart contract audits to visualize the scope and size of audits by these particular companies. From this data, we have focused on what we see as the key metrics to consider when choosing a smart contract auditor:
- Size and seniority of the company, as measured by the number of public audits performed in the last two years
- Total amount of Ether passing through the audited contracts
- Number of distinct addresses that have interacted with the audited contracts
- Total token valuation of token audits conducted
- Number of distinct addresses holding the audited tokens
- Share of token-related audits among all public audits, to see the degree of token-only audit activity
See further below for a detailed description of our methodology and the raw data we used. Click here for the previous edition of the report.
This list is not ranked and is in alphabetical order only. Furthermore, SolidStamp does not endorse any particular auditor. The data below comes from publicly available information and should not be treated as investment or financial advice. Beyond quantitative data, it is important to consider qualitative metrics like the quality of work performed, individual auditor experience, and the specific scope of the audit you are commissioning.
Selected information about auditors on the list:
Authio (https://authio.org) is a blockchain consulting firm offering a range of services to bring a project from whiteboard to production. Authio’s method is to focus heavily on internal R&D as a means to understand the rapidly evolving ecosystem and always offer the best possible solution to clients. Their services cover initial design consultation, development, and end-of-line audits.
Chainsecurity (https://chainsecurity.com) uses tools straight out of the research labs at ETH Zurich in Switzerland to validate the correctness of smart contracts and uncover vulnerabilities. A thorough expert audit focuses on defining an exact functional specification, proves that it holds using formal verification tools, and uncovers security, design and architecture issues in the analyzed code. Crypto projects rely on the detailed public audits by ChainSecurity to ensure top-grade security for their smart contracts and protocols.
Chainsulting (https://chainsulting.de/) is a blockchain consulting company in Germany providing smart contract development and audit, individual blockchain solutions, token sale advisory and cryptocurrency investments. Previous and current clients of Chainsulting come from countries such as Australia, USA, Switzerland and Germany. The team includes blockchain developers, financial experts and experienced project managers.
CoinFabrik (https://www.coinfabrik.com) is a blockchain development company specialized in smart contract coding and security audits. Their prime objective is to provide safe and clean smart contract code to customers worldwide. They audited important ICOs such as Status.im, Patientory and Mona.co, and participated in writing the smart contract code of successful ICOs that raised millions of dollars. The company currently has 40 employees and has been growing at a fast pace over the past two years.
Consensys Diligence (https://consensys.net/diligence/) is the arm of Consensys dedicated to performing audits, building security tools and promoting best practices in the Ethereum ecosystem.
Hosho (https://hosho.io/) is a blockchain security company. They offer a smart contract auditing service that ensures code behaves as intended. Founded in 2017 and based in Las Vegas, NV.
iosiro (https://www.iosiro.com/) is a specialist blockchain security company based in South Africa. iosiro’s mission is to help companies entering the blockchain space do so safely and securely by securing both on-chain and off-chain systems. They offer penetration testing services, smart contract auditing as well as anti-phishing services to companies in the space all over the world and contribute to a number of open source security projects in the space. Their anti-phishing service protects some of the largest decentralised exchanges in the space, and their smart contract audits have secured millions of dollars raised during crowdfunds.
New Alchemy (https://newalchemy.io/) is a strategy and technology advisory group specializing in tokenization on the blockchain. They offer a full spectrum of guidance from tactical technical execution to high-level theoretical modeling. New Alchemy provides technology, token game theory, smart contracts, security audits, and ICO advisory.
Nomic Labs (https://nomiclabs.io/) helps early-stage blockchain projects launch and secure their offering by designing, building and auditing decentralized systems.
Quantstamp (https://quantstamp.com/) helps to secure blockchain applications such as smart contracts. Quantstamp is developing a new protocol for smart contract verification, performing professional audits and consultations, and developing security tools. Quantstamp also has expertise in application security and secure software development.
Sigma Prime (https://sigmaprime.io/) is a team of researchers, developers and security professionals working in the blockchain and cybersecurity space.
SmartDec (https://smartdec.net/) can analyze applications written in both high-level and low-level languages. They develop software and provide smart contract security audits.
SoHo Token Labs (https://sohotokenlabs.com/) is building developer tools for smart contracts. This is a multi-billion dollar market that will be unlocked by STL’s software (by addressing the issues that prevent smart contract usage from mainstreaming). Elissa Shevinsky, CEO launched Everyday Health (IPO), Geekcorps (acquired) and more recently was Head of Product at Brave.
Solidified (https://solidified.io/) launched in early 2017 and has established itself as the #1 full-audit service for smart contracts. Having helped secure companies such as Gnosis, Polymath, Bankera, Melonport and more than 50 others, Solidified has established itself as the leader for high-quality technical audits on Ethereum. With 200+ Solidity experts and more than 85M EUR secured, Solidified has the largest verified community of auditors, its own dedicated bug bounty platform and incorporates all stages of technical due diligence to bulletproof smart contracts.
Trail of Bits (https://www.trailofbits.com) since 2012, has helped secure many organizations and products. They combine high-end security research with a real world attacker mentality to reduce risk and fortify code.
Zero Knowledge Labs (http://zklabs.io/) provides smart contract development and auditing services for projects built on the Ethereum platform, as well as general crypto protocol design and consulting.
Zeppelin (https://zeppelin.solutions/) builds infrastructure to develop and operate smart contract systems. They also conduct security audits of decentralized applications.
Our methodology and raw data
Our report is based on 197 smart contract audits listed by the auditors on SolidStamp or found on the Internet. We only considered audits that had a clear indication of client-side commissioning. Audit dates come from the audit report where indicated or, lacking this, from the GitHub commit date. The totals for number of public audits, number of 2017 audits and number of 2018 audits are direct sums of all audits performed, broken down by year.
We called the symbol(), totalSupply() and decimals() functions on each token contract to determine its symbol, total supply and decimal precision. Each token symbol was plugged into CoinAPI to download the latest token price in terms of Eth. For tokens listed on multiple exchanges, we used the mean price.
Token valuation equals the average price multiplied by total supply. Note: Total Token Value [Eth] is a sum of the valuation of all the audited tokens.
We calculated turnover for each audited address (both token and not-token) i.e. how much Ether was sent to and from each audited contract. Note: Total Contract Turnover [Eth] is the sum of turnover for all the audited addresses.
For both token and non-token audited addresses, we calculated how many addresses (both regular addresses and contracts) interacted with the audited contract, either by sending Ether to it or by calling one of its functions. Note: Number of Addresses using the Contract is the sum of the interacting addresses for all the audited addresses.
For tokens, we calculated how many addresses (both regular addresses and contracts) currently hold the audited token. Note: Number of Token Holders is the sum of the distinct addresses holding all the audited tokens.
Dividing the number of token related audits by the total number of public audits performed by each auditor provides the % of Token Audits.
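The metrics described above, computed end to end on constructed sample data. This is an added illustration and not SolidStamp's own tooling; the token contracts, addresses and transactions are hypothetical labels, and the numbers returned by totalSupply() are scaled by 10^decimals before being multiplied by the price, since totalSupply() reports base units rather than whole tokens.

```python
"""Per-auditor metrics as defined in the methodology, on constructed data (added example)."""
from dataclasses import dataclass, field
from statistics import mean

WEI_PER_ETH = 10**18


@dataclass
class Token:
    symbol: str
    total_supply_raw: int            # value returned by totalSupply(), in base units
    decimals: int                    # value returned by decimals()
    prices_eth: list                 # one quote per exchange, in Eth per whole token
    balances: dict = field(default_factory=dict)  # holder address -> raw balance


@dataclass
class Tx:
    sender: str
    to: str
    value_wei: int                   # 0 for a plain function call that carries no Ether


def token_valuation_eth(token):
    """Mean exchange price x total supply, with the supply scaled to whole tokens."""
    whole_supply = token.total_supply_raw / 10**token.decimals
    return mean(token.prices_eth) * whole_supply


def turnover_eth(address, txs):
    """Ether sent to and from the audited address, in Eth."""
    return sum(tx.value_wei for tx in txs if address in (tx.sender, tx.to)) / WEI_PER_ETH


def interacting_addresses(address, txs):
    """Distinct counterparties that sent Ether to or called the audited address."""
    users = set()
    for tx in txs:
        if tx.to == address:
            users.add(tx.sender)
        elif tx.sender == address:
            users.add(tx.to)
    return users


def holder_count(token):
    """Addresses with a non-zero balance of the token."""
    return sum(1 for bal in token.balances.values() if bal > 0)


def auditor_metrics(auditor, audits, tokens, txs):
    """Aggregate per auditor exactly as the report does: sums over audited addresses."""
    mine = [a for a in audits if a["auditor"] == auditor]
    token_audits = [a for a in mine if a["kind"] == "token"]
    return {
        "public_audits": len(mine),
        "total_token_value_eth": sum(token_valuation_eth(tokens[a["target"]]) for a in token_audits),
        "total_contract_turnover_eth": sum(turnover_eth(a["target"], txs) for a in mine),
        "addresses_using_contracts": sum(len(interacting_addresses(a["target"], txs)) for a in mine),
        "token_holders": sum(holder_count(tokens[a["target"]]) for a in token_audits),
        "pct_token_audits": 100.0 * len(token_audits) / len(mine) if mine else 0.0,
    }


# Constructed sample data (hypothetical labels, not real contracts or addresses).
TOKENS = {
    "0xtokenA": Token("AAA", 1_000_000 * 10**18, 18, [0.002, 0.0025],
                      balances={"0xalice": 10 * 10**18, "0xbob": 0, "0xcarol": 5 * 10**18}),
    "0xtokenB": Token("BBB", 500_000 * 10**6, 6, [0.01],
                      balances={"0xdave": 1 * 10**6}),
}
TXS = [
    Tx("0xalice", "0xtokenA", 0),                 # transfer() call, no Ether attached
    Tx("0xbob", "0xcrowdsale", 3 * 10**18),
    Tx("0xcrowdsale", "0xbeneficiary", 2 * 10**18),
    Tx("0xbob", "0xcrowdsale", 1 * 10**18),       # repeat sender: still one distinct address
]
AUDITS = [
    {"auditor": "ExampleAudit", "target": "0xtokenA", "kind": "token"},
    {"auditor": "ExampleAudit", "target": "0xcrowdsale", "kind": "contract"},
    {"auditor": "ExampleAudit", "target": "0xtokenB", "kind": "token"},
]


def example_metrics():
    return auditor_metrics("ExampleAudit", AUDITS, TOKENS, TXS)


if __name__ == "__main__":
    for name, value in example_metrics().items():
        print(f"{name}: {value}")
```

The per-contract counts are summed rather than unioned across an auditor's contracts, matching the report's notes; an address that uses two audited contracts is therefore counted twice in "Number of Addresses using the Contract".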
We contacted every auditor listed at least seven days before publishing this report, shared our findings and asked for further review and verification. Any comments or statements shared were published with the express permission of their author.
All raw data used in our analysis is available here.
This is the second edition of our report and we made every effort to ensure the accuracy and validity of any data published here. However, there is always room for improvement. Please contact us if you believe we have made an error or you would like us to include additional data in future editions.
Matthew Di Ferrante, founder of Zero Knowledge Labs — a smart contract auditing company listed in this report — is an advisor to SolidStamp. He did not influence the report content.
The report makes no warranties or claims regarding the accuracy, quality or performance of particular smart contract auditors and the smart contracts audited. The results of this report should not be treated or considered as investment advice.
SolidStamp connects smart contract users and security auditors to ensure the safety of their Ether and tokens. We maintain an on-chain database of smart contract audits so you can be sure you are investing your funds securely. SolidStamp allows you to hire top-notch security specialists to audit the contract you plan to use and confirm its authenticity and security.
An auditor’s SolidStamp account does not factor into a listing on the report.