Many Eyes on the Prize: Decentralized smart contract audits are here to stay

We’ll explain how decentralized smart contract audits work and why they will become an integral part of web3 security, complementing traditional audits.

brainbot
11 min readMar 29, 2023
Photo by charlesdeluvio on Unsplash

Smart contract security is crucial and should not be compromised. Recent exploits painfully disclosed the consequences of neglected security measures and lifted demand for smart contract audits onto another level. While traditional audit firms still dominate the market, the concept of ‘decentralized smart contract audits’ has caught up quickly in recent months. The concept reclaims long-established values of the crypto community like decentralization and transparency.

In this article we explain the idea, the process, the appeal, the trade-offs, and the impact of platforms enabling decentralized audits. In conclusion, we suggest a hybrid approach to increase smart contract security.

The idea

This article aims to take a peek at the future of smart contract audits. Before getting there, let’s take a detailed look at the phenomenon of ‘decentralized audits’.

The concept came up in early 2021. It is based on permissionless platforms that enable developer teams to reward others for reviewing their code. This embraces the idea that skilled people all around the globe should be able to join forces to audit code. The approach enhances the security of decentralized applications by leveraging swarm intelligence. It does so without requiring contributors to work for a dedicated smart contract audit firm. Hence the term ‘decentralized audits’.

Demand for audits surged when cryptocurrency rallies led to drastic increases in the value locked in smart contracts. These open audit platforms meet the increased demand by enabling contributors to earn additional income. They can independently submit their findings to audits, either in their free time or even full-time.

The process

The key feature of these decentralized audit platforms is their openness. They allow anyone to register as an auditor — anonymously and without any kind of skills assessment — all within just a few minutes. If contributors decide to participate in a certain audit, they get access to the code to be audited and can start right away to submit tickets for each vulnerability they find.

Each audit is conducted in contest format. Findings are submitted in tickets — privately and only disclosed to the public once the contest is over. Each ticket contains information on the detected vulnerability, potential consequences, a severity rating and a possible mitigation measure.

Each audit contest runs for a predefined number of days. After the deadline, all findings are collected and evaluated. The evaluation process is conducted by senior members of the platform. Depending on the platform and the audit scope, the process is also supported by other contributors, since (especially for large audit scopes) the number of submitted findings can reach several hundred.

Once the preliminary results are published, a challenge period starts, in which auditors can raise disputes. Disputes are often raised if auditors feel that submissions have not been rated correctly, which in turn could affect their rewards. Following this period, the final results are published and an audit report is compiled. Auditors are then rewarded for their contributions with a payout and, if applicable, ranking points.

“Decentralized audits are ideal also for digital nomads.”

Photo by Jefferson Santos on Unsplash

In combination with low entry barriers, the convenience of the auditing process explains why the concept is so attractive for developers and security researchers alike. Accounts on the respective platforms are usually linked to public keys on Ethereum. Contributors also need a Discord account as well as a GitHub account. Besides that, no further resources or investments are required. This also makes it ideal for digital nomads.

The appeal

Now let’s take a step back to understand why decentralized audits have gained so much popularity over the last year — for developers and smart contract security researchers.

The most obvious aspect is the financial side of smart contract security. As demand for smart contract audits skyrocketed, daily rates for auditors at well-renowned auditing companies saw strong hikes. The total cost of a smart contract audit depends on the daily rates of the auditors and the time they require to conduct the audit. The latter depends on the length and complexity of the code. Usually, the code is audited independently by at least two auditors to maintain the four-eyes principle. With daily rates of up to US$5k per auditor, audits tend to become expensive very quickly. If a large number of issues needs to be resolved, auditors may also request additional time. While this is usually worth it, as these auditors have extensive experience, it is often tough to afford for smaller or nascent projects.

Contributing to their appeal is the fact that decentralized audits use a different approach compared to ‘traditional’ audits. On the platform, the requesting development team provides a contest reward pool with a fixed amount of money that is distributed to auditors for submitting issues and to the platform for reviewing submissions and creating the final audit report. Through this approach, companies can have more auditors look at the code for lower cost.

Another aspect differentiating decentralized audits is less waiting time. Despite the high daily rates, most auditing companies were overwhelmed by the numerous audit requests they received during the spikes in 2022. In that time, some auditing firms accumulated backlogs of more than six months. Since many projects desire to get audited before releasing on mainnet, or simply feel the pressure from stakeholders to provide an audit report, time is very valuable. For cases like these, decentralized audits offer a great alternative, as almost no waiting time is necessary. Since all major platforms rely on a large pool of auditors, capacity is rarely a problem, allowing platforms to move quickly and start audits within less than a week.

“Decentralized audits come with the promise of embodying openness and transparency.”

Lastly, decentralized audits come with the promise of embodying openness and transparency. These are key values of web3 and decentralized systems. It may not be an important aspect to most, yet it is interesting to keep in mind, as the promise of security in decentralized systems originates from the full availability of information to all participants of the network. “Many eyes will win the prize” — also when it comes to audits.

In conclusion, decentralized audits are a strong alternative, especially when it comes to financial and time constraints.

The trade-offs

There’s no such thing as a free lunch — decentralized audits also come with some trade-offs.

First and foremost, quality is crucial when it comes to audits. High quality, however, is difficult to guarantee for decentralized audit platforms. They rely on the interest of their auditors to participate in each contest — auditors need to actively join each audit and cannot be forced to participate. That means that if a contest is not interesting enough for top auditors, the audit will be conducted by a large number of less experienced contributors. This does not necessarily mean that the quality of the report will suffer, especially since every audit has at least one senior member assigned. Yet, the likelihood that a severe issue is overlooked increases.

The quality of decentralized audits may also suffer because some auditors only cover selected parts of the smart contracts under audit. Especially for large projects, the workload of auditing the entire code base might be overwhelming for an individual. This increases the risk of overlooking vulnerabilities created by the complex interplay of several smart contracts.

Another downside is the effort required from the audited project. During ‘traditional’ audits, the development team of the project is required to provide assistance and to answer the auditors’ questions. This is often limited to one or two meetings during the audit process or a few messages. In decentralized audits, however, developers need to be active on the respective platforms most of the time. Since auditors work independently, questions are often asked multiple times, and as auditors on average are less experienced, more questions are asked in total.

The rather abstract concept of reputation also plays a role in audits. Simply put, you pay a premium to get your audit from a well-renowned auditing company as their audits are perceived to have a higher quality. Justified or not, this does matter to some. It also signals that your project is willing to invest big in security. Decentralized audits may not come with that reputational benefit.

The impact

Decentralized audits will be an integral part of the auditing landscape of the future. To be precise: Decentralized audits will conquer the niche of first-time audits. The reasoning is fairly simple.

Photo by Julian Böck on Unsplash

“Decentralized audits will conquer the niche of first-time audits.”

The share of top auditors working independently on decentralized audit platforms will continue to grow, increasing the overall quality of decentralized audits. Meanwhile, waiting times can be expected to stay comparably short. Growing reward pools will make decentralized audits more expensive, but they will stay at affordable levels. However, a reward increase will be required to keep audits interesting for top security researchers despite the constant inflow of new and less experienced auditors.

The combination of these developments is highly attractive for projects, yet we predict that decentralized audits will mainly be utilized as first-time audits. This is due to the different characteristics of ‘traditional’ and decentralized audits outlined above. Regular audits cover great depths and thus have a greater chance to find high severity vulnerabilities. Decentralized audits on the other hand tend to be “broader”: the sheer number of auditors will likely find a higher number of low and medium severity vulnerabilities. Considering that specifically in first-time audits there may be many smaller issues of lower severity, like gas optimization, this may lead to an auditing firm requesting additional time, while for decentralized audits these smaller issues may also be covered by the initial reward pool.

Nevertheless, many projects will continue to rely on the names and prestige of established auditing companies. This level of prestige is yet to be matched by decentralized audit platforms and may never be reached at all. Yet this does not do any harm to the general appeal of the concept.

The hybrid approach

Our advice to developer teams is to make use of a hybrid approach for audits:

  • Decentralized audit,
  • Traditional audit,
  • Bug bounty.

Ideally, a project should get at least two independent audit reports anyway. It is very practical to use a decentralized audit platform to conduct the first audit. At a later stage, we recommend a second audit by a different entity, preferably an experienced audit firm.

“The earlier security is made the top priority, the cheaper and easier the audit process will be.”

Regardless of audits, however, we recommend that you involve a dedicated security expert in your project as soon as possible. The earlier the security of a project is made the top priority, the cheaper and easier the audit process will be. This can be achieved, for example, by getting assistance in conceptualizing a secure smart contract architecture. You can find out more about our smart contract security-related efforts on our website.

The hybrid approach is rounded off by a bug bounty that incentivizes white hat hackers to continuously keep an eye on even the deployed ‘live’ instances of the project’s code.

The platforms

The current decentralized audit space is dominated by two platforms, Code4rena and Sherlock. This section will cover both of them as well as other players in the smart contract security space.

Decentralized Audit Platforms

The pioneer among decentralized audit platforms is undoubtedly Code4rena. They started in February 2021 by launching the audit of Elastic DAO as their first decentralized audit. Following this first shot, the platform took off and gained significant traction in April 2021, reaching over 100 active auditors by the end of the year and over 1,000 active auditors by March 2023. To date, Code4rena is the most important platform for decentralized audits. Its concept is the most original one: Companies provide a reward pool and anyone can participate. Auditors get scored based on their performance and can move up the leaderboard. They also offer private audits, in which only selected auditors can participate (useful for stealth startups or confidential projects).

The second biggest platform is Sherlock. Sherlock started only in August 2022, but quickly caught up to secure a top spot in the space. Sherlock mainly follows the original concept of decentralized audits as well, but only rewards auditors for medium and high severity vulnerabilities. Their overall approach, however, has a little twist: audited protocols have the opportunity to get insurance from Sherlock. This way, Sherlock has some “skin in the game”, which is probably the best incentive for them to strive for the highest possible quality of their audits.

Bug Bounty Platforms

Apart from audits, bug bounty platforms are another approach to securing smart contracts. Instead of competitions for a reward pool during a fixed period of time, bug bounty platforms enable projects to offer bug bounties to white hat hackers and auditors in exchange for reported vulnerabilities. Bug bounties are usually available for an unlimited time, and a fixed amount is paid per finding; there is no competition for a predefined pool of rewards.

From the perspective of projects, this has the advantage that bounties only have to be paid if a vulnerability is found. Furthermore, bug bounties incentivize individuals to disclose (randomly) found vulnerabilities to the project’s developer team instead of exploiting their finding. On the other hand, auditors are not as encouraged to audit the protocol, as bounties for small findings are often negligible and there are no contests with support from the development team of the respective project. To mitigate these disadvantages, bug bounties are often combined with audits, usually launching some time after the completion of the audit.

Relevant platforms to date are Immunefi, Saloon Finance and Bugcrowd.

Audit DAOs

Audit DAOs are a mix of regular auditing companies and decentralized audit platforms. The DAOs consist of several independent auditors who form a team to conduct an audit. Joining criteria for the DAOs ensure a high skill level among auditors, which allows them to take on requests in the manner of an auditing company while keeping a decentralized setup. Notable examples are Spearbit DAO and NinjAudit (NinjAudit was founded by high-ranking auditors on Code4rena and Sherlock).

Auditor Pooling Platforms

To date, only AuditOne uses this approach. Essentially, they work similarly to audit DAOs, except that they are not organized in a decentralized way.

What’s next?

This article summarizes the state of the decentralized security space, mainly from a developer team/project perspective.

In the near future, we will release a second article focused on auditors, including the process from the auditor’s perspective, a short introduction on how to start with decentralized audits and resources to improve your auditing skills.

Additionally, we will shortly start publishing a series of articles summarizing decentralized audit contests we participated in on HackMD.

brainbot

Creating the core building blocks that enable broad adoption of public blockchains with a focus on Ethereum.