Innovation & Technology

A deep look into burgeoning blockchain audit

• 6 mins read
Share link on Facebook
Share link on LinkedIn
Share link via Email
Copy link
smart contract audit, blockchain, crypto

A new study explores the emerging trend of smart contract audits and shows that in the realm of assurance, decentralised finance is proving its worth

Decentralised finance, or DeFi, emerged more than a decade ago alongside the rapid growth of cryptocurrencies as alternative investments. With no central authority, DeFi disrupts traditional financial systems and is a conduit for innovation. At the core of its disruptive power lie smart contracts on self-executing blockchains.

Similar to other financial products, DeFi is not immune to theft, which is caused by programming errors and incomplete contracts. In April 2023, for example, blockchain-based lending protocol 0VIX lost approximately US$2 million after hackers exploited technical faults to manipulate its token prices. To mitigate this risk, smart contract audits became popular.

smart contract audit, blockchain, crypto
Smart contract audits focus on the integrity and completeness of a piece of computer code as opposed to financial statements.

Unlike standard financial audits for public firms, smart contract audits focus on the integrity and completeness of a piece of computer code as opposed to financial statements. A new study by Janja Brendel, Assistant Professor of the School of Accountancy at the Chinese University of Hong Kong (CUHK) Business School, found that the smart contract audit market is thriving.

The study titled Decentralised finance (DeFi) asssurance: Early evidence, which was conducted in collaboration with Professor Thomas Bourveau at Columbia University and Professor Jordan Schoenfeld at the University of Utah, provides valuable insights into the smart contract audit market and the role of auditors in ensuring the security and reliability of DeFi ecosystems.

“We provide some of the first evidence showing that these audits are pervasive, with the audit firm market composed of new technical audit firms. The scope of these audits can span a variety of contract features, and the audit inputs and outputs differ substantively from those of conventional financial audits,” says Professor Brendel. “The market reacts positively to the release of these audit reports, suggesting that these reports are value-relevant.”

DeFi making deft inroads

For this seminal study, Professor Brendel and the team gathered a comprehensive sample of smart contract reports from January 2017 to the end of June 2023 from a smart contract scanner, De.Fi. The data showed that new blockchain assurance services have become a force to reckon with in the market in the past few years, as can be seen in the table. The “full sample” consists of 8,531 unique audit reports that delve into specific details. The “market sample” comprises 303 audit-venture events focusing on each DeFi project.

smart contract audit, blockchain, crypto

The audit market for smart contracts is composed of many new entrants. TechRate, the largest audit firm established in 2017, accounts for around 20 percent of the market share, followed by InterFi, founded in 2021, with more than 11 per cent and Certik, which was set up in 2018, with six per cent.

In terms of cost, the audit fee mostly depends on the length and complexity of the code. Audit firms with more expertise and experience can also charge more. TechRate and InterFi are widely considered to be low-cost, charging from US$250 and US$300 respectively, for a standard audit. As a comparison, Quantstamp, OpenZeppelin, and Trail of Bits label their services from US$5,000, and Hacken starts its fee at US$9,000.

These prices are justified for various reasons. The largest audit firms have conducted audits for more than thousands of projects with household names in the crypto world. Top-quality audit firms are found to provide more detailed reports, comprising team size, methods used, and days spent on the audit. These firms are also more likely to deploy audit teams of five or fewer, use a combination of manual and automatic processes about 88 per cent of the time, and conduct longer audits, as measured in days.

While these audits can identify vulnerabilities, programming errors, and deviations, audit firms do not provide a guarantee against data breaches, thefts, and hacks. Many smart contract audit firms even put legal disclaimers in their reports and advise clients to obtain third-party opinions, leaving some space for insurance to grow. For instance, Certik introduced a plan in 2023 to compensate its clients for any hack-related losses incurred after one of its audits, up to US$2 million.

Smart contract audit reports are used by DeFi service providers primarily to build trust with existing and prospective users of and investors in their services.

Professor Brendel Janja

Users can look at several factors to assess how good an audit firm’s reputation is. This includes checking portfolios and tracking records. If they have worked on large and high-profile projects that have not been compromised, it is a sign of reliability. Those seeking a smart contract audit should look at the firm’s previous projects with specific blockchains, as they may be more relevant to the project they are currently pursuing. The smart contract audit firm’s previous reports can also be examined for their level of detail or comprehensiveness.

Keeping on the right track

“Smart contracts play an increasingly important role in structuring and executing common DeFi financial transactions, such as loans and venture capital funding, with more than US$200 billion now locked in such contracts,” Professor Brendel explains. “Smart contract audit reports are used by DeFi service providers primarily to build trust with existing and prospective users of and investors in their services.”

smart contract audit, blockchain, crypto
The release of a smart contract audit report is found to result in a positive and statistically significant market-adjusted return.

Such assurance is important, perhaps due to its decentralised nature, which means smart contract audits are not mandated by legislation. Besides, blockchain projects have a chequered history, so it is inevitable that investors need reassurance that the security protocols are up to scratch and that the underlying code works. This allows investors to assess the overall trustworthiness of blockchain projects while mitigating the risks that cause loss of income and irreversible damage.

Smart contracts that are audited are often audited again when there is a significant update to the contract, not periodically every fiscal year like financial audits. There is no formal education or certification required to be an auditor, and the audits also do not need to follow a universal standard or guideline, which means that the audit process and output can differ significantly based on the auditors’ approach and methodologies in ways that financial auditors typically cannot.

In general, smart contract auditors normally apply automated bug detection software to scan smart contracts for potential vulnerabilities, then augment the procedures with line-by-line manual code review to ensure a thorough assessment. Furthermore, stress testing is also conducted to emulate different attacks that could threaten the system.


Can crypto spring reshape social lending?

Blockchain and crypto companies can decide whether to release the audit result after weighing the costs and benefits. However, the release of a smart contract audit report is found to result in a positive and statistically significant market-adjusted return of about a 10 per cent increase within the two days after the release. This is consistent with the longstanding proposition in accounting that audits serve as a mechanism to reduce information asymmetry and improve the functioning of capital markets.

With the proliferation of DeFi, assurance services within these new fields are becoming crucial to all fields of business for a number of reasons. Auditing is essential for adding credibility to information that is disclosed, which in turn helps increase trust with users and investors and ultimately helps to raise the number of transactions.