Picking your audit firm wrong costs more than picking your VC wrong. This is the 8-dimension due diligence framework — what to ask, what to verify, and how to read between the lines of an audit proposal.
Picking your audit firm wrong costs more than picking your VC wrong. This is the 8-dimension due diligence framework — what to ask, what to verify, and how to read between the lines of an audit proposal.
Picking your audit firm wrong costs more than picking your VC wrong. A VC choice you regret loses you board influence and dilution. An audit choice you regret loses you $100M of treasury and the protocol itself.
This guide is the 8-dimension framework for evaluating smart contract audit firms — what to ask, what to verify, and how to read between the lines of an audit proposal. It assumes you already know you need an audit; if you are still deciding whether your launch needs one (or two), see Token Launch Checklist: From Tokenomics to TGE.
Each gets a real evaluation — not just a box-check.
Public audit reports are the most reliable signal of a firm's actual work product. Every reputable firm publishes a portfolio of recent audits on their website or GitHub. If a firm cannot show you 5+ recent reports, they should not be on your shortlist.
Finding count and severity distribution. A 0-finding audit is a red flag, not a good sign — either the code was already perfectly audited (rare) or the auditors did not look hard enough (common). Expect 5-30 findings per audit on a typical codebase, weighted toward low/informational with 1-5 high/critical.
Quality of the high-severity findings. Read 3-5 high-severity findings from their past reports. Are they describing real bugs with clear reproduction steps, or generic "the code uses tx.origin" boilerplate? Real findings have specific call paths, specific state preconditions, and proposed remediations that demonstrate understanding of the broader architecture.
Remediation language. Strong reports include the client's response and the auditor's verification of fixes. Weak reports just list findings without follow-through.
Editorial care. Typos, copy-paste errors from previous audits, inconsistent severity labels — these are signals that the audit was rushed.
The question to ask the firm is direct: "Who specifically on your team will review my code?" Then verify those names exist in their published audit history.
Senior named partners not on your engagement. Some firms sell on the reputation of a founder-auditor who has not personally touched audit work in 18 months. Your engagement gets junior reviewers under loose supervision.
Off-shoring without disclosure. Some "Western firm" engagements are actually performed by sub-contracted reviewers in lower-cost geographies. Not inherently bad — but if a firm doesn't disclose this and you're paying premium prices, you are paying for brand, not work.
Auditors with <2 years specific tenure. Web3 security has a steep learning curve. Auditors with less than 2 years of dedicated smart contract security work miss patterns that experienced reviewers catch.
Strong audits combine four methodologies. Firms that rely on one are doing surface-level work.
Ask the firm explicitly which they use and on what portion of your codebase. A firm that does manual review only is selling you a fraction of the protection a multi-method firm provides.
Audit experience on code like yours matters more than total years of operation. An auditor who has reviewed 20 DEXes will catch DEX-specific bugs faster than a 10-year veteran who has only audited token contracts.
Ask: "Show me your 3 most recent audits of [protocol type similar to yours]." If they cannot, downgrade your confidence — they will learn on your dime.
Be especially careful with first-of-kind protocols. If your design is genuinely novel (a new AMM curve, a new oracle mechanism), pick a firm with deep generic security expertise plus willingness to engage in design review, not just implementation review.
The audit report is not the deliverable. Working code is the deliverable. Post-audit support matters.
What to verify:
You'll spend 6-12 weeks working closely with this firm. Communication discipline matters operationally and as a signal of overall rigor.
What to assess in the sales process:
A "smart contract audit" is not a SKU. The price depends on:
What a $60K audit buys you. Typically 2-3 engineer-weeks across one or two reviewers. A solid mid-tier firm. Appropriate for an ERC-20 + simple staking contract.
What a $200K audit buys you. Typically 6-10 engineer-weeks across 2-3 reviewers, often including a formal verification pass on critical paths. A tier-1 firm. Appropriate for a full protocol with treasury, lending, or governance complexity.
Cheaper than $30K. Be skeptical. Either the firm is dumping prices to build portfolio (acceptable, but treat the result as a first pass, not a final audit) or the audit is too short to do the work.
This dimension is the most overlooked. Many audit firms have investor relationships, advisory positions, or token holdings that create real conflicts.
What to ask:
A firm that takes payment partly in your token has skewed incentives — they want your launch to succeed, which means under-reporting findings that would delay TGE. The cleanest engagements are 100% fiat-priced.
Once you have evaluated firms across the 8 dimensions, here is the framework to make the final call.
Floor: 2 independent firms. Pick from your top 4-5, then pick the second from a different "school" (e.g., one tier-1 generalist + one specialist boutique) for uncorrelated coverage.
Budget allocation. For a typical mid-cap protocol launch, budget $80K-180K across the two audits combined. Add $20K-40K for formal verification if any code path holds significant funds.
Timeline. Engage both firms at the same time you start writing your whitepaper draft. Audits run last; engagement starts first.
The Signal directory lists Web3 audit firms with verified track records, public methodology disclosures, KYB verification, and on-chain milestone escrow on engagements. You can brief once and receive matched introductions to firms appropriate for your codebase within 24 hours.
For the broader procurement context — how this audit decision fits into the rest of your launch decisions — see Token Launch Checklist: From Tokenomics to TGE and our Complete Web3 Founder's Procurement Guide.
Get expert guidance from The Arch Consulting on blockchain strategy, tokenomics, and Web3 growth.
Learn MorePicking your audit firm wrong costs more than picking your VC wrong. A VC choice you regret loses you board influence and dilution. An audit choice you regret loses you $100M of treasury and the protocol itself.
This guide is the 8-dimension framework for evaluating smart contract audit firms — what to ask, what to verify, and how to read between the lines of an audit proposal. It assumes you already know you need an audit; if you are still deciding whether your launch needs one (or two), see Token Launch Checklist: From Tokenomics to TGE.
Each gets a real evaluation — not just a box-check.
Public audit reports are the most reliable signal of a firm's actual work product. Every reputable firm publishes a portfolio of recent audits on their website or GitHub. If a firm cannot show you 5+ recent reports, they should not be on your shortlist.
Finding count and severity distribution. A 0-finding audit is a red flag, not a good sign — either the code was already perfectly audited (rare) or the auditors did not look hard enough (common). Expect 5-30 findings per audit on a typical codebase, weighted toward low/informational with 1-5 high/critical.
Quality of the high-severity findings. Read 3-5 high-severity findings from their past reports. Are they describing real bugs with clear reproduction steps, or generic "the code uses tx.origin" boilerplate? Real findings have specific call paths, specific state preconditions, and proposed remediations that demonstrate understanding of the broader architecture.
Remediation language. Strong reports include the client's response and the auditor's verification of fixes. Weak reports just list findings without follow-through.
Editorial care. Typos, copy-paste errors from previous audits, inconsistent severity labels — these are signals that the audit was rushed.
The question to ask the firm is direct: "Who specifically on your team will review my code?" Then verify those names exist in their published audit history.
Senior named partners not on your engagement. Some firms sell on the reputation of a founder-auditor who has not personally touched audit work in 18 months. Your engagement gets junior reviewers under loose supervision.
Off-shoring without disclosure. Some "Western firm" engagements are actually performed by sub-contracted reviewers in lower-cost geographies. Not inherently bad — but if a firm doesn't disclose this and you're paying premium prices, you are paying for brand, not work.
Auditors with <2 years specific tenure. Web3 security has a steep learning curve. Auditors with less than 2 years of dedicated smart contract security work miss patterns that experienced reviewers catch.
Strong audits combine four methodologies. Firms that rely on one are doing surface-level work.
Ask the firm explicitly which they use and on what portion of your codebase. A firm that does manual review only is selling you a fraction of the protection a multi-method firm provides.
Audit experience on code like yours matters more than total years of operation. An auditor who has reviewed 20 DEXes will catch DEX-specific bugs faster than a 10-year veteran who has only audited token contracts.
Ask: "Show me your 3 most recent audits of [protocol type similar to yours]." If they cannot, downgrade your confidence — they will learn on your dime.
Be especially careful with first-of-kind protocols. If your design is genuinely novel (a new AMM curve, a new oracle mechanism), pick a firm with deep generic security expertise plus willingness to engage in design review, not just implementation review.
The audit report is not the deliverable. Working code is the deliverable. Post-audit support matters.
What to verify:
You'll spend 6-12 weeks working closely with this firm. Communication discipline matters operationally and as a signal of overall rigor.
What to assess in the sales process:
A "smart contract audit" is not a SKU. The price depends on:
What a $60K audit buys you. Typically 2-3 engineer-weeks across one or two reviewers. A solid mid-tier firm. Appropriate for an ERC-20 + simple staking contract.
What a $200K audit buys you. Typically 6-10 engineer-weeks across 2-3 reviewers, often including a formal verification pass on critical paths. A tier-1 firm. Appropriate for a full protocol with treasury, lending, or governance complexity.
Cheaper than $30K. Be skeptical. Either the firm is dumping prices to build portfolio (acceptable, but treat the result as a first pass, not a final audit) or the audit is too short to do the work.
This dimension is the most overlooked. Many audit firms have investor relationships, advisory positions, or token holdings that create real conflicts.
What to ask:
A firm that takes payment partly in your token has skewed incentives — they want your launch to succeed, which means under-reporting findings that would delay TGE. The cleanest engagements are 100% fiat-priced.
Once you have evaluated firms across the 8 dimensions, here is the framework to make the final call.
Floor: 2 independent firms. Pick from your top 4-5, then pick the second from a different "school" (e.g., one tier-1 generalist + one specialist boutique) for uncorrelated coverage.
Budget allocation. For a typical mid-cap protocol launch, budget $80K-180K across the two audits combined. Add $20K-40K for formal verification if any code path holds significant funds.
Timeline. Engage both firms at the same time you start writing your whitepaper draft. Audits run last; engagement starts first.
The Signal directory lists Web3 audit firms with verified track records, public methodology disclosures, KYB verification, and on-chain milestone escrow on engagements. You can brief once and receive matched introductions to firms appropriate for your codebase within 24 hours.
For the broader procurement context — how this audit decision fits into the rest of your launch decisions — see Token Launch Checklist: From Tokenomics to TGE and our Complete Web3 Founder's Procurement Guide.
Get expert guidance from The Arch Consulting on blockchain strategy, tokenomics, and Web3 growth.
Learn More| Dimension | Why it matters | Weight |
|---|
| Public audit report quality | The single most reliable signal of work product | High |
| Team composition and tenure | Who actually reviews your code? | High |
| Methodology depth | Manual review, fuzzing, formal verification mix | High |
| Track record on similar code | Have they audited contracts like yours? | Medium-High |
| Post-audit support | Findings remediation guidance + re-review | Medium |
| Communication discipline | Slack/email responsiveness and clarity | Medium |
| Pricing transparency | Hours, deliverables, change-order policy | Medium |
| Disclosed conflicts of interest | Investor positions, advisory relationships | High |
| Dimension | Why it matters | Weight |
|---|
| Public audit report quality | The single most reliable signal of work product | High |
| Team composition and tenure | Who actually reviews your code? | High |
| Methodology depth | Manual review, fuzzing, formal verification mix | High |
| Track record on similar code | Have they audited contracts like yours? | Medium-High |
| Post-audit support | Findings remediation guidance + re-review | Medium |
| Communication discipline | Slack/email responsiveness and clarity | Medium |
| Pricing transparency | Hours, deliverables, change-order policy | Medium |
| Disclosed conflicts of interest | Investor positions, advisory relationships | High |