Every DeFi protocol, token contract, and smart contract-based application you interact with represents a piece of code that controls real assets. Unlike a traditional financial institution where regulatory oversight, legal recourse, and human judgment provide layers of protection, a smart contract executes exactly as written: without modification, without appeal, and without the ability to reverse a completed transaction.
This immutability is one of the great strengths of blockchain technology, but it also means that bugs, deliberate backdoors, or design flaws in smart contract code can result in permanent loss of funds. The history of crypto is filled with exploits costing hundreds of millions of dollars: the DAO hack, the Ronin Bridge exploit, and numerous smaller protocol hacks and rug pulls. In most of these cases the flaw was in the contract code itself. Ronin is the notable exception: its contracts behaved exactly as written, and the attackers instead compromised enough of the bridge's validator private keys to authorise withdrawals, which is why code review and key management have to be assessed as separate lines of defence.
Smart contract auditing is the process of reviewing that code for vulnerabilities before or after it is deployed. Professional auditing is conducted by specialist security firms. But even as a non-developer investor, understanding the basics of what audits look for, how to read an audit report, and how to use available tools to assess a contract reduces your exposure to investing in protocols with known or discoverable flaws.
Professional smart contract audits follow a systematic methodology that covers several categories of vulnerability.
A reentrancy vulnerability occurs when a contract makes an external call to another contract before updating its own state. The called contract can call back into the original contract before the first execution is complete, potentially withdrawing funds multiple times in a single transaction. The DAO hack in 2016 exploited precisely this vulnerability, resulting in the theft of approximately 3.6 million ETH. Auditors specifically check for reentrancy patterns and verify that contracts follow the “checks-effects-interactions” pattern (update state before making any external call) and, where a function makes several external calls, that a reentrancy guard is in place as well.
Older Solidity code (before version 0.8.0) was vulnerable to arithmetic errors where a calculation that exceeded the maximum or fell below the minimum value of an integer type would silently “wrap around,” producing incorrect results. An attacker could exploit this to manipulate token balances or other values. Auditors verify that arithmetic is handled correctly, either through SafeMath libraries or by using Solidity 0.8.0 and later, which reverts on overflow and underflow by default. Note that 0.8 code can opt back out of those checks inside unchecked blocks, usually to save gas, so auditors also review every unchecked block for arithmetic that is not provably in range.
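The following added example (written for this page, not taken from any real token) reproduces the pre-0.8 behaviour on a 0.8 compiler by wrapping the arithmetic in an unchecked block, next to the checked form. The contract and function names are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract WrapDemo {
    mapping(address => uint256) public balances;

    // Pre-0.8 semantics, reproduced with an unchecked block: 0 - 1 silently becomes 2**256 - 1.
    function wrappedSub(uint256 a, uint256 b) public pure returns (uint256) {
        unchecked {
            return a - b;
        }
    }

    // 0.8 default: the same subtraction reverts instead of wrapping.
    function checkedSub(uint256 a, uint256 b) public pure returns (uint256) {
        return a - b;
    }

    // The classic pre-0.8 bug: a sender with a zero balance transfers 1 wei and is left
    // holding a balance of 2**256 - 1. Written with unchecked so it compiles on 0.8.
    function transferUnchecked(address to, uint256 amount) external {
        unchecked {
            balances[msg.sender] -= amount; // underflows instead of failing
            balances[to] += amount;
        }
    }

    // What SafeMath did by hand and 0.8 now does automatically: fail closed.
    // The explicit require only gives a readable error; the checked subtraction would revert anyway.
    function transferChecked(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }

    // Helper so the two transfer paths can be compared from a funded account.
    function credit(uint256 amount) external {
        balances[msg.sender] += amount;
    }
}
```

When reviewing verified source, the two things to search for are a pragma below 0.8.0 without SafeMath on every balance or supply operation, and unchecked blocks in 0.8 code. Unchecked is legitimate where the bound is obvious (a loop counter that cannot reach 2**256), but an unchecked subtraction on a user-controlled amount is exactly the pre-0.8 bug reintroduced on purpose.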
Improperly implemented access controls can allow unauthorised addresses to call privileged functions: minting unlimited tokens, withdrawing contract funds, or modifying protocol parameters. Auditors verify that every privileged function has an appropriate access check and that the check cannot be bypassed, for example through an initialiser that can be called a second time to reassign ownership, or an upgrade path that is not itself protected.
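As an added example (written for this page, not any real token's code), here is a token whose mint function looks gated but whose initialiser can be re-called by anyone, next to a version with a single-shot initialiser, an onlyOwner modifier and a two-step ownership handover. Names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Looks gated, but is bypassable: mint() checks the owner, while the initialiser that sets
// the owner has no guard against being called again, so anyone can take ownership first.
contract BypassableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    function initialize(address _owner) external {
        owner = _owner; // no "already initialised" check
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened: single-shot initialiser, onlyOwner on every privileged function, and a
// two-step ownership handover so a mistyped address cannot strand control.
contract GatedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;
    address public pendingOwner;
    bool private initialized;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event Mint(address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        initialized = true;
        owner = _owner;
        emit OwnershipTransferred(address(0), _owner);
    }

    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Mint(to, amount);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```

One caveat an auditor would still raise on the hardened version: a single-shot initialiser can be front-run between deployment and the first call. Either set the owner in the constructor or initialise in the same transaction that deploys the contract (the usual proxy pattern). On Etherscan, the things to look for are who holds `owner`, whether `initialize` has already been called, and whether the ownership-transfer events show control moving to a multisig or time lock.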
Protocols that rely on external price oracles to determine asset values can be vulnerable to oracle manipulation attacks. If an attacker can temporarily manipulate the price reported by an oracle (for example, through a flash loan that moves a low-liquidity market), they can exploit the protocol. Auditors check oracle implementation and recommend manipulation-resistant approaches like time-weighted average prices (TWAPs).
Flash loans, covered in the flash loans DeFi explained resource, allow enormous amounts of capital to be borrowed and repaid within a single transaction. Protocols vulnerable to flash loan attacks can be exploited to manipulate prices, drain liquidity pools, or trigger logical flaws that only manifest at scale. Auditors specifically test for flash loan attack vectors.
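To show both points above in code, here is an added example written for this page: a simplified constant-product pool (a stand-in modelled on the Uniswap V2 price accumulator, not Uniswap's code) and a reader that exposes the manipulable spot price beside a time-weighted average. Contract names, the 30 minute window and the absence of fees are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Toy constant-product pool. Like Uniswap V2, it accumulates (price x seconds) using the reserves
// that held BEFORE each trade, so a trade made and unwound in the same block adds zero weight.
// No fees and no real token transfers: it only models the price mechanics.
contract ToyPool {
    uint112 public reserve0;
    uint112 public reserve1;
    uint256 public price0CumulativeLast; // token0 priced in token1, 1e18 fixed point, times seconds
    uint32 public blockTimestampLast;

    constructor(uint112 r0, uint112 r1) {
        require(r0 > 0 && r1 > 0, "empty pool");
        reserve0 = r0;
        reserve1 = r1;
        blockTimestampLast = uint32(block.timestamp);
    }

    // Instantaneous price: whatever the reserve ratio is right now.
    function spotPrice() public view returns (uint256) {
        return (uint256(reserve1) * 1e18) / uint256(reserve0);
    }

    function _update(uint112 r0, uint112 r1) internal {
        uint32 nowTs = uint32(block.timestamp);
        uint32 elapsed = nowTs - blockTimestampLast;
        if (elapsed > 0) {
            price0CumulativeLast += spotPrice() * elapsed; // old reserves: the price that actually prevailed
            blockTimestampLast = nowTs;
        }
        reserve0 = r0;
        reserve1 = r1;
    }

    function swap0For1(uint112 amountIn) external returns (uint112 amountOut) {
        uint256 k = uint256(reserve0) * uint256(reserve1);
        uint112 newR0 = reserve0 + amountIn;
        uint112 newR1 = uint112(k / newR0);
        amountOut = reserve1 - newR1;
        _update(newR0, newR1);
    }

    function swap1For0(uint112 amountIn) external returns (uint112 amountOut) {
        uint256 k = uint256(reserve0) * uint256(reserve1);
        uint112 newR1 = reserve1 + amountIn;
        uint112 newR0 = uint112(k / newR1);
        amountOut = reserve0 - newR0;
        _update(newR0, newR1);
    }
}

// Two ways to read the same pool. Valuing collateral with spot() is flash-loan manipulable;
// twap() forces an attacker to hold the distorted price for a meaningful share of PERIOD.
contract PriceReader {
    ToyPool public immutable pool;
    uint32 public constant PERIOD = 30 minutes;

    uint256 private cumulativeStart;
    uint32 private timestampStart;

    constructor(ToyPool _pool) {
        pool = _pool;
        cumulativeStart = _currentCumulative();
        timestampStart = uint32(block.timestamp);
    }

    // Vulnerable reading.
    function spot() external view returns (uint256) {
        return pool.spotPrice();
    }

    // Pool's stored cumulative plus the current price for the seconds since the pool's last trade.
    // In the block where the attacker trades, that gap is zero, so the spike counts for nothing.
    function _currentCumulative() internal view returns (uint256) {
        uint32 elapsed = uint32(block.timestamp) - pool.blockTimestampLast();
        return pool.price0CumulativeLast() + pool.spotPrice() * elapsed;
    }

    // Hardened reading: average price over at least PERIOD seconds.
    function twap() external view returns (uint256) {
        uint32 elapsed = uint32(block.timestamp) - timestampStart;
        require(elapsed >= PERIOD, "window not elapsed");
        return (_currentCumulative() - cumulativeStart) / elapsed;
    }

    // Roll the window forward once a full PERIOD has passed; anyone may call.
    function checkpoint() external {
        uint32 elapsed = uint32(block.timestamp) - timestampStart;
        require(elapsed >= PERIOD, "window not elapsed");
        cumulativeStart = _currentCumulative();
        timestampStart = uint32(block.timestamp);
    }
}
```

The attack on the spot reading is: flash-borrow token1, call swap1For0 to push token0's price up, borrow against token0 collateral at the inflated valuation, unwind the swap and repay the flash loan, all in one transaction. Against twap() the same trade contributes zero seconds at the manipulated price, so the attacker would have to keep the pool distorted across many blocks, paying arbitrageurs the whole time. Two caveats remain: a TWAP lags genuine price moves, and on a pool with very little liquidity even multi-block manipulation can be cheap, so auditors look at the window length and the depth of the pool being averaged, not just the presence of a TWAP.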
The Capital Nexus newsletter covers protocol security and notable exploits that affect the DeFi ecosystem weekly: Capital Nexus Newsletter.
Even without a developer background, you can inspect the basic properties of a smart contract on Etherscan. Here is what to look for.
First, navigate to the contract address on Etherscan. If the developer has verified and published the source code (a sign of transparency), the “Contract” tab will show “Code” with the source and the compiler settings. A contract whose source is not verified is an immediate red flag: only the bytecode is visible, and neither you, the community, nor an auditor can see what it does without decompiling it. If Etherscan labels the contract as a proxy, also open the implementation it points to: the proxy itself is usually a thin forwarder, and both the real logic and the power to replace it live in the implementation and whichever address administers the proxy.
Check the contract creation date and the deployer address. Very recently deployed contracts from anonymous deployers are higher risk. Check whether the deployer address has a history of other contracts and whether those contracts have been involved in any known exploits or rug pulls.
Look for the token ownership and admin control structure. Many token contracts include functions that allow the owner to mint unlimited tokens, pause transfers, or modify the tax rate on transactions. If these functions exist and are controlled by a single externally owned account rather than a multisig or time lock, the contract carries centralisation risk. An owner who can mint unlimited tokens can effectively rug pull at any time.
Check whether a time lock has been applied to admin functions. A time lock introduces a mandatory delay between when a privileged action is queued and when it can execute, giving the community time to react. Protocols with time locks on critical functions are meaningfully safer than those that allow immediate execution of admin actions. Check the delay itself and who controls the time lock: a delay of minutes gives nobody time to react, and a time lock whose admin is a single key delays a malicious change rather than preventing it.
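The checks above are easier to apply once you have seen what a time lock looks like in source. The following is an added example written for this page (not any protocol's or library's code) of a minimal queue-wait-execute time lock and a parameter contract that only accepts changes through it; the 48 hour delay, the 10% fee cap and all names are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal time lock: a privileged call must be queued, wait DELAY, and only then execute.
// Holders can watch for Queued events and exit before the change takes effect.
contract Timelock {
    uint256 public constant DELAY = 48 hours;
    address public admin;
    mapping(bytes32 => uint256) public readyAt; // operation id => earliest execution time

    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Executed(bytes32 indexed id, address target, bytes data);
    event Cancelled(bytes32 indexed id);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    function operationId(address target, bytes calldata data, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, salt));
    }

    function queue(address target, bytes calldata data, bytes32 salt) external onlyAdmin returns (bytes32 id) {
        id = operationId(target, data, salt);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    function cancel(bytes32 id) external onlyAdmin {
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id);
    }

    function execute(address target, bytes calldata data, bytes32 salt) external onlyAdmin returns (bytes memory) {
        bytes32 id = operationId(target, data, salt);
        uint256 ready = readyAt[id];
        require(ready != 0, "not queued");
        require(block.timestamp >= ready, "delay not elapsed");
        delete readyAt[id]; // effect before interaction
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        emit Executed(id, target, data);
        return ret;
    }
}

// A protocol parameter that can only change through the time lock. The admin calls
// Timelock.queue(address(params), abi.encodeCall(Params.setFeeBps, (50)), salt) and,
// 48 hours later, Timelock.execute(...) with the same three arguments.
contract Params {
    address public immutable timelock;
    uint16 public feeBps;

    constructor(address _timelock) {
        timelock = _timelock;
    }

    function setFeeBps(uint16 newFee) external {
        require(msg.sender == timelock, "only via timelock");
        require(newFee <= 1000, "fee too high"); // 10% hard cap, enforced even for the time lock
        feeBps = newFee;
    }
}
```

What this gives you as an on-chain check: the owner of the sensitive contract should be a contract address whose verified source contains a delay constant and a queue/execute pair, not an externally owned account; the delay should be long enough to act on; and any hard caps like the fee limit above bound what even a compromised admin can do.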
Several automated tools can analyse smart contract code for common vulnerability patterns without requiring programming expertise.
Token Sniffer (tokensniffer.com) analyses token contracts for common red flags including honeypot mechanics (contracts that prevent selling), unlimited mint functions, abnormal trading tax rates, and similarities to known scam contracts. For any new token you are considering, running the contract address through Token Sniffer takes 30 seconds and can identify obvious red flags immediately. A clean score is a screening result, not an audit: the checks are pattern-based and will miss anything novel.
Slither (static analysis), Mythril (symbolic execution), and Echidna (property-based fuzzing) are professional-grade tools used by auditors. They can be run on verified contract source code to surface potential vulnerabilities automatically, and Echidna can check invariants you state yourself, such as “total supply never exceeds the cap.” These tools require more technical comfort than Token Sniffer but are available as open-source software.
De.Fi Shield and similar platforms aggregate security data about protocols, including audit history, treasury control, and past incidents. They provide risk scores that synthesise multiple data points into an accessible assessment.
When a protocol has been professionally audited, the audit report is one of the most valuable documents for any investor to review. Here is how to read one effectively.
Check the audit date and the version of code that was audited. An audit conducted on an earlier version of the code may not cover changes made since then. If the protocol has deployed a newer version or made significant upgrades after the audit, the report may not fully reflect the current contract’s security posture.
Review the findings severity levels. Audits typically classify issues as Critical, High, Medium, Low, or Informational. Critical and High findings are the most important: they represent vulnerabilities that could result in direct loss of funds if exploited. Check whether all Critical and High findings were acknowledged and remediated before deployment. Unresolved critical findings in a deployed protocol are a serious red flag.
Check the audit scope. Some audits cover only specific components of a protocol, not the entire codebase. An audit of the staking contract does not cover the bridge, the oracle, or the token contract. Understand what was and was not included in the scope before treating an audit as comprehensive.
Consider the auditing firm. Reputable auditing firms in the space include CertiK, Trail of Bits, OpenZeppelin, ConsenSys Diligence, and Spearbit. The presence of an audit from a well-regarded firm does not guarantee safety (audited protocols have still been exploited), but it indicates that a genuine, professional review was conducted. Beware of self-audits or audits from unknown firms: these provide little assurance.
Even the best smart contract audit does not guarantee a protocol is safe. Understanding these limitations is important for calibrating the weight you give to audit status in your investment decisions.
Audits are point-in-time reviews. If a protocol deploys new code, modifies existing contracts, or adds new integrations after an audit, those changes may introduce new vulnerabilities not covered by the audit. Always check whether the audit was conducted on the current deployment.
Complex systems have emergent risks. A protocol composed of multiple audited components can still have vulnerabilities that arise from how those components interact. The 2023 Euler Finance exploit is an example: a donation function skipped the account health check that the protocol's other balance-changing functions performed, and combining it with Euler's own leverage and liquidation mechanics let an attacker make a position insolvent on purpose and then liquidate it at a discount. Each mechanism looked reasonable on its own; the loss came from the interaction.
Economic design flaws can be exploitable even without code bugs. A protocol whose token economics create perverse incentives, or whose design is vulnerable to coordinated economic attacks, may be exploitable without any traditional code vulnerability. Economic analysis is separate from code review and equally important for higher-stakes investments.
Ultimately, smart contract auditing is one input into a broader DYOR process for identifying promising crypto projects. Combined with understanding the team, the tokenomics, the DeFi risks inherent in the protocol type, and the overall market context, it provides a more complete picture than any single data point alone.
Incorporating basic smart contract due diligence into your investment research process requires only a small time investment but significantly reduces exposure to the most preventable category of DeFi losses.
Before interacting with or investing in any new protocol: check whether the contract source code is verified on Etherscan, run the token address through Token Sniffer, check for a professional audit report from a reputable firm, and verify the audit covered the current deployment. These four steps take under ten minutes and screen out the most obvious risk categories.
For significant investments, read the actual audit report rather than just noting that one exists. Review the findings severity, what was fixed, and what remains as acknowledged risk. Check the on-chain access control structure for mint, pause, and upgrade functions. Look at whether a time lock is in place for critical admin functions. This level of diligence is appropriate for any DeFi allocation of meaningful size.
Shepley Capital’s Black Emerald membership gives you access to protocol-level research and security analysis for DeFi and on-chain investment opportunities: View Membership Options.