How much does a smart contract audit cost?

By Z. Oualid


Smart contract attacks usually exploit a vulnerability in the contract's source code, and the result is often a serious financial loss. Making sure the contract is free of known vulnerabilities before it is deployed to mainnet is therefore a must. So, how much does a smart contract audit cost?

The price of a smart contract audit by a large, well-known firm depends on the complexity of the contract and on its number of lines of code. The following table gives the cost for each range of lines of code:

Smart contract number of code lines      Price
Less than 600 lines of code              less than $33,250
Between 600 and 1000 lines of code       less than $47,500
Between 1000 and 3500 lines of code      less than $71,250
More than 3500 lines of code             around $100,000 or more

The prices in this table are based on multiple smart contract audits performed by several companies in the market over the last few years.

The line counts in this table exclude the standard libraries used during development; those libraries are usually out of scope for a smart contract audit. The prices are also only estimates: an audit can cost more or less than this depending on how well known the auditing company is and how scarce experts in the technology you use are.

In the following sections we explain why those numbers are so high and how you can reduce the cost. We also cover what you should prepare before the audit and when you should do it. If you want to know more, keep reading.

How much does a smart contract audit cost?

The price of a smart contract audit depends on several factors. The most important ones are:

  1. The number of lines of code
  2. The complexity of the application's business logic
  3. The complexity of the development technology used
  4. The number of auditors in the market who know that technology
  5. The time allocated to the audit
  6. The number of auditors who will work on the project in that time frame
  7. The kind of vulnerabilities you are targeting

Taking all of these factors at their maximum, the price of such a project can be described by the following table:

Smart contract number of code lines      Price
Less than 600 lines of code              less than $33,250
Between 600 and 1000 lines of code       less than $47,500
Between 1000 and 3500 lines of code      less than $71,250
More than 3500 lines of code             around $100,000 or more

The prices in this table are for smart contracts that have:

  1. Very complex business logic
  2. The latest smart contract technology (Solana, for example, or other, more complex platforms)
  3. Very few auditors available for that technology, because its community is still small
  4. A concentrated audit of 5 days
  5. More than 30 auditors working on the project
  6. Business-logic vulnerabilities as the target

Moreover, smart contract audits are expensive because the projects are very sensitive: a single vulnerability can cost the company millions of dollars, and fixing a vulnerability after deployment to mainnet is very expensive. Companies therefore tend to invest more in building and auditing the contract before it is deployed rather than managing a breach that would cost them more.

What are the prerequisites of a smart contract audit?

A smart contract audit is a complex process, and auditors need as much information as possible about your contract so that they can cover all of its features. Here is what you should prepare before starting an audit to get the most out of it:

  1. The smart contract source code
  2. Detailed, good-quality documentation
  3. The smart contract's unit tests, with good code coverage
  4. A well-defined scope

Auditing a smart contract is similar to performing a code review of a classic application, so documentation that guides the auditor during the review is necessary if you want better results.

The auditor uses this documentation mainly to understand the application's business logic and to find vulnerabilities in it. Without it, the auditor takes longer just to understand the application and is more likely to miss some hidden functionality.

The auditor uses the unit tests to interact with the contract quickly and try standard attacks without having to write the deployment and setup code from scratch. In some contracts, exercising a single feature requires calling several functions and setting several parameters first. Existing unit tests therefore act as a ready-made audit environment, which accelerates the audit and reduces the time it takes.

More time needed to perform an audit == More money for the audit.

Defining the scope of the audit lets you focus on the most important parts of your application, those most likely to be vulnerable. For example, removing the standard OpenZeppelin libraries from the scope is a good idea, since those contracts are already audited by the OpenZeppelin team, so there is less chance of finding vulnerabilities in them during your audit. This only holds for unmodified library code at a pinned, released version; a forked or patched copy is your code and belongs in scope.

Is performing an automated smart contract vulnerability scan enough?

An automated vulnerability scan is not enough. Scanners are very efficient at finding standard vulnerability classes such as reentrancy, infinite loops, timestamp dependence and many others. They cannot find business-logic vulnerabilities, because finding those requires a deep understanding of what the contract is supposed to do.

Running those tools before going to an audit is still necessary, since it eliminates the standard vulnerabilities up front. It is also beneficial if the team plans to run a bug bounty program later.
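As an added example (not code from the original post or its author), here is a constructed Solidity vault that illustrates the two points above and the earlier one about unit tests. The withdrawAllUnsafe function has the classic reentrancy pattern a scanner reports; withdraw is the hardened version that keeps scanners quiet; and the lock-period bypass in deposit is a business-logic bug no scanner can see, because nothing in the code is wrong unless you know the spec says every deposit is locked. The Foundry test at the bottom shows how an auditor reuses the project's own setUp to reproduce the bypass in a few lines. The contract, its spec, the 7-day lock, all names, and the forge-std harness are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // assumed Foundry project layout

// Constructed example. Spec (assumed): "every deposit is locked for LOCK
// seconds". The contract is written so that an automated scanner is happy
// with withdraw(), yet the lock can be bypassed through a logic mistake.
contract TimelockVault {
    uint256 public constant LOCK = 7 days;
    mapping(address => uint256) public balance;
    mapping(address => uint256) public unlockAt;
    bool private entered; // minimal reentrancy guard

    modifier nonReentrant() {
        require(!entered, "reentrant");
        entered = true;
        _;
        entered = false;
    }

    function deposit() external payable {
        // LOGIC BUG: the lock is only set on the first deposit. Once it has
        // expired, every later deposit is withdrawable immediately, which
        // violates the spec. To a scanner this function looks perfectly fine.
        if (unlockAt[msg.sender] == 0) {
            unlockAt[msg.sender] = block.timestamp + LOCK;
        }
        balance[msg.sender] += msg.value;
    }

    // What a scanner flags: external call before the balance is cleared, so
    // a malicious receiver can re-enter and drain other users' funds.
    function withdrawAllUnsafe() external {
        uint256 amount = balance[msg.sender];
        require(block.timestamp >= unlockAt[msg.sender], "locked");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balance[msg.sender] = 0; // too late: re-entered above
    }

    // Checks-effects-interactions plus the guard: scanners stay quiet, but
    // the lock bypass in deposit() is still there.
    function withdraw(uint256 amount) external nonReentrant {
        require(balance[msg.sender] >= amount, "insufficient");
        require(block.timestamp >= unlockAt[msg.sender], "locked");
        balance[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Fix for the logic bug, assuming the spec above: (re)set the lock on every
// deposit instead of only on the first one.
//     function deposit() external payable {
//         unlockAt[msg.sender] = block.timestamp + LOCK;
//         balance[msg.sender] += msg.value;
//     }

// The project's own test harness is what an auditor reuses: setUp() already
// deploys and funds, so reproducing the bypass is a handful of lines.
contract TimelockVaultTest is Test {
    TimelockVault vault;
    address alice = makeAddr("alice");

    function setUp() public {
        vault = new TimelockVault();
        vm.deal(alice, 10 ether);
    }

    function testLockBypassOnSecondDeposit() public {
        vm.startPrank(alice);
        vault.deposit{value: 1 ether}();
        vm.warp(block.timestamp + vault.LOCK()); // first lock expires
        vault.deposit{value: 5 ether}();         // spec: locked 7 more days
        vault.withdraw(6 ether);                 // succeeds: the bug
        vm.stopPrank();
        assertEq(alice.balance, 10 ether);       // everything came back at once
    }
}
```

Run with forge test -vv in a Foundry project that has forge-std installed; the test passing is the finding, since it proves the second deposit was never locked. A scanner such as the ones mentioned above would report withdrawAllUnsafe and nothing else.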

How to reduce a smart contract audit cost?

Here is a list of things that can be performed to reduce the price of a smart contract audit:

  1. Write good documentation
  2. Run automated tools as soon as you finish writing your code
  3. Define a good scope
  4. Optimize your code

As said in the previous sections, good documentation helps the auditor quickly understand the business logic of the contract under review. This saves the time needed to analyze the contract's functionality, which reduces the audit price.

Using automated tools before the audit also reduces the cost. Some companies prefer to pay auditors per vulnerability found, so eliminating all the standard vulnerabilities beforehand saves money.

Defining a good scope removes unnecessary work. Auditing well-known libraries that are already audited is a waste of time: those contracts are continuously reviewed by the whole community, so there is little chance of finding a vulnerability in them, and even less within a time-limited audit.

The last thing you can do to reduce the cost is to optimize your code as much as possible. As said in the first section, one of the key elements used to set the price is the number of lines of code, so by trimming your code you reduce the amount the auditors must review, which reduces the time and the cost of the audit. Optimizing here means removing dead code, duplicated logic and unused features, not compressing the same logic into fewer, denser lines; dense code takes the auditor longer to understand, and the audit does not get cheaper.

Do you want a smart contract audit?

If you want a quote for your smart contract audit, fill in this form and we will be happy to send you one:

    Written by: Z. Oualid

    About the author

    Z. Oualid

    I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).
