Auditing your contracts

What an audit is, what it isn't, and how to prepare your code to get the most out of one.

What is a smart contract audit?

An audit is a structured security review of your contract code by one or more external experts. Auditors look for vulnerabilities, logic errors, gas inefficiencies, and deviation from intended behavior. A clean audit from a reputable firm is a significant trust signal in DeFi — but it's not a guarantee of safety. Audits are snapshots, not ongoing protection.

Do you need an audit?

If your contract will hold real value — any amount — get an audit. The cost of an audit (typically $10k–$100k+ depending on firm and scope) is trivial compared to the cost of a hack. Notable hacks like Ronin Bridge ($625M), Wormhole ($320M), and many others were unaudited or had audit recommendations ignored.

Automated tools (use before an audit)

Slither

The most widely used static analysis tool for Solidity. Catches common issues automatically.

```bash
pip install slither-analyzer
slither .
```

Mythril

Symbolic execution tool that finds deeper logic vulnerabilities.

```bash
pip install mythril
myth analyze contracts/MyContract.sol
```

Aderyn

A newer Rust-based static analyzer from Cyfrin, fast and Foundry-compatible.

```bash
cargo install aderyn
aderyn .
```

How to prepare for an audit

  • Write comprehensive tests — Auditors review test coverage. Gaps in coverage are red flags.
  • Add NatSpec documentation — Document every function's intent, parameters, and return values.
  • Run automated tools first — Fix everything Slither/Mythril flag before the audit, or record in writing why a finding is a false positive. Don't waste auditor time on known issues.
  • Write a threat model — What can go wrong? Who are the actors? What are the trust assumptions? This guides the auditor's focus.
  • Freeze the code — Don't change the codebase during the audit.
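The "run automated tools first" step is easiest to enforce if the tool output gates CI rather than being read by hand once. The script below is an added example, not code from the course: it reads the JSON report that `slither . --json report.json` writes, fails the build while High- or Medium-impact findings remain, and lets findings that were explicitly reviewed and accepted pass. The embedded report is a constructed sample that mimics the shape of Slither's JSON output (`results.detectors`, each with `check`, `impact`, `confidence`, `description` and `elements`); the file names, line numbers and findings in it are made up for the example, and the script, function and allow-list names are this example's own.

```python
"""Gate a CI job on a Slither JSON report before code goes to audit.

Added example for the audit-preparation checklist (not the course's code).
Assumes the report was produced by `slither . --json report.json`.
"""
import json
from typing import Dict, FrozenSet, List, Tuple

# Slither impact levels are High, Medium, Low, Informational, Optimization.
# Only the first two block the build; the rest are reported but not blocking.
BLOCKING_IMPACTS = ("High", "Medium")

# Constructed sample report (hand-written for this example, not real output).
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in MyVault.withdraw(uint256)",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "src/MyVault.sol",
                                          "lines": [42, 43, 44]}}]},
        {"check": "unchecked-transfer", "impact": "Medium", "confidence": "Medium",
         "description": "MyVault.deposit(uint256,address) ignores return value of transferFrom",
         "elements": [{"type": "function", "name": "deposit",
                       "source_mapping": {"filename_relative": "src/MyVault.sol",
                                          "lines": [30]}}]},
        {"check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter MyVault.deposit(uint256,address)._receiver is not in mixedCase",
         "elements": [{"type": "variable", "name": "_receiver",
                       "source_mapping": {"filename_relative": "src/MyVault.sol",
                                          "lines": [29]}}]},
    ]},
})

# A finding's identity for the allow-list: (detector, file, first line).
FindingKey = Tuple[str, str, int]


def load_findings(report_json: str) -> List[Dict]:
    """Return the detector findings from a Slither JSON report string."""
    report = json.loads(report_json)
    if not report.get("success", False):
        raise RuntimeError(f"slither did not complete: {report.get('error')}")
    return report["results"]["detectors"]


def finding_key(finding: Dict) -> FindingKey:
    """Stable key for one finding, taken from its first source element."""
    elements = finding.get("elements") or []
    mapping = elements[0].get("source_mapping", {}) if elements else {}
    lines = mapping.get("lines") or [0]
    return (finding["check"], mapping.get("filename_relative", "?"), lines[0])


def blocking_findings(findings: List[Dict],
                      accepted: FrozenSet[FindingKey] = frozenset()) -> List[Dict]:
    """Findings that must be fixed before audit: blocking impact and not accepted."""
    return [f for f in findings
            if f["impact"] in BLOCKING_IMPACTS and finding_key(f) not in accepted]


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per impact level, e.g. {'High': 1, 'Medium': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["impact"]] = counts.get(f["impact"], 0) + 1
    return counts


def gate(report_json: str, accepted: FrozenSet[FindingKey] = frozenset()) -> int:
    """CI exit status: 0 when nothing blocks, 1 otherwise. Prints what remains."""
    findings = load_findings(report_json)
    blockers = blocking_findings(findings, accepted)
    for f in blockers:
        check, path, line = finding_key(f)
        print(f"[{f['impact']}] {check} at {path}:{line}: {f['description']}")
    print("summary:", summarize(findings))
    return 1 if blockers else 0


if __name__ == "__main__":
    import sys
    # Usage: python slither_gate.py report.json  (falls back to the sample report)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(source))
```

The allow-list is keyed on detector, file and line rather than on the description text, so a reviewed false positive stays accepted across re-runs but silently stops matching if the code around it moves, which forces a fresh look. Keep that list in the repository next to the threat model so auditors can see which findings you decided not to fix and why.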

NatSpec documentation

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @title MyProtocol Vault
/// @notice Accepts ERC-20 deposits and issues yield-bearing shares
/// @dev Implements ERC-4626 tokenized vault standard
contract MyVault {

    /// @notice Deposit tokens and receive shares
    /// @param assets Amount of underlying token to deposit
    /// @param receiver Address that receives the shares
    /// @return shares Number of shares minted
    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        // ...
    }
}
```

Reputable audit firms

  • Trail of Bits
  • OpenZeppelin (audits separate from their library)
  • Cyfrin
  • Sherlock (competitive audit platform)
  • Code4rena (competitive audit platform)

Competitive audit platforms (Sherlock, Code4rena) are a cost-effective option for projects that can't afford a full traditional audit — many independent auditors review your code simultaneously for a prize pool.

After the audit

Address every finding. Publish the audit report publicly — transparency is expected in DeFi. If you deployed without an audit (or with unverified source) and then find a bug, trigger your emergency pause mechanism immediately and engage a recovery team before the exploit is replicated by others.
