Top Smart Contract Audit Firms with Interesting Value Propositions
This list is not to say “which auditing firm is better than others” but rather a compilation of firms with unusual and clever value propositions for their customers.
It is a rather dangerous game to say one audit firm is more talented than another. There aren’t universally agreed upon metrics for this, and most of the population doesn’t have the experience to make an accurate judgement.
However, some have made unusual steps to demonstrate alignment with their clients, and we include those in the list below. In our subjective judgement, these firms also have have strong technical abilities and can be relied upon to find bugs.
Many lists like this simply rehash firms that are already well known, and thus don’t provide much value to the reader. Hopefully our insider view is useful.
This list is ordered alphabetically.
chainlight.io - Dominant performance in hacking contests
Anyone familiar with the web3 programming and hacking contests like ours, Curta, or Paradigm is familiar with Chainlight — the South Korean audit firm that consistently places in the top 3, if not the top 1. More recently, they were the first to claim a bug bounty for finding a very intricate zk proof forgery bug in Zk Sync — a class of bug that almost no audit firm is able to understand, let alone catch. In our public CTF contests on topics as diverse as compiler bugs and cryptography intricacies, Chainlight solves the puzzles first and with a huge margin.
You would think it would be more common for audit firms to regularly participate in contests or public bug bounties to showcase their skill to prospective clients, but it is surprisingly rare.
guardianaudits.com - Only pay if vulnerabilities are found
Aside from a small deposit, if they don’t find any vulnerabilities in your code, you won’t pay. This may be a welcome relief for some who have payed considerable sums only for no bugs to be found, making the buyer wonder how closely the auditor really looked at the code.
immunefi.com - Pay per live vulnerability
Immunifi is not an audit firm, it is a bug bounty platform. Nevertheless, the value proposition of bug bounties makes a lot of sense for protocols as a last line of defense. If a whitehat hacker finds a bug in a live protocol, they can disclose it to Immunifi and Immunifi will determine if the finding is a serious one or not and work out the payment.
Bug bounty payouts often cost less than an audit but can pre-empt catastrophic outcomes.
sherlock.xyz - Get refunded if you get hacked
Should you get a refund if your project gets hacked after getting a security review? Sherlock seems to think so. While you might not recover the entire amount lost, the fact that the organization has skin in the game shows that they really want to make sure your codebase does not have bugs. Sherlock is not an audit firm per se -- they are an audit contest platform where any hacker can participate in finding bugs and get rewarded if they do.
spearbit.com - Transparent Rates
On nearly every auditing website you'll find a "contact us for quotes" button, but on Spearbit you'll see clearly how much money is going to overhead (30%) and how much is going to the auditors. This is one of the very few firms (possibly only) to be this transparent. Their lead security researchers earn a weekly salary of $20,000, equivalent to over 1 million dollars per year, so this lets them bid for top talent.
Engineers at Spearbit and Immunifi have studied at RareSkills. Our students have earned money competing on Sherlock. We have no business relationships with Chainlight or Guardian Audits. None of this influences our decision to include them in the list. We do not have a referral program with any audit firm.
Do business with us
If you are a web3 engineering company looking to level up your team or recruit engineers, please see our recruitment and training offerings.