3.9.3 Selecting an Audit Path

The audit industry has matured into several distinct service categories, each with different cost structures, time horizons, deliverable formats, and bug-finding profiles. A team paying for "an audit" in 2026 is choosing between options that did not all exist five years ago, and the right choice depends on what the protocol is, where it is in its lifecycle, and what the team's risk tolerance is.

This subsection covers the five major audit paths: established audit firms, independent solo auditors, contest platforms (Code4rena, Sherlock, Cantina, Codehawks), bug bounty programs (Immunefi), and formal verification engagements (Certora). Each is examined as a product — what it costs, what it provides, what it's good at finding, and when it's the right choice. The goal is to equip the team to make an informed selection rather than to default to whatever option is most familiar.

A typical mature protocol uses several of these paths in combination, not one in isolation. A protocol pre-launch might commission a firm audit, run a contest, then launch with a bug bounty. The categories are complementary, and choosing well across them is part of the security strategy.

Audit Firms

Established security firms perform private, fixed-price audits with a small team of senior researchers. They are the traditional audit format and remain the appropriate choice for many protocols, especially those at production milestones with substantial value at stake.

Examples

The major firms (as of writing): Trail of Bits, OpenZeppelin Security, ConsenSys Diligence, Spearbit, Zellic (which acquired Code4rena in 2024), Quantstamp, CertiK, Halborn, ChainSecurity, Cyfrin (which runs Codehawks), Macro, and dozens of smaller specialized firms. The list shifts annually as firms merge, dissolve, or specialize.

Cost

For a typical Solidity protocol audit, expect:

  • Small audits (< 500 LoC, simple logic): $20K-$50K
  • Medium audits (500-2000 LoC, moderate complexity): $50K-$150K
  • Large audits (2000-5000 LoC, high complexity): $150K-$500K
  • Very large engagements (5000+ LoC, multi-protocol): $500K-$2M+

Pricing is typically quoted per line of code in scope, with significant adjustments for complexity. A 1000-LoC AMM with novel pricing logic costs more than a 1000-LoC ERC-20 wrapper. Specialized stacks (Vyper, Move, ZK circuits, Cairo) cost more than standard Solidity.

The cost includes auditor time across a typical 2-6 week engagement plus the report-writing phase. Fix verification is sometimes included in the original price; sometimes billed separately.

Time

  • Booking queue: Top firms have 4-12 weeks of backlog. Engagement contracts are typically signed 1-2 months before the audit begins.
  • Engagement duration: 2-4 weeks for typical scope; longer for complex protocols.
  • Report delivery: Usually 1-2 weeks after engagement ends.
  • Fix verification round: Additional 1-2 weeks if included.

The lead time from "we need an audit" to "we have a final report" is typically 8-16 weeks total.

What Firms Are Good At

  • Deep, focused review of complex business logic by senior researchers
  • Continuous engagement — researchers build context over the engagement period and revisit findings
  • Professional reporting — polished PDFs with executive summaries, severity classifications, fix recommendations
  • Reputational signaling — "audited by Trail of Bits" is a recognized credential
  • Established communication protocols — predictable status updates, clear escalation paths
  • Fix verification — post-audit re-review of remediation work

What Firms Are Less Good At

  • Coverage breadth — a team of 2-3 reviewers cannot match the breadth a 200-researcher contest provides
  • Speed — booking queues mean firms cannot respond to urgent timelines
  • Pricing flexibility — fixed-price engagements regardless of how many bugs are found
  • No incentive alignment — auditors are paid the same whether they find 50 bugs or 0

When a Firm Audit Is the Right Choice

  • Pre-mainnet launch of a protocol with substantial value at stake
  • Major version upgrade where deep review of changed logic is essential
  • Investor or insurance requirements that specify "audited by recognized firm"
  • Complex novel logic where senior expertise is needed (cryptographic protocols, exotic AMM designs, ZK applications)
  • Protocols where the team can absorb 8-16 weeks of lead time

Independent Solo Auditors

Individual senior security researchers, often former employees of major firms, offering audits as solo practitioners. The market has grown substantially over recent years as top researchers leave firms to operate independently.

Examples

The independent space is wide and individual researchers vary substantially in profile. Some well-known examples (subject to change): pashov, samczsun, Trust Security, MiloTruck, jaraxxus, hansfriese, cmichel, 0xpants. Public leaderboards on Code4rena, Sherlock, and Cantina are reasonable proxies for individual skill.

Cost

Independent auditors typically charge:

  • Daily rate: $1,500-$5,000/day for top-tier researchers
  • Per-LoC pricing: Similar to firm pricing, sometimes 20-30% lower
  • Retainer arrangements: Available with established relationships

A typical solo audit of 1,000-2,000 LoC runs $30K-$100K. The variance is wider than firm pricing — top researchers may charge firm-equivalent rates; mid-tier independents may be substantially cheaper.

Time

  • Booking queue: Variable — some top independents have multi-month queues, others have availability within weeks
  • Engagement duration: 1-3 weeks typical
  • Report delivery: Often within days of engagement end

What Independents Are Good At

  • Focused expertise — many independents specialize in specific domains (DeFi, bridges, governance, ZK)
  • Direct communication — no project manager intermediary; you work directly with the researcher
  • Flexibility — engagement scope and timing can be negotiated more freely than with firms
  • Cost efficiency — typically lower overhead than firms
  • Speed — for available independents, faster engagement than firms

What Independents Are Less Good At

  • Single point of failure — one researcher's strengths and blind spots define the audit's coverage
  • No backup if unavailable — illness, family emergency, etc. can derail an engagement
  • Less institutional support — no project management infrastructure, no fix verification framework
  • Reputational signaling varies — "audited by [unknown name]" carries less weight than "audited by Trail of Bits"
  • Variable report quality — formats and depth differ across individual researchers

When an Independent Audit Is the Right Choice

  • Mid-stage protocols looking for cost-efficient deep review
  • Teams that have an existing relationship with a specific researcher
  • Specialized domain requirements where the right specialist is independent
  • Follow-up reviews to a firm audit (second opinion at lower cost)
  • Pre-contest preparation (cleaning up easy findings before exposing to a competition)

Contest Platforms

Crowdsourced auditing platforms where dozens to hundreds of researchers compete to find bugs within a fixed time window. A single contest brings significantly more eyeballs to the code than any firm or independent engagement could.

Examples (Current Landscape)

  • Code4rena (c4) — original and largest by community size; acquired by Zellic in 2024 but operating independently. Tiered model (invitational, private, open contests).
  • Sherlock — premium tier focusing on experienced researchers; includes optional coverage product (insurance-style payout if exploited).
  • Cantina — newer platform; combines curated team-based reviews with crowdsourced competitions.
  • Codehawks — Cyfrin's platform; backed by Patrick Collins's educational community.
  • Hats Finance — decentralized platform; on-chain reward distribution.
  • Immunefi (boosts) — primarily known for bug bounties, but offers time-bounded "boost" contests.

Each platform's specifics shift over time. Current pricing, formats, and policies should be verified directly before engagement.

Cost

  • Entry-level contests: $25K-$75K total prize pool
  • Mid-range contests: $75K-$250K
  • Large competitive engagements: $250K-$1M+
  • Platform fees: Typically 5-20% on top of the prize pool

The prize pool structure incentivizes finders proportional to severity (e.g., 80% of pool for High/Critical findings, 15% for Medium, 5% for Low). High-severity findings split the relevant pool among finders; the platform deduplicates and judges quality.

Time

  • Booking queue: Varies by platform; major contests often book 2-6 weeks ahead
  • Contest duration: Typically 1-4 weeks (the audit window)
  • Judging and finalization: 2-4 weeks after contest end
  • Total timeline: 4-10 weeks from contract signing to final report

What Contests Are Good At

  • Coverage breadth — hundreds of researchers means many independent perspectives
  • Novel attack discovery — the diversity of approaches surfaces bugs traditional reviews miss
  • Time efficiency for review window — the contest fits in a single calendar block
  • Incentive alignment — researchers are paid only if they find bugs
  • Public transparency — most contests publish full findings reports, creating educational value for the broader community

What Contests Are Less Good At

  • Signal-to-noise ratio — open contests receive many low-quality submissions; the team must read through them all (or pay the platform to filter)
  • Limited follow-up — once the contest ends, individual researchers rarely engage for clarification or fix verification
  • Reputational signaling varies — "audited via Code4rena" carries weight; specific researcher attribution may not
  • No financial accountability for missed bugs — if the contest misses a critical bug and the protocol gets exploited, the platform is not liable
  • Predictability of coverage — depends on which researchers chose to participate

When a Contest Is the Right Choice

  • Protocols seeking breadth over depth for a specific milestone
  • Pre-launch coverage to complement a firm audit
  • Established codebases where novel issues are likely to be edge cases
  • Teams that can absorb the operational overhead of evaluating many submissions
  • Public-facing protocols that benefit from the transparency of published findings

Bug Bounty Programs

Continuous, open-ended programs where anyone can submit vulnerabilities for reward at any time after launch. Unlike contests, there is no fixed window — the bounty runs as long as the protocol pays for it.

Examples

  • Immunefi — the dominant platform; manages bug bounties for most major DeFi protocols
  • HackenProof — competitor platform; smaller market share
  • Direct programs — some protocols run their own bounties via internal infrastructure

Immunefi alone has paid out over $100M in bounties across its history. The platform's leaderboard regularly features individual whitehat payouts in the $1M-$10M range for critical findings.

Cost

  • Maximum bounty per finding: Set by the protocol; typically 5-10% of value-at-risk, capped at a fixed maximum
  • Total program cost: Variable — only pays when bugs are found
  • Platform fees: 10-20% on top of bounty payments

A protocol with $100M TVL might offer maximum bounties of $1M-$10M for critical findings, with smaller bounties for lower-severity issues. The expected annual cost depends entirely on how many findings come in.

Time

  • Setup: 1-2 weeks to configure the program (scope, severity tiers, payment terms)
  • Bug submission: Continuous — submissions arrive whenever researchers find them
  • Triage: Hours to days per submission, depending on severity
  • Payment: Days to weeks after acceptance, depending on platform terms

What Bug Bounties Are Good At

  • Ongoing coverage — protection that continues for the life of the protocol
  • Catastrophic-bug discovery — large rewards attract serious researchers to deep analysis
  • Post-launch coverage — captures issues that emerge in live conditions or with real liquidity
  • Pay-for-results model — no payment unless a bug is found and accepted

What Bug Bounties Are Less Good At

  • Coverage breadth at any single moment — there's no guarantee any particular researcher is looking at any particular code path right now
  • Time-bounded coverage — not a substitute for pre-launch audit
  • Submission quality — many submissions are duplicates, false positives, or out-of-scope
  • Operational overhead — the security team must respond to submissions promptly to maintain program credibility
  • Negotiation pressure — researchers and the protocol sometimes disagree about severity and payout

When a Bug Bounty Is the Right Choice

  • Every protocol post-launch should have one
  • Especially valuable for protocols with substantial TVL where the maximum bounty can be set high enough to attract top researchers
  • Complementary to all other audit forms, not a replacement
  • The "always-on" baseline of the security program

Formal Verification

Mathematical proof that specific properties of a contract hold under all possible inputs. Unlike testing (which checks specific cases) or audits (which review code patterns), formal verification proves properties — but only the specific properties that are formalized.

Examples

  • Certora Prover — the dominant commercial offering; used by Compound, Aave, Balancer, and many others. Reads Solidity source plus a "specification" written in Certora's CVL language.
  • Halmos — open-source symbolic testing tool from a16z; can be integrated with Foundry.
  • Kontrol — formal verification framework targeting EVM bytecode, from Runtime Verification.
  • K Framework / KEVM — academic formal semantics of the EVM; the foundation for several commercial tools.

Cost

  • Certora engagement: $50K-$500K depending on protocol complexity and number of properties verified
  • Self-driven formal verification: Time cost of internal engineers learning CVL or similar specification languages; tooling is sometimes free for early-stage or open-source projects
  • Halmos / open-source: Free in software cost; engineering time investment

Time

  • Engagement duration: 4-12 weeks for full coverage of moderately-complex protocol
  • Iteration cycles: Specifications often need refinement as the prover surfaces unexpected counterexamples

What Formal Verification Is Good At

  • Mathematical certainty about the specific properties that are formalized
  • Catches subtle bugs that escape testing — counterexamples at edge cases no test would construct
  • Establishes invariants formally — solvency, conservation, monotonicity properties can be proven, not just tested
  • High-value for high-stakes protocols — when an exploit would be catastrophic, the mathematical guarantee justifies the cost

What Formal Verification Is Less Good At

  • Coverage scope — only proves what's specified; bugs outside the specified properties are missed
  • Cost — significantly more expensive than equivalent-scope audits
  • Specification effort — the team must articulate precisely what they want proven, and getting the specification right is itself difficult work
  • Compiler trust — verification at the Solidity level depends on the compiler being correct (cf. the Curve Vyper incident, Section 3.8.10)

When Formal Verification Is the Right Choice

  • High-TVL DeFi protocols where catastrophic-bug cost exceeds verification cost
  • Critical primitives (lending protocols, stablecoins, bridges) where solvency invariants must hold
  • Long-lived contracts that will not be regularly upgraded
  • Teams with the technical capacity to engage with specification work seriously

A Realistic Selection Matrix

For typical protocols at different lifecycle stages:

StageRecommended PathRationale
Pre-MVP (R&D phase)Internal review + Slither/MythrilNo audit budget yet; cleaning up obvious issues
MVP to testnetOne independent auditor or small firmFirst external eyes; ~$30-60K range
Testnet to mainnet (low TVL)Firm audit + Code4rena/Sherlock contestDefense in depth at the launch milestone
Mainnet, growing TVLBug bounty (Immunefi) + periodic firm re-audits on changesContinuous coverage + milestone validation
Mature, high TVLBug bounty + formal verification + contests on major upgradesMulti-modal coverage; the cost is justified
Cross-chain or bridgeMultiple firm audits + formal verification + contestBridges have produced the largest single-incident losses

The matrix is a starting point. The right answer depends on specifics: novelty of the protocol, team experience, TVL trajectory, regulatory context, and the team's risk tolerance.

Combining Audit Paths

The most resilient security programs combine paths rather than relying on one. A pattern that works well for mid-to-late stage DeFi protocols:

  1. Firm audit (Trail of Bits, Spearbit, or similar) for pre-launch deep review of core logic
  2. Contest (Code4rena or Sherlock) for breadth coverage post-firm-audit
  3. Bug bounty (Immunefi) for ongoing post-launch coverage
  4. Formal verification (Certora) for the most critical invariants
  5. Independent re-audits (a respected solo auditor) when major changes ship

Each layer catches different bugs. Each layer reinforces the others. The combined cost is higher than any single audit, but the combined coverage is what high-TVL protocols genuinely need.

Smaller protocols cannot afford all layers, and that's fine. The realistic minimum for a new mainnet launch is one firm or independent audit plus a bug bounty. Anything less than that is gambling.

What to Verify Before Signing Any Engagement

Regardless of audit path:

  • Specific researchers assigned. For firm audits and independents, ask exactly who will work on your code. Look them up on contest leaderboards and past audit reports.
  • Domain specialization. A firm great at EVM Solidity is not automatically right for Move, Cairo, or ZK circuits. Match the auditor to the stack.
  • Track record on similar codebases. Has this auditor reviewed similar protocols? Has their audited code been exploited post-audit?
  • Communication expectations. Weekly status calls? Slack channel? Response time SLAs?
  • Report format and delivery timeline. What does the deliverable look like? When does it land?
  • Fix verification policy. Is fix verification included in the original price? What's the timeline?
  • Public release terms. When (if ever) can the report be made public? Does the auditor want to retain rights to publish their findings?

These are negotiable. A team that doesn't negotiate them is leaving value on the table.

Cross-References

  • Audit prerequisites — Section 3.9.2 covers what to deliver to the auditor regardless of path chosen
  • During the audit — Section 3.9.4 covers the operational dynamics of an engagement
  • Post-audit remediation — Section 3.9.5 covers what to do with findings
  • Auditor's perspective — Book 4 covers the audit process from the security researcher's angle
  • SDLC integration — Section 2.3 covers where audits fit in the overall development lifecycle
  • Industry references — current platform and firm offerings shift; verify current state before engaging