Choices and Considerations

Not every project needs the same kind of audit, and not every audit budget is best spent on the same provider. The choices made before an engagement begins — what type of audit, who will perform it, when it slots into the development cycle, and how the results will be acted on — often have more impact on outcomes than any single review activity.

This section walks through those choices:

  • Audit types — new, repeat, fix, retainer, incident, and scoping/threat-model engagements, each suited to a different stage of the project lifecycle.
  • Phases of an audit — the typical arc from kickoff through threat modeling, manual review, dynamic analysis, reporting, remediation, and mitigation review.
  • Firms versus independent auditors — how the market is structured today, what each model is good at, and where their incentives sit.
  • Decentralized auditing and bug bounties — gamified contest platforms (Code4rena, Cantina, Sherlock, Hats.finance, Codehawks) and continuous bounty programs (Immunefi), and how they complement rather than replace traditional audits.
  • Cost considerations — what drives audit pricing, current market ranges, and how teams can extract maximum value from a fixed budget.
  • A guide to audit selection — practical guidance on matching the audit model to your project's stage, complexity, and risk profile.

A Decision Framework

Before committing to any one audit model, project teams should be able to answer a few questions:

  1. What is the maximum tolerable loss? A protocol holding $50M in TVL warrants a very different review depth than a pre-launch experiment.
  2. What is the current code maturity? Has the code been internally reviewed? Does it pass a thorough test suite? Has it been fuzzed?
  3. What is the deployment timeline? Contests need 1–4 weeks of execution and a few weeks of triage; firm engagements need 4–12 weeks plus remediation; bounties run continuously.
  4. Will the code keep changing? A protocol that ships upgrades every sprint benefits more from a retainer or continuous bounty than from a one-shot review.
  5. Who needs to be convinced? Investors, exchanges, and integrators often expect specific firms' attestations; users may value transparent contest results more.

The right answer is usually a combination: internal review and fuzzing → one or two private audits → a public contest → a continuous bug bounty after launch. The sections that follow detail each of these options and how to combine them effectively.