Professional Crypto Audit Methodology Research

Research date: 2026-06-05 Purpose: Map professional audit firm methodologies to inform AI agent audit playbook design.

---

1. TRAIL OF BITS (Tier 1)

Source: https://www.trailofbits.com/services/software-assurance/blockchain/ (primary) Blog: https://blog.trailofbits.com/ (102 blockchain posts, Hugo-based, URL structure changed)

Phases / Service Tiers

Trail of Bits structures engagements as four distinct service offerings rather than a single linear pipeline:

1. Design Assessment -- Pre-code architecture review

   • System architecture and component specification analysis
   • Security analysis of deployment plans with incident response integration
   • Risk assessment of oracles, DeFi integrations, and upgradeability patterns
   • Strategic implementation of fuzzing, static analysis, and formal verification
   • Cryptographic and application security beyond standard blockchain risks

2. Early Stage Assessment -- For projects early in SDLC

   • Surface-level vulnerability detection in early-stage codebases
   • Decentralization analysis and upgradeability schema evaluation
   • MEV exposure analysis and oracle integration risk assessment
   • Testing coverage evaluation and monitoring system design
   • Protocol-specific security recommendations and best practices

3. Invariant Testing and Development -- Focused exclusively on invariants

   • System and function-level invariant identification with preconditions
   • Custom fuzzing initialization with minimal codebase disruption
   • CI/CD integration of fuzzing campaigns with cloud infrastructure
   • Hands-on developer training in invariant-driven testing methodologies

4. Comprehensive Code Assessment -- The full-scope review

   • Multi-language smart contract vulnerability analysis
   • Economic risk assessment including price manipulation and liquidation
   • VM security and cross-chain transaction validation for L1/L2
   • Bridge security with focus on cross-chain asset transfer validation
   • Off-chain component analysis and blockchain finality assumptions
   • Automated analysis tool integration and custom rule development

Tools Used

• Slither -- Static analysis framework for Solidity/Vyper (developed in-house)
• Echidna -- Property-based fuzzing for EVM (developed in-house)
• Medusa -- Next-generation fuzzer, successor to Echidna (developed in-house)
• Manticore -- Symbolic execution engine
• Crytic -- Continuous assurance platform
• Caracal -- Starknet-specific static analyzer
• Solana Lints -- Solana-specific analysis tooling
• test-fuzz -- Fuzzing framework integration

Manual vs. Automated Split

Not explicitly stated as a percentage. Their approach integrates tools deeply into the review:

• Automated analysis runs in CI/CD with custom rule development
• Invariant development is a dedicated service line
• Manual review covers economic risk, architecture, and "root cause" analysis
• Their blog categorizations: "static-analysis" (40 posts), "fuzzing" (53 posts), "symbolic-execution" (18 posts), "program-analysis" (23 posts)

Special Sauce

"We don't look to check boxes but discover the root causes of security weaknesses identified." They emphasize root cause analysis over checklist-based auditing. They pioneered invariant-driven development, having written invariants for over half a decade. Their tools (Slither, Echidna, Medusa) are industry standards. Cross-domain expertise -- they blend AI/ML, application security, blockchain, and cryptography seamlessly. "The power of collaboration and synthesis of knowledge across various fields."

Deliverables

• Public audit reports published at https://github.com/trailofbits/publications
• Reports cover: vulnerability findings, root cause analysis, architectural risks
• Example clients: Uniswap v4, Scroll, Offchain Labs, Discord, Microsoft
• "Building Secure Contracts" handbook available

Severity Framework

Not explicitly documented on their site. From public reports, they typically use a narrative structure with severity implications rather than rigid tiering.

Ecosystem Coverage

Ethereum, Optimism, Cosmos, Substrate, Solana, Starknet, TON, Aptos (Move)

Team Structure

• Software assurance team: experts in systems software, blockchain, cryptography
• Security engineering team: custom tool builders, remediation
• Research and development: high-end security research, zero-day discovery
• Multiple engineers per engagement

Pricing / Timeline

Not publicly disclosed. "Request a quote" model. Multiple engagement types available at different depth levels.

---

2. OPENZEPPELIN (Tier 1)

Sources: https://www.openzeppelin.com/security-audits (primary), blog, public reports

Phases / Service Tiers

OpenZeppelin has shifted from discrete audits to a Continuous Security Program model:

1. Architect -- Design review, threat modeling, security architecture advisory
2. Build -- Developer guidance during implementation, security patterns
3. Secure -- Audit/review of completed code
4. Support -- Ongoing monitoring, incident response, maintenance review

Traditional audit approach (still available):

• Scoping and proposal
• Code review (manual + automated)
• Vulnerability identification and classification
• Report delivery with findings and recommendations
• Fix review and verification

Tools Used

• Contracts Wizard -- Interactive smart contract generator with security defaults
• Upgrades Plugins -- Secure upgradeable contract deployment
• Contracts MCP -- AI-assisted secure contract building
• Monitor -- Observe smart contract activity
• Relayer -- Secure transaction sending
• Access Control -- Role and permission management
• Internal static analysis tools
• Fuzzing integration

Manual vs. Automated Split

Heavily manual-led with tool support. Their approach is architecture-first: understanding the system design before diving into code. They maintain the most widely used contract library (OpenZeppelin Contracts), which embeds security patterns directly.

Special Sauce

• Maintainers of the de facto standard smart contract library (OpenZeppelin Contracts)
• Shift from point-in-time audits to "Continuous Security Program" -- lifecycle approach
• Deep expertise in upgradeability patterns (Upgrades Plugins)
• Ethernaut CTF for security education
• Contracts Wizard codifies secure patterns automatically
• Strong focus on access control and permissions

Deliverables

• Detailed audit report with vulnerability classification
• Severity ratings for each finding
• Fix recommendations
• Fix review verification
• Public report archive available

Severity Framework

Standard Critical / High / Medium / Low / Informational framework. Severity considers both likelihood and impact.

Retesting

Fix review is a standard part of the engagement -- they verify remediations before final report.

Pricing / Timeline

Not publicly disclosed. The Continuous Security Program suggests retainer-based pricing for ongoing engagements.

---

3. CONSENSYS DILIGENCE (Tier 1)

Source: https://diligence.security/audits/ (primary), blog

Phases

From public audit reports and blog posts, the Diligence process follows:

1. Scoping -- Define codebase scope, timeline, and deliverables
2. Automated Analysis -- Run internal tools (Diligence Fuzzing, Napalm)
3. Manual Review -- Line-by-line code review, architecture analysis
4. Report -- Findings with severity, impact, and fix recommendations
5. Fix Review -- Verification of remediations

Tools Used

• Diligence Fuzzing -- Proprietary fuzzing platform (supports Foundry projects)
• Napalm -- Detection module IDE for building custom multi-tool detectors
• EthTrust -- Smart contract security standard (EEA EthTrust Security Levels Specification)
• Internal static analysis suite

Manual vs. Automated Split

Their blog emphasizes tool-building heavily: "You're missing out! If you're not writing detection modules." The Napalm tool is specifically designed to help auditors write custom detection modules. This suggests automated analysis is deeply integrated but custom-tailored per engagement.

Special Sauce

• "Securing Ethereum Smart Contracts since 2017"
• Napalm -- custom detector IDE, unique in the industry
• EthTrust -- contributing to formal industry security standards via EEA
• Deep integration with MetaMask and Linea (Consensys ecosystem)
• Academic publications and research on fuzzing, ZK, formal methods

Deliverables

• Public audit list at diligence.security/audits/
• Reports include: vulnerability description, severity, impact, PoC, fix recommendation
• Fix review verification

Severity Framework

Standard tiered severity (Critical/High/Medium/Low/Informational) Blog mentions "Benchmarking Smart-Contract Fuzzers" -- data-driven approach

Blog Topics (from listing)

• How to write robust and sustainable smart contracts
• Audit contest analytics and economics
• Fuzzing benchmarking
• ZK proving system security (Halo2)
• Reproducing exploits (DeusDao) with Diligence Fuzzing

---

4. SPEARBIT / CANTINA (Tier 1)

Source: https://cantina.xyz/ (Spearbit has merged into Cantina) Note: Spearbit now lives on Cantina as of ~2025.

Service Types (from Cantina homepage)

• Web3 Security Audits
• Smart Contract Reviews
• Penetration Testing
• Bug Bounty Programs
• Security Competitions
• Managed Detection and Response
• Incident Response
• Advisory Services

Special Sauce

• "AI-Native Security, Backed by Human Expertise"
• End-to-end approach: from depth of reviews, to competition process, to bounty facilitation
• Testimonials from Uniswap Labs (v4 launch), Euler, etc.
• Spearbit pioneered the competitive audit network model where multiple independent auditors review code simultaneously

Clients (from testimonials)

Uniswap Labs, Euler

Key Features

• Security competitions (inherited from Spearbit's competitive model)
• Bug bounty programs
• Managed detection and response (ongoing security)
• Advisory services

---

5. CODE4RENA (Tier 1 - Competitive Platform)

Source: https://docs.code4rena.com/ (GitBook docs)

How Contests Work

"Community-driven competitions for smart contract audits." C4 is a competitive audit platform, not a traditional firm.

Roles:

• Wardens -- Security researchers who review, audit, and analyze codebases for vulnerabilities. Compete for bounties.
• Sponsors -- Projects that create prize pools to attract wardens to audit their project.
• Judges -- Decide the severity, validity, and quality of findings and rate warden performance.

Process Flow

1. Sponsor submits codebase and sets prize pool
2. Contest period opens (typically 3-10 days)
3. Wardens find and submit vulnerabilities
4. Judges evaluate findings: severity, validity, quality
5. Awards distributed from prize pool based on finding quality
6. Sponsor receives report aggregating all findings

Judging Criteria

From docs.code4rena.com/awarding/judging-criteria:

• Findings classified by severity (High, Medium, Low/QA, Gas)
• Judges determine validity (legitimate vulnerability vs. non-issue)
• Quality assessment: clear description, impact analysis, PoC code, fix recommendation
• Warden performance rated by judges

Severity Framework

• High -- Assets can be stolen/lost, funds directly at risk
• Medium -- Protocol functionality disrupted, indirect risk
• Low / QA -- Code quality issues, best practices
• Gas -- Gas optimization suggestions (C4-specific category)

Prize Pools

Variable per contest. Top wardens earn significantly more. Model: winner-takes-most with tiered distribution.

Advancement System

Wardens advance through roles based on performance metrics from judged contests.

Key Difference from Traditional Audits

• Multiple auditors (wardens) compete simultaneously
• Prize pool model instead of fixed fee
• Contests are time-boxed (days, not weeks)
• Public and transparent process
• Community rating system for auditors
• Zellic announced (June 2025): "Code4rena will run audit contests for free"

---

6. ZELLIC (Tier 2)

Source: https://www.zellic.com/services (primary), https://www.zellic.com/blog

Methodology (from services page)

"Full vulnerability research process: We assume an attacker mindset when approaching your code. That includes attack surface enumeration, static analysis, manual review, and dynamic analysis."

Process Phases:

1. Attack surface enumeration
2. Static analysis
3. Manual review
4. Dynamic analysis

Staffing:

• Multiple engineers per engagement (substantially increases assurance)
• Engagement Managers for quality control layer

Specializations

1. EVM (Ethereum Virtual Machine) -- "We look past just the application layer to dive deep into EVM implementation details. We're not just familiar with EVM bytecode and assembly, we dig through Geth source code to get to the bottom of arcane quirks and edge cases."

   • Clients: LayerZero, SushiSwap, StarkWare, Wormhole, PancakeSwap, Wintermute, Pyth, Scroll, Biconomy, Ambient Finance, Ethena, Beefy Finance, Mantle
   • Reviews from 20 LoC to tens of thousands of lines

2. Zero-Knowledge Circuits -- Dedicated ZK team. Review circuits in Circom and Halo2. Clients: Scroll, Axiom, Nocturne, Polyhedra. Active original research on ZK security.

3. Web Application Security -- Full stack: Go, Rust, React, Electron. CTF/bug bounty background. Discovered vulnerabilities in US DoD, Github, Yahoo, Shopify, PayPal, Adobe, CrowdStrike, Amazon, Bitfinex. Found novel DNS rebinding bug in Geth.

4. Applied Cryptography -- Wallets, MPC, SSS, EOAs, multisig, enclave solutions, social login. Reviewed: Aptos IdentityConnect, Pontem, Avara (Aave Lens), Privy.

5. Secure Enclaves, TEEs, and Trusted Computing

6. Formal Verification, Static Analysis, and Fuzzing

7. L1s, L2s, and Roll-Ups

8. Cross-Chain Apps

9. DeFi Primitives

10. Aptos and Sui (Move)

11. Cosmos

12. Solana

Tools

• V12 -- Announced Sept 2025: "V12 finds critical bugs consistently and automatically. We'll be releasing it for free." (Static analysis / vulnerability discovery tool)
• Uses static analysis, fuzzing, and formal verification as part of their approach

Special Sauce

• "Multiple engineers per engagement" -- unlike many firms that assign 1-2 auditors
• "We assume an attacker mindset" -- offensive security background
• Deep dive into EVM internals and Geth source code
• ZK specialization with dedicated team
• Forky -- open source tool (named in footer)

Blog Topic Highlights

• "Choosing an Audit Competition: How to Spot Snake Oil" (April 2025)
• "Enumerating All 69,788,231 Ethereum Contracts" (May 2025)
• TON Security Primer series
• Fuzzing to Zero-Day research
• Bitcoin Scripting System survey
• "Choosing a DeFi Protocol: Risks, Red Flags, and Recommendations"

Team

CTO: Jasraj Bedi (found novel DNS rebinding bug in Geth, 2018) Named researchers: Sakura, Lime, Bryce, Philip, BaarkingDog, Sylvain Pelissier, Luna Tong, Rainier Wu, Gunhee, Avi Weinstock, Nipun

---

7. HALBORN (Tier 2)

Source: https://halborn.com/

Services (from website extraction)

Assurance Services:

• AI Security Assessment
• Smart Contract Assessment -- "Securing code integrity, protecting digital assets"
• Blockchain Layer 1 Assessment -- "Assessing protocols, securing blockchain foundations"
• Code Security Audit -- "Uncovering flaws, strengthening software integrity"
• Web Application Penetration Testing -- "Exposing weaknesses, fortifying digital defenses"
• Cloud Infrastructure Penetration Testing -- "Securing configurations, protecting critical environments"
• Red Team Exercise -- "Simulating real-world attacks, strengthening defenses"

Advisory Services:

• Blockchain Architecture Assessment -- "Optimizing architecture for tomorrow's networks"
• Compliance Readiness -- "Stay ready as regulations evolve"
• Custody and Key Management Assessment -- "Securing the heart of digital custody"
• Technical Due Diligence -- "See the risks before you invest"
• Technical Training -- "Empower your teams to secure what matters"

Special Sauce

• Blockchain Vulnerability Scoring System -- Proprietary vulnerability classification
• Covers full spectrum: smart contracts, L1 protocols, web apps, cloud, AI, red team
• "The trusted security advisor for blockchain and financial services industries"
• All latest vulnerabilities published by Halborn
• Monthly Halborn Digest (blog, videos, whitepapers, webinars, interviews)
• "Committed to Protecting Your Data" / "Service Commitments" emphasis on confidentiality

---

8. CERTIK (Tier 2)

Source: https://www.certik.com/

Methodology (from FAQ on homepage)

CertiK uses a three-pronged approach:

1. AI -- Automated vulnerability detection
2. Formal Verification -- Mathematical proof that software behaves exactly as intended under all possible conditions. "Eliminates entire classes of vulnerabilities that traditional testing methods may miss."
3. Expert Manual Review -- Human auditors

Services

• Smart contract audits
• Penetration testing
• Formal verification
• Real-time security monitoring via Skynet (security scores, risk analytics, due diligence data)
• Compliance and AML solutions via SkyInsights
• KYC verification
• Bug bounty programs
• Layer 1 chain audits
• Proof of Reserves audits
• DLT security solutions for enterprises

Scale

• 5,096+ clients
• $498 billion+ in assessed market cap
• 1.8 million monthly Skynet users
• Supports all major blockchains: Ethereum, BNB Chain, Bitcoin, TON, Cosmos, Cardano, Aptos, Algorand, Sui, Kaia
• Languages: Solidity, Rust, Move

Special Sauce

• Founded by professors from Columbia and Yale (2018)
• Skynet -- real-time security monitoring platform (big data approach)
• Combines AI + formal verification + manual review
• Largest scale in the industry by client count
• Chain-agnostic
• Proof of Reserves audits

Reputation Considerations

Note: CertiK has faced criticism in the security community regarding audit depth and quality consistency at their scale. However, their documented methodology (AI + formal verification + manual review + monitoring) represents an interesting model of scaled security.

---

9. QUANTSTAMP (Tier 2)

Source: https://www.quantstamp.com/ (limited extraction due to JS-heavy site)

From Available Data

• Services include: smart contract audits, protocol security
• "Securing the Future of Web3"
• Request-audit model with form including: project description, GitHub link, suggested meeting time
• Webflow-based site, heavily reliant on JavaScript

Known Industry Position

• One of the earliest blockchain audit firms
• Known for automated scanning combined with manual review
• Has audited major DeFi protocols
• Maintains a network of auditors

---

10. VERIDISE (Tier 2 - ZK-Focused)

Source: https://www.veridise.com/services/

Methodology (extracted from services page)

Process Phases:

1. Scope Assessment -- "Our experts assess the scope of the audit: We check the source repository and set key requirements to be verified."
2. Formalization and Automated Analysis -- "Our team formalizes key properties of your project and utilizes our proprietary analysis tools to check for common vulnerabilities and deeper logical bugs."
3. Report Delivery -- "We deliver a detailed audit report summarizing our findings and recommendations. Our reports include any uncovered vulnerabilities, their potential impact, and mitigation strategies."
4. Fix Verification -- "Our clients' teams fix discovered bugs and vulnerabilities. The Veridise team then verifies the new code to ensure it is secure."
5. Final Report -- "Once all bug fixes are verified, we issue a final audit report."

Services

• Zero Knowledge Audits -- Circuits, zkVMs
• zkVM Application Audits
• Smart Contract Audits
• L1/L2 Blockchain Audits
• Web3 Wallets and Integrations

Tools

• ZK Vanguard -- Proprietary static analyzer for zero-knowledge circuits
• In-house detection tools (team of security experts devoted solely to tool development)
• Formal verification tools

Special Sauce

• "Industry-leading tooling: Besides rigorous human auditing, a large part of our security experts are solely focused on developing our in-house detection tools"
• "Latest research insights: Our success stems from integrating cutting-edge academic research with practical industry experience. Many Veridise team members have a PhD background in formal methods."
• "Confidentiality and report ownership: We uphold the confidentiality of the audit report... Additionally, our reports become fully yours upon completion of the audit, unlike with some other providers."
• ZK specialization -- unique positioning
• "We've identified more than 100 high-severity vulnerabilities"
• "We have a track record of identifying critical vulnerabilities in protocols and projects that other security companies and auditors missed."

Clients

Risc Zero, Succinct, Linea

---

11. GUARDIAN AUDITS (Tier 2)

Source: https://www.guardianaudits.com/

Services (from homepage)

• Audits & Pentests
• Monitoring & Defense
• OpSec
• Risk & Compliance

Includes Guardian Sentry -- a specific audit product now available for protocol teams.

Special Sauce

• "Best-in-class security for onchain organizations"
• $44.9B+ in digital assets secured (counter on homepage)
• "Guardian's commitment to high quality audits, keeping up with industry best practices and alignment between the auditors and the protocol has led to them being a highly valuable partner" -- GMX testimonial
• "They are on a mission to become the best auditors out there. They don't need much guidance and understand the codebase quickly." -- Abracadabra Money
• "We've worked with a variety of audit shops before. Some are complete nightmares. But Guardian has been a delight to work with." -- Buttonwood
• "Within just a few days, they uncovered all issues, and their rapid review of fixes further underscores their efficiency." -- Orderly Network
• "Guardian has an impeccable eye to detail and goes above and beyond to ensure that the code is watertight. They are able to assess super advanced Solidity inline-assembly with ease." -- Solady
• "Having seen many audits over many years, no one even comes close to Guardian's approach, and the quality of the audit is unmatched." -- Azuki

Clients (from testimonials)

GMX, Jupiter, Umami Finance, Abracadabra Money, Buttonwood, Gamma, Orderly Network, Poolshark, Dolomite, USDT0, NFTY Finance, Magna, Tenor, Sentiment, MUX, YugaLabs, Azuki

Key Differentiator

Rapid turnaround ("within just a few days"), deep DeFi expertise (especially derivatives), attention to advanced Solidity (inline assembly).

---

12. LEAST AUTHORITY (Tier 3 - Privacy/Specialized)

Source: https://leastauthority.com/

Focus

"We believe that people have a fundamental right to privacy and that the use of secure solutions enables people to more freely use the Internet and other connected technologies."

Known Industry Position

• Specializes in privacy-focused protocols (Zcash, etc.)
• Deep cryptographic expertise
• Long history of blockchain security audits (since ~2015)
• Known for thorough, academically rigorous audits
• Services include: security audits, design consulting, cryptographic review

Notable Audits

Zcash, Ethereum 2.0 components, various privacy protocols, distributed storage systems

---

13. NCC GROUP (Tier 3)

Known Industry Position

• Large traditional cybersecurity firm with a crypto practice
• Applies enterprise-grade security assessment methodology to blockchain
• Services: smart contract audits, protocol security, cryptographic review
• Cross-domain expertise from traditional security domains

---

14. KUDELSKI SECURITY (Tier 3)

Known Industry Position

• Traditional security firm with blockchain practice
• Expertise in applied cryptography and hardware security
• Services: smart contract audits, blockchain protocol security, cryptographic implementation review

---

COMPETITIVE AUDIT PLATFORMS

Code4rena (Covered in Detail Above)

• Competitive audit contests
• Wardens, Sponsors, Judges roles
• Severity: High / Medium / Low-QA / Gas
• Time-boxed contests (3-10 days)
• Prize pool model

Sherlock

• Audit contest platform
• Similar competitive model to Code4rena
• Focus on DeFi protocols
• Escrow-based prize pools
• Judging process with Sherlock judges

Immunefi

• Bug bounty platform (not audit firm)
• Projects list bounties for vulnerability disclosure
• Differs from audits: ongoing, reactive, no guaranteed coverage
• Payouts for discovered vulnerabilities
• Used as complement to audits, not replacement

Hats Finance

• On-chain audit competitions
• Decentralized bounty and audit infrastructure
• Permissionless audit participation
• Smart contract-governed prize distribution

Cantina.xyz

• Absorbed Spearbit
• AI-native security platform
• Security competitions, audits, bug bounties
• Managed detection and response

Audit Wizard

No widely documented public methodology found. May be a tool rather than a firm.

---

AUDIT STANDARDS AND FRAMEWORKS

Solcurity Standard (Complete)

Source: https://github.com/transmissions11/solcurity

An opinionated security and code quality standard for Solidity smart contracts. Based on work by BoringCrypto, Mudit Gupta, Runtime Verification, and ConsenSys Diligence.

General Review Approach (the standard's recommended process):

1. Read the project's docs, specs, and whitepaper to understand what the smart contracts are meant to do.
2. Construct a mental model of what you expect the contracts to look like before checking out the code.
3. Glance over the contracts to get a sense of the project's architecture. Tools like Surya can come in handy.
4. Compare the architecture to your mental model. Look into areas that are surprising.
5. Create a threat model and make a list of theoretical high-level attack vectors.
6. Look at areas that can do value exchange. Especially functions like transfer, transferFrom, send, call, delegatecall, and selfdestruct. Walk backward from them to ensure they are secured properly.
7. Look at areas that interface with external contracts and ensure all assumptions about them are valid.
8. Do a generic line-by-line review of the contracts.
9. Do another review from the perspective of every actor in the threat model.
10. Glance over the project's tests + code coverage and look deeper at areas lacking coverage.
11. Run tools like Slither/Solhint and review their output.
12. Look at related projects and their audits to check for any similar issues or oversights.

Checklist Categories (with element counts):

• Variables (V1-V10): visibility, packing, types, documentation
• Structs (S1-S3): necessity, packing, documentation
• Functions (F1-F19): visibility modifiers, checks-effects-interactions, front-running, parameters, naming
• Modifiers (M1-M3): storage updates, external calls, documentation
• Code (C1-C51): arithmetic, gas, assembly, signatures, randomness, patterns. The largest section.
• External Calls (X1-X8): necessity, reentrancy, error handling, gas
• Static Calls (S1-S4): necessity, view marking, DoS
• Events (E1-E6): indexing, documentation, emission
• Contract (T1-T12): license, inheritance, events, natspec, imports
• Project (P1-P5): license, unit testing, fuzzing, symbolic execution, Slither/Solhint
• DeFi (D1-D11): oracle manipulation, token standards (rebasing, fee-on-transfer, ERC-777), AMM assumptions, internal accounting vs. actual balances

Total: ~130+ checklist items

DeFi Threat Matrix

Source: https://github.com/sambacha/defi-threat-matrix "MITRE ATT&CK Adapted for Decentralized Finance" Currently V2 - WIP. Original V1 available as Google Sheet. Maps traditional threat modeling to DeFi context.

SCSVS (Smart Contract Security Verification Standard)

Source: Not found at the expected GitHub URL (ComposableFi/SCSVS -- 404). May have moved or been removed. Conceptually modeled after OWASP ASVS but for smart contracts. The community has produced multiple derivatives.

Public Checklists

• Rari-Capital / Fei Audit Checklist: Widely referenced community checklist, incorporated into Solcurity
• Yield Protocol Audit Checklist: Community checklist, similar scope
• BoringCrypto's checks.txt: Original checklist that inspired Solcurity (from SushiSwap bentobox repo)
• ConsenSys Smart Contract Best Practices: Widely referenced, covers attacks and mitigations
• Runtime Verification's List of Security Vulnerabilities: Academic approach to vulnerability classification

EIP/ERC Security Considerations

The Ethereum EIP process requires a "Security Considerations" section for certain EIP types. This has become a de facto standard for documenting security properties of new protocol features.

---

CONSENSUS AUDITOR METHODOLOGY (SYNTHESIS)

The Common Pattern Across All Firms

Synthesizing across all 14+ firms and standards, the following represents the industry consensus best-practice audit workflow:

Phase 0: Pre-Engagement

• Scoping: Define codebase scope, timeline, deliverables, and fee
• NDA / Legal: Confidentiality agreements, report ownership terms
• Kickoff Meeting: Align on expectations, communication channels, access

Phase 1: Reconnaissance and Understanding

1. Documentation Review: Read whitepaper, docs, specs, architecture diagrams
2. Mental Model Construction: Build expectation of what the system should do
3. Architecture Analysis: Understand contract relationships, inheritance, dependencies
4. Threat Modeling: Create actor-based threat model, enumerate attack vectors
5. Codebase Familiarization: Initial pass through the codebase, use Surya/diagramming tools

Key Principle: Understand intent before auditing implementation.

Phase 2: Automated Analysis

Run all applicable tools:

1. Static Analysis: Slither, Aderyn, Mythril, Semgrep, CodeQL, proprietary tools
2. Fuzzing: Echidna, Medusa, Foundry fuzz tests, Diligence Fuzzing
3. Symbolic Execution: Manticore, Mythril, Halmos
4. Formal Verification: Certora Prover, K Framework, Coq (for critical components)
5. Linting: Solhint, linters
6. Gas Analysis: Gas reporters, optimization checkers

Key Principle: Tools catch patterns; humans catch logic.

Phase 3: Manual Review

This is the core of every professional audit. Multiple passes:

1. Line-by-Line Review: Every line of in-scope contracts
2. Data Flow Analysis: Track value through the system
3. External Call Analysis: Every interaction with external contracts
4. Economic/Game Theory Review:
   • Price manipulation vectors
   • Oracle manipulation
   • MEV exposure
   • Liquidation mechanisms
   • Incentive alignment
5. Access Control Review: Role/permission mapping
6. Upgradeability Review: Proxy patterns, storage collisions, initialization
7. Cross-Chain Review: Bridge security, message verification
8. DeFi-Specific Review:
   • Token standard compatibility (ERC-777 reentrancy, fee-on-transfer, rebasing)
   • AMM oracle manipulation
   • Flash loan attack vectors
   • Internal accounting vs. actual balances
   • Rounding/precision direction

Key Principle: Multiple perspectives -- code, architecture, economic, adversarial.

Phase 4: Invariant Development and Testing

Common among top-tier firms:

1. Document system invariants (properties that must always hold)
2. Write invariant tests (Foundry, Echidna, Certora)
3. Develop property-based tests
4. Create PoC exploits for suspected vulnerabilities

Key Principle: Prove what must never break.

Phase 5: Exploit Development (PoC)

1. For each suspected vulnerability, develop a proof of concept
2. Test against local fork or testnet
3. Confirm exploitability and impact
4. Document exact steps to reproduce

Key Principle: Never report a finding you cannot prove.

Phase 6: Reporting

Standard report structure across firms:

1. Executive Summary: High-level findings, overall security posture
2. Engagement Overview: Scope, timeline, methodology, team
3. Findings: Each with:
   • Title and severity rating
   • Description of the vulnerability
   • Impact analysis (what can an attacker do)
   • Proof of concept (code or step-by-step)
   • Recommended fix
   • References (SWC, OWASP, CWE mappings)
4. Informational/Observational Findings: Code quality, gas optimizations, best practices
5. Appendix: Tool outputs, test results, methodology details

Phase 7: Fix Review

1. Client implements fixes
2. Auditor reviews each fix
3. Verification that fix resolves the issue and introduces no new issues
4. Iterative until all critical/high findings are resolved
5. Final report issuance

Severity Classification Consensus

The industry has converged on a 5-tier system:

Tier	Name	Definition
Critical	Critical	Direct loss of funds, no preconditions, high likelihood
High	High	Loss of funds with some preconditions, or critical functionality broken
Medium	Medium	Indirect risk, DoS under specific conditions, incorrect behavior
Low	Low	Best practice violations, minor issues, unlikely exploitation
Info/Gas	Informational	Code quality, gas optimizations, documentation

Some firms use 4 tiers (Critical/High/Medium/Low) with informational handled separately. Code4rena uniquely separates Gas as its own category.

Team Structure Consensus

• Lead Auditor: Primary reviewer, most experienced
• Supporting Auditor(s): Second reviewer, fresh eyes
• Engagement Manager: Client communication, timeline management
• Quality Reviewer: Reviews findings before client delivery (some firms)

Top firms use minimum 2 engineers per engagement. Some (Zellic, Trail of Bits) explicitly mention multi-engineer staffing.

Timeline Consensus

• Small audit (simple token, simple staking): 1-2 weeks, 1-2 auditors
• Medium audit (AMM, lending protocol): 2-4 weeks, 2-3 auditors
• Large audit (complex DeFi, L1/L2, bridge): 4-8 weeks, 3+ auditors
• Competitive contests (C4): 3-10 days, dozens of wardens

Pricing Model Indicators

• Most firms use fixed-fee quoting based on scope/complexity
• Not typically per-line pricing (codebases vary widely in complexity per line)
• Competitive contests use prize pool model
• Some firms offer retainer-based continuous security programs (OpenZeppelin)

Tooling Consensus

The tools every firm mentions or implies:

1. Slither (static analysis) -- near-universal
2. Foundry (testing framework) -- has replaced Hardhat for security testing
3. Echidna/Medusa (fuzzing) -- Trail of Bits tools, widely adopted
4. Mythril (symbolic execution) -- commonly referenced
5. Certora Prover (formal verification) -- for high-assurance components
6. Custom/proprietary tools -- every top firm builds their own

The Meta-Pattern: What Makes a Great Audit

Across all firms, the distinguishing factors are:

1. Understanding Intent Before Auditing Code -- Read docs, build mental model, then look at implementation
2. Multiple Perspectives -- Code review + architecture review + economic review + adversarial review
3. Proof Over Assertion -- PoC exploits, not theoretical concerns
4. Tool-Assisted but Human-Led -- Tools find patterns, humans find logic bugs
5. Invariant-Driven -- Define what must never break, then try to break it
6. Root Cause Focus -- Don't fix symptoms, fix the design flaw
7. Multi-Auditor -- Second set of eyes is non-negotiable
8. Continuous, Not Point-in-Time -- The shift from discrete audits to ongoing security programs

Implications for AI Agent Design

Based on this research, an AI crypto audit agent should:

1. Implement the Phase 0-7 pipeline as its core workflow
2. Run automated tools first (Slither, Aderyn, etc.) and parse outputs
3. Apply the Solcurity checklist systematically (130+ items)
4. Generate invariants and test them via Foundry/Echidna
5. Cross-reference against vulnerability taxonomies (SWC registry, DeFi Threat Matrix)
6. Produce structured findings with severity, impact, PoC, and fix recommendation
7. Support fix review by diffing remediations against original findings
8. Maintain a threat model per engagement, enumerating actors and attack vectors
9. Apply the "attacker mindset" -- not just checklists but creative exploitation pathways
10. Map findings to standards (SWC, CWE, OWASP, SCSVS)