The smart contract audit market has exploded — there are now 100+ firms and platforms offering audit services. Quality varies enormously. Some firms deliver comprehensive reviews by seasoned security researchers. Others rubber-stamp a Slither output as an "audit." Choosing the wrong auditor can be worse than no audit at all — it creates false confidence.
Key Selection Criteria
1. Specialization Match
Does the auditor specialize in your protocol type? A generalist firm may miss DeFi-specific vulnerabilities that a specialized firm catches immediately.
- DeFi lending/borrowing → Look for experience with Aave/Compound-style protocols
- DEX/AMM → Experience with Uniswap/Curve-style contracts
- NFT/Gaming → ERC-721/1155 specific expertise
- Cross-chain/Bridge → Message verification and validator security
- Solana → Rust + Anchor framework expertise
2. Track Record
The critical question: have protocols audited by this firm been exploited after the audit? Check rekt.news and DeFiLlama's exploit database. No firm is perfect, but a pattern of post-audit exploits is a red flag.
3. Methodology Transparency
A good auditor explains their methodology clearly: what tools they use, how they prioritize findings, and what their review process looks like.
4. Team Quality
Ask about auditor experience: Do they have CTF experience? Bug bounty track records? Published research? Have they written exploit detectors?
5. Communication
Will they be available for questions during fixes? Do they explain why something is a vulnerability, not just that it is one?
Pricing Expectations
| Audit Type | Cost Range | Timeline |
|---|---|---|
| Automated scan only | $500-$2,000 | 24-72 hours |
| Small contract (<500 LoC) | $5,000-$20,000 | 1-2 weeks |
| Medium protocol (1K-5K LoC) | $20,000-$100,000 | 2-4 weeks |
| Large protocol (>5K LoC) | $100,000-$500,000+ | 4-12 weeks |
| Challenge-based (Vultbase) | $499-$18,000/mo | 24-72 hours |
Red Flags
- 🚩 "Guaranteed 100% secure" — No audit can guarantee this
- 🚩 Only uses automated tools with no manual review
- 🚩 Refuses to share sample reports
- 🚩 No published track record or CVEs
- 🚩 Extremely low cost relative to scope
- 🚩 24-hour turnaround for complex protocols (impossible for thorough review)
Need an audit that combines automated analysis with human expertise? Start with Vultbase — from $499/scan to enterprise-grade continuous monitoring.