Quotation Checklist

Jun 6, 10 min read

How do I personally quote for an audit? Below you will find a short checklist of what should be considered when quoting smart contract audits. So far, I have quoted 300-400+ projects myself.

First of all, as a project founder or developer you should directly decline any auditor that quotes based on SLOC alone. The only case where SLOC is a useful metric is a re-quote: if you have already quoted a project and the team has since refactored the contracts without introducing new logic, you can partially rely on your previous quote and adjust it based on the SLOC change. For a fresh scope, line count tells you almost nothing about the work involved.

With that out of the way, let's come to the really important topic:

The complexity and security of a smart contract are not necessarily proportional to its length. A good quote reflects a deep understanding of the contract's functionality, its potential vulnerabilities, and the number of state transitions it can go through. Let's break down the essential components of an accurate quote:

1. Understanding the Contract's Purpose

The initial step is a quick pass to identify what the contract aims to achieve. This understanding is foundational because you need to know which sections matter and how much time to allocate to each of them. A vault-style protocol faces different risks and complexities than a simple NFT marketplace. This phase may include discussions with the development team to clarify intentions and expectations, and it is also where you learn whether the scope you were sent is actually complete.

2. Math-Heavy Sections

Smart contracts often incorporate sophisticated mathematical models, and these require precise validation. Such sections are critical because even minor inaccuracies, a rounding error or an off-by-one in a formula, can lead to significant vulnerabilities. A lot of time should be allocated to these parts.

3. Reviewing Algorithms

Similar to the previous part, algorithms demand careful analysis and time allocation. This scrutiny not only ensures their correct implementation but also evaluates their resilience against attack vectors. Special attention is required to verify that these algorithms perform as expected under a wide range of conditions. Creativity plays a particular role here: you want to validate these mechanisms against extreme boundaries, not just the happy path.

4. Evaluating External Integrations

Contracts rarely operate in isolation. They interact with other contracts, protocols, and external data sources such as oracles. Each interaction point introduces potential vulnerabilities, especially when you consider the full call-flow and the edge cases of the protocols being integrated. The audit must simulate a variety of interaction scenarios to identify weaknesses effectively, which takes a lot of time, and it requires that the auditor understands the integrated protocol, not just the contract that calls it.

5. Assessing Contract Modes

Many smart contracts include governance mechanisms that allow parameters to be modified or that move the contract into another "phase" (paused, migrating, settlement, emergency withdrawal, and so on).

Each mode can significantly alter the contract's behavior and its interaction with other components. It is crucial to audit these modes comprehensively: understand the implications of each possible state or mode on the contract's security and functionality, and check what happens at the transitions between them.

Crafting the Quote

Given the complexity outlined above, the approach to quoting has to reflect a thorough and time-intensive audit process. It is essential to allocate sufficient time to explore each of these areas deeply. This methodical approach is what sets apart more experienced auditors from those less familiar with the work. Less experienced auditors may not only quote less because they are less known; more importantly, they might not realize what needs attention (and what does not). This is exactly where this post aims to help: to raise awareness of what matters.

When formulating your quote, consider:

Time Allocation: Estimate the time required for each section of the audit and sum them, rather than starting from a total and dividing it up. You do not want to be the one who underquoted a scope and then did a bad job.

Expertise Required: Factor in the need for specialized knowledge, particularly for algorithms and math-heavy sections. Interactions with external protocols rely on proper knowledge of the underlying protocol, so account for the time it takes to get up to speed on it.
