Quotation Checklist

How do I personally quote for an audit? In the following you will find a little checklist of what should be considered when quoting contracts. So far, I have quoted 300-400+ projects myself.

First of all, as a project founder and developer you should directly decline any auditor that quotes based on SLOC. The only good metric where SLOC can be used is if you have already quoted a project and they have refactored contracts but not necessarily introduced new logic. In such a scenario you could partially rely on your previous quote and adjust the new quote based on the SLOC change.

However, let's come to the really important topic:

The complexity and security of a smart contract is not necessarily proportional to its length. A good quote reflects a deep understanding of the contract's functionality, potential vulnerabilities, and the amount of state transitions. Let's break down the essential components for an accurate quote:

1. Understanding the Contract's Purpose

The initial step involves a quick check to identify what the contract aims to achieve. This understanding is foundational because you need to know which sections are important and how much time to allocate to each section. A vault-style protocol faces different risks and complexities than a simple NFT marketplace. This phase might include discussions with the development team to clarify intentions and expectations.

2. Math-Heavy Sections

Smart contracts often incorporate sophisticated mathematical models, which require precise validation mechanisms. These sections are critical because even minor inaccuracies can lead to significant vulnerabilities. A lot of time should be allocated to these parts.

3. Reviewing Algorithms

Similar to the previous part, algorithms demand careful analysis and time allocation. This scrutiny ensures not only their correct implementation but also evaluates their resilience against attack vectors. Special attention is required to verify that these algorithms perform as expected under a wide range of conditions. Creativity plays a particular role here: you want to validate these mechanisms against extreme boundaries.

4. Evaluating External Integrations

Contracts rarely operate in isolation. They interact with other contracts, protocols, and external data sources. Each interaction point introduces potential vulnerabilities, especially when considering the full call-flow and edge cases from interacting protocols. The audit must simulate various interaction scenarios to identify weaknesses effectively. This takes a lot of time.

5. Assessing Contract Modes

Many smart contracts include governance mechanisms that allow parameters to be modified or simply move the contract into another “phase”.

Each mode can significantly alter the contract's behavior and interaction with other components. It's crucial to audit these modes comprehensively, understanding the implications of each possible state or mode on the contract's security and functionality.

Crafting the Quote

Given the complexity outlined, the approach to quoting emphasizes the need for a thorough and time-intensive audit process. It's essential to allocate sufficient time to explore each of these areas deeply. This methodical approach is what sets apart more experienced auditors from those less familiar. Less experienced auditors may not only quote less because they are less known; more importantly, they might not realize what needs attention (and what does not). This is exactly where this post aims to help: to raise awareness of what's important.

When formulating your quote, consider:

Time Allocation:
Estimate the time required for each section of the audit. You don’t really want to be the one who underquoted a scope and then did a bad job.

Expertise Required:
Factor in the need for specialized knowledge, particularly for algorithms and math-heavy sections. Interactions with external protocols rely on proper knowledge of the underlying protocol.