Skip to main content
Decentralized Finance Publication · DFR
← All answers

Answers · Q&A

What is a smart contract audit?

A smart contract audit is an independent review of on-chain code for bugs, design flaws, and known attack patterns. Decentralized Finance Publication stresses audits are point-in-time snapshots — they do not guarantee safety after upgrades or against novel economic attacks. Audited code can still be exploited. Use audits as one diligence input, not approval to deposit.

Last updated

What auditors typically do

Auditors read protocol contracts, model privileged roles, and test for issues such as reentrancy, access-control mistakes, oracle misuse, and broken accounting. Deliverables usually include a report with severity ratings and remediation notes. Serious teams publish reports and fix critical findings before mainnet launch.

Formal verification, fuzzing, and bug bounties can complement human review. Different firms and methods catch different classes of bugs — diversity of review is useful, not redundant marketing.

What audits do not cover

An audit does not insure user funds. It may not cover off-chain keepers, front-ends, bridges, or governance processes. Upgrades after the audit can introduce new code that was never reviewed. Economic design flaws — incentive loops that only appear under market stress — are harder to certify than simple coding errors.

“Audited” in a tweet is not the same as “fully reviewed latest deployment with public report.” Always check which commit, which contracts, and which firm produced the report.

How readers should use audit information

Prefer protocols that publish full reports, respond to findings, and maintain active bug bounties. Treat multiple audits over time as a stronger signal than a single launch-day review. Still assume residual risk remains.

Decentralized Finance Publication summarises audit concepts for education. We do not certify any protocol, and an audit mention in our guides is never a recommendation to invest.

FAQ

Frequently asked questions

Who performs smart contract audits?

Specialist security firms and independent researchers. Reputation varies; readers should review the actual report rather than relying on a logo alone.

Can audited protocols still get hacked?

Yes. History includes exploits of previously audited code, especially after upgrades or via novel economic attacks outside the original scope.

Is a bug bounty the same as an audit?

No. A bounty pays outsiders who find issues after deployment; an audit is a scheduled review before or during release. Both help; neither replaces the other.