We have compiled an updated list of the top performing blockchain security and smart contract auditing companies in 2022, giving you comprehensive data and history of these firms for you to make the best informed decision possible.
Why Do Smart Contract Auditors Matter?
A lot has happened since 2020 when we last ranked the best smart contract auditors at the time. As the crypto space is evolving, so are hackers and scammers around the world. Web3 attacks are becoming increasingly frequent, and each day malicious players have found creative ways to exploit smart contract vulnerabilities for quick profit.
One of the largest crypto hacks in history happened earlier this year when Wormhole, Solana’s cross-chain bridge, was hacked on February 2nd. The attack exploited a signature verification vulnerability in the network that allowed the hacker to freely mint 120,000 wETH, worth $325 million at the time. As a result, security audits are extremely important. According to an article by Hacken, though Solana may be blamed for providing the instrument with security flaws to its projects, Wormhole might have “prevented the incident by auditing the instruments it used.”
Quality smart contract assurance helps identify potential issues, and ensure that the protocol is ready at all times to address any threat that could put its users’ funds at risk. However, there are no guarantees that a protocol will be 100% secure after an audit, but a good smart contract auditor can still perform thorough reviews to potentially prevent major vulnerabilities after launch. To keep up with the increasing demand in blockchain security, certain auditing firms have also branched out to offer other cybersecurity services such as penetration testing, running bug bounty programs, vulnerability assessments, and threat modelling.
What Makes a Good Smart Contract Auditor?
We have compiled our list of the top smart contract auditors this year based on a set of criteria. One of the first steps in finding a reliable smart contract auditor is to check the portfolios of projects they have audited. Doing so allows you to see the size and popularity of the projects they have audited, and more importantly if any of the projects they have worked on have been compromised. Larger projects tend to attract more attention from hackers, and if they have not been exploited for a long period of time, then it is a good sign that their security is up to date thanks to their auditor(s).
The next factor to consider is the auditor’s expertise in certain blockchains. As of now, most auditors offer only Ethereum contract audits. Only some are specialized in auditing projects on altchains such as BNB, Solana or Polygon. This is because EVM-compatible chains have different architectures, and certain altchains use a completely different programming language, e.g. Rust for Solana. Different firms have different areas of expertise in auditing protocols built on different blockchains, so it is best to assess their level of competency before engaging them for an audit. For example, if you are looking for a Polygon-based contract audit, check the firm’s past audits for Polygon-based projects.
Finally, it goes without saying but the quality of audit reports is an important consideration to look for in a reliable auditor. Different auditing firms have their own methodology and approach. In many instances, the scope of an audit varies according to the scale and complexity of the project as well as the auditor’s agreement with their clients. It is important to note that a good report should include a comprehensive description of all the problems that were found during the test and inspection, and the findings of the audit have been addressed by the project.
Hacken
Website: https://hacken.io/
Projects Audited: 700+
Major Clients: FTX, Avalanche, VeChain, Huobi, Kyber, Air Asia
Chains Supported: Ethereum, EVM Chains, BNB Chain, Solana, Polygon, Avalanche, NEAR, Fantom
Hacken is a leading cybersecurity consulting company focused on blockchain security. Since its inception in 2017, Hacken has been educating and growing the ethical white hat hacker community to continually nurture and build the blockchain security ecosystem. Who better to identify and address cybersecurity threats than a hacker? (https://www.kambioeyewear.com/)
Hacken provides a wide range of security services including blockchain security consulting, web/mobile penetration testing, vulnerability assessments, coordination of bug bounty programs and more. The company also encompasses security products such as HackenAI Security Platform, hVPN, and hPass etc. Beyond just blockchain security ecosystem, Hacken has also partnered with non-blockchain giants like Air Asia.
Over the years, Hacken has built a commendable reputation as a security risk assessment for companies requiring a digital environment to create or enable services for their consumers, which is why Hacken is certified as Web 3.0 security standard by two of the world’s largest cryptocurrency data aggregator Coingecko and Coinmarketcap.
Quantstamp
Website: https://quantstamp.com/
Projects Audited: 200+
Major Clients: Ethereum 2.0, Solana, BNB Chain, Cardano, Maker, Curve, OpenSea
Chains Supported: All chains
Quantstamp is a security validation protocol for smart contracts and is one of the most recognized auditing companies in the blockchain sector. Their security team consists of PhDs and security professionals with experience in top IT companies such as Google, Facebook, Apple, and Ethereum Foundation.
Quantstamp specializes in auditing services of all programming languages designed for use in blockchain applications. Since its launch in 2017, Quantstamp has audited over 200 projects and helped secure over $200 billion in value. Its services include auditing layer-1 blockchains, smart contract-powered NFT and DeFi protocols, and developing financial frameworks for layer-1 blockchain ecosystems.
Trail of Bits
Website: https://www.trailofbits.com/
Projects Audited: 500+
Major Clients: 0x Protocol, Compound, MakerDAO, Acala, Balancer, yearn.finance
Chains Supported: Ethereum, Polkadot, Polygon, Tezos, Arbitrum
Trail of Bits is a cybersecurity industry giant with a long list of big-name clients such as Microsoft, Adobe, Reddit, Zoom, Airbnb, and Reddit etc. Founded in 2012, before smart contracts were even invented, the company prides itself as a network of developers with the capabilities of identifying and fixing loopholes in software, devices, and code. They have long developed tools that help developers find and fix critical vulnerabilities. Manticore is one of their signature tools, a multi-contract and multi-transaction emulator. Other tools include Cryptic, Slither and Echidna which are also blockchain-focused solutions.
ConsenSys Diligence
Website: https://consensys.net/
Projects Audited: 100+
Major Clients: 0x Exchange, Aave, Balancer, Uniswap
Chains Supported: Ethereum
Consenys is a US-based blockchain technology solutions company and is one of the biggest and prominent blockchain incubators in the industry. Unlike other security firms mentioned on this list, ConsenSys dedicates its resources and technological expertise solely to the development of Ethereum blockchain applications and software, especially financial infrastructures.
Its signature product, MythX, is one of the most powerful automated scanners for Ethereum smart contracts, providing a solid API which developers can use to access security analytics tools. Over the years, ConsenSys has successfully protected over 100 Ethereum-based projects and uncovered over 200 issues. Apart from security auditing, the company also provides two other services known as Fuzzing, a bug-finding tool for first specifications, and Scribble, a runtime verification tool that translates high-level specifications into Solidity code.
CertiK
Website: https://www.certik.com/
Projects Audited: 1800+
Major Clients: BNB Chain, Polygon, The Sandbox
Chains Supported: All chains
CertiK is a blockchain security company specialized in formal verification and AI technology in collaboration with some of the world’s best cybersecurity experts to create end-to-end audit services. The company has developed “CertiK Chain”, a public blockchain focused on mathematically validating the safety of smart contracts through formal and manual verification. Other services of CertiK include Skynet, Skytrace and Penetration Testing.
CertiK is an official partner company of Binance, and is also backed by numerous big-name firms such as Golden Sachs, Coinbase, Lightspeed, Matrix Partners, and DHVC.
LeastAuthority
Website: https://leastauthority.com/
Projects Audited: 80+
Major Clients: Ethereum Foundation, Chia Network, O(1) Labs, Protocol Labs, cLabs, Tezos Foundation
Chains Supported: Ethereum, Chia Network, Tezos
LeastAuthority is a cybersecurity consulting firm with its main focus on privacy. Using privacy-enhancing technologies, it classifies itself as an enabler of private and disruptive storage solutions. The platform offers two major products which are essentially storage architectures. The first, Privatestorage (formerly S4), is a centralized system that provides storage infrastructure to end-users and offers them the autonomy over the collection, processing and distribution of their private data. The second product, Tahoe LAFS, enables a decentralized, distributed and fault-tolerant storage facility.
Apart from security audits, other services also include penetration testing, network and traffic analysis, and mechanism and incentive design. The company’s consultants work with developers throughout their development cycles to ensure that their projects are not susceptible to security threats.
ChainSecurity
Website: https://chainsecurity.com/
Projects Audited: 85+
Major Clients: yearn.finance, Maker, Compound, Curve, Rarible, Kyber Network
Chains Supported: Ethereum
ChainSecurity is a blockchain security firm led by security experts from the renowned university ETH Zurich. Similar to ConsenSys, the company specializes in Ethereum contract auditing. They have developed an automated audit platform that allows projects to thoroughly analyze smart contract designs, test their viability, and monitor metrics detailing their performances after launch. The company has worked with more than 85 Ethereum-based projects and helped secure more than $17 billion worth of assets.
OpenZeppelin
Website: https://openzeppelin.com/
Projects Audited: 150+
Major Clients: Ethereum Foundation, Coinbase, Compound, Aave, The Graph
Chains Supported: Ethereum
OpenZeppelin is a cybersecurity technology and services company known for its development of Solidity libraries known as “OpenZeppelin Contracts.” These libraries are used in most Solidity projects as a tested and standard template for contracts deployable on DApps. Developers can easily integrate these solutions into their applications through OpenZeppelin’s native SDK.
OpenZeppelin was the first cybersecurity company to reinvent blockchain security by introducing elements of gamification to identify security vulnerabilities in smart contracts. “Ethernaut” is a web3/Solidity war game which challenges gamers to find and exploit loopholes in smart contracts to progress to the next level. The company also provides free services such as “Defender”, which helps clients automate their smart contract administration, offering a more secure and private transaction infrastructure.
SlowMist
Website: https://www.slowmist.com/en/
Projects Audited: 1000+
Major Clients: Binance, OKX, Huobi, Pancakeswap, Crypto.com
Chains Supported: Ethereum, EVM Chains, EOS, Fabric, Solana, VeChain, ONT
SlowMist is China’s leading blockchain security company founded in 2018. The team at SlowMust has over 10 years of experience in network security, specializing in smart contract audits, blockchain security, wallet security testing, and more. The company constantly tracks and publishes data about security situation on crypto exchanges through their Blockchain Threat Intelligence (BTI) service. Their most notable product MistTrack is a system that tracks the movement of stolen funds. Since its launch, it has helped recover nearly $1 billion in stolen funds.
The company also offers security-related products such as anti-money laundering software, DarkHandBook (crypto safeguarding handbook), SlowMist Hacked (crypto hack archives), and FireWall.X (firewall for EOS smart contracts).
Runtime Verification
Website: https://runtimeverification.com/
Projects Audited: 100+
Major Clients: Algorand, Polkadot, Tezos Foundation, Ethereum Community Fund, NASA
Chains Supported: All Chains
Runtime Verification is a research and development company focused on verification-based techniques to perform security audits on virtual machines and smart contracts on public blockchains. The platform is a dynamic software analysis approach that analyzes programs as they execute, observing the results of the execution and using those results to find bugs. This solution designs standard models for high-value applications and uses them as templates to develop security-sensitive products.
Runtime Verification has developed two main smart contract security products. The first, K Semantic Framework, offers smart contract correctness proofs to validate the viability of Ethereum and Cardano’s smart contracts. The second, Firefly, is a test coverage analysis tool for Ethereum smart contracts. The company has also worked with Ethereum Foundation on building a formal framework for Ethereum 2.0 testing.
