Audit Firm Reviews: Can Crypto Security Auditors Stop the Hacks?
Crypto losses topped $3.4 billion in 2025, yet most of the code that failed had been audited first. We review what the top security firms deliver and where they fall short.
Criminals stole more cryptocurrency in 2025 than in any year on record, and most of the code that failed had been audited first. That uncomfortable pairing is forcing a hard look at the security firms whose stamp is supposed to certify that a smart contract is safe to use. This review examines what audit firms actually deliver, where they consistently fall short, and how readers can tell a serious report from a marketing badge.
A record year that audits did not prevent
According to Chainalysis, thieves took more than $3.4 billion of crypto in 2025, with a single February attack on the exchange Bybit accounting for $1.5 billion of that total. The firm found that the three largest incidents alone made up roughly 69 percent of all funds stolen from services. CertiK reached a similar scale in its Hack3d report, which put 2025 losses at about $3.35 billion across more than 600 incidents, a 37 percent jump from the prior year, with the average loss per attack climbing to $5.32 million. For comparison, the bug-bounty platform Immunefi counted about $1.49 billion lost to hacks and fraud across all of 2024.
Here is the detail that should temper any rush to blame the auditors: the Bybit theft was not a smart contract bug. Investigators at NCC Group and reporters at BleepingComputer traced it to a supply chain attack on the Safe{Wallet} signing interface, where attackers linked to North Korea’s Lazarus Group compromised a developer machine and served malicious JavaScript through a legitimate domain. The FBI publicly attributed the heist to North Korea, and Chainalysis estimates DPRK-linked crews stole about $2.02 billion across 2025, lifting their all-time haul past $6.75 billion. No audit of on-chain code would have caught it, which is exactly why the scope of an audit matters before you trust one.
What a smart contract audit actually covers
A smart contract audit is a time-boxed review of a specific version of source code, usually pinned to a single commit. A mix of manual reading and automated tooling hunts for the classic failure modes: reentrancy, broken access control, oracle manipulation, arithmetic errors, flawed upgrade logic, and economic attacks that abuse how a protocol prices or moves value. The output is a report that ranks findings by severity, from critical down to informational, with recommended fixes and a note on whether the team resolved them. Automated tools catch known bug patterns quickly but miss business-logic errors, which is why manual review by experienced engineers still does the heavy lifting on high-value systems. Serious engagements end with a re-audit that confirms the fixes did not introduce new bugs.
What an audit does not cover is just as important. It typically excludes off-chain infrastructure, front-end interfaces, private key management, multisignature operations, governance decisions, and any code changed after the review closed. A report is a snapshot, not a warranty, and it speaks only to the exact files in scope on the exact day they were read. Audit quality also depends heavily on who does the work, since a report is only as sharp as the specific researchers assigned and the hours they were given. The Bybit loss sits squarely in that excluded zone, and so do a surprising number of other incidents.
The major firms at a glance
The market splits into traditional fixed-scope reviewers, formal-verification specialists, marketplace models that assemble senior researchers per job, and public contest platforms. The table below groups the most active names by how they work rather than by any single quality ranking, because depth varies from one engagement to the next.
| Firm | Primary model | Known for |
|---|---|---|
| OpenZeppelin | Fixed-scope review | Widely used contract libraries; DeFi blue chips |
| Trail of Bits | Fixed-scope review plus tooling | Deep security research; Slither and Echidna tools |
| CertiK | High-volume audits plus monitoring | Largest by audit count; public Skynet scoreboard |
| ConsenSys Diligence | Fixed-scope review | Ethereum-native audits and fuzzing |
| Halborn | Audits plus penetration testing | Infrastructure and DeFi engagements |
| Certora | Formal verification | Mathematical proofs of contract properties |
| Spearbit / Cantina | Researcher marketplace and contests | Senior auditors; multimillion-dollar contest pools |
| Sherlock | Contests with coverage | Insurance-style backing on findings |
| Code4rena | Time-boxed public contests | Crowdsourced researcher community |
Two specialties in that list deserve a separate note. Formal verification firms such as Certora try to prove mathematically that a contract always satisfies stated properties, which gives stronger guarantees for the narrow slice of logic they cover and says nothing about properties nobody thought to specify. Incident-response shops such as PeckShield and SlowMist focus less on pre-launch review and more on tracing stolen funds and attributing attacks, which is why their names surface within minutes of most exploits.
When audited code breaks anyway
The clearest warning sits in the record of protocols that passed review and failed anyway. Euler Finance lost about $196 million to a flash-loan attack in March 2023 despite roughly ten separate reviews across six firms, a sequence documented by security shop AnChain, which also estimated that close to 92 percent of the exploited contracts it studied had been audited at least once. Euler’s attacker later returned most of the money, a rare and lucky outcome.
Several forces produce that result. An audit reviews a snapshot, so anything shipped afterward is unreviewed by default. Scope often excludes the economic assumptions that flash-loan and oracle attacks exploit. A clean report means only that no critical issue was found within the agreed scope, not that none exists. Composability makes this worse, because a contract that is safe in isolation can still be drained when a newly integrated protocol behaves in a way the auditors never modeled. And then there is audit theater: projects that deploy different code than the version reviewed, ignore critical findings while still waving the badge, or commission a shallow pass purely for marketing. A logo on a landing page tells you nothing until you read the report behind it.
The CertiK question: scale versus depth
No firm draws more scrutiny than CertiK, the largest auditor by volume and the operator of the widely cited Skynet monitoring service. Critics note that CertiK-reviewed projects have appeared repeatedly in exploit post-mortems, that quality can swing between teams handling simultaneous engagements, and that the standard fee-for-service model leaves an auditor financially untouched when code fails months later. Those criticisms are fair, but they describe the whole industry’s incentive structure rather than one company’s flaw. CertiK also produces some of the most quoted loss data in the sector, including the Hack3d figures above, which is why it appears in both the reporting and the criticism.
The rise of competitive audits
A newer model pays for results instead of hours. In a competitive audit, dozens or hundreds of researchers attack a codebase for a fixed prize pool over one to four weeks, splitting rewards by the severity of unique valid findings. Code4rena, Sherlock, and Cantina (the contest arm of Spearbit) run this format, with Cantina hosting pools above $2 million for large protocols such as EigenLayer and Uniswap v4, while a typical Code4rena or Sherlock contest ranges from $100,000 to $500,000. Standout researchers can clear six figures from a single contest. Because a finding's reward is shared among everyone who reports it, the format favors speed on the obvious bugs and can leave subtler ones unexamined once researchers judge the remaining payout not worth the hours.
The model trades the coordination of a dedicated team for the breadth of many independent eyes, though coverage can be uneven and duplicate reports are common. The field is also consolidating: in 2026, Code4rena said it would wind down and hand its bug-bounty clients and researcher community to Immunefi, the largest standing bug-bounty platform, which pays for live vulnerabilities after deployment rather than before it. Top bug-bounty programs now advertise rewards reaching into the millions of dollars for a single critical report.
What audits cost, and who pays
Price scales with code size and complexity. Market references compiled by Sherlock and others put top-tier reviewers such as Trail of Bits and OpenZeppelin near $25,000 per engineer per week, with enterprise audits commonly landing between $80,000 and $200,000 and a mid-size DeFi primitive often running $200,000 to $300,000 once a re-audit is included. Formal verification from a firm like Certora costs more still, because proving properties mathematically is slower than reviewing them by hand.
The structural catch is that the project being audited is the party paying, which creates the same conflict that has long dogged credit ratings: the client wants a clean bill, and the auditor wants repeat business. Independent contests and bug bounties dilute that pressure without erasing it. That is why sophisticated teams increasingly treat a single paid audit as a floor, not a finish line.
Where US regulators stand
American investors should not read the word “audited” as “regulator approved.” The SEC imposes no mandatory smart contract audit requirement. In 2025 the agency created a Crypto Task Force in January and a Cyber and Emerging Technologies Unit in February, and under Chairman Paul Atkins it has floated a broader framework, sometimes branded Project Crypto, that would push interface providers to evaluate the systems they expose on criteria including security and auditability and to disclose their cybersecurity controls to users. The direction of travel is toward disclosure, not toward a government seal of approval on the code itself. For now, the burden of judging an auditor’s track record falls on users, on the exchanges that list a token, and on the venture funds that back a protocol before launch.
How to read an audit report before you trust it
Whether you are allocating capital or just connecting a wallet, a few checks separate genuine assurance from decoration:
- Match the audited commit against the code actually deployed on-chain: build that commit with the compiler version and settings recorded in the report and compare its runtime bytecode to the on-chain code, or confirm the verified source on the block explorer is that commit. For an upgradeable proxy, check the implementation it currently points to, not the proxy.
- Check the date, because anything shipped after the review is unreviewed.
- Read the scope section, since a narrow scope can leave whole components untested.
- Count the unresolved critical and high findings, not just the headline total.
- Prefer protocols with multiple independent reviews plus a live bug bounty.
- Treat a single badge as marketing until the full report proves otherwise.
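The first check above, as an added example that is not code from the original page or from any firm named in it. It assumes you have compiled the audited commit yourself with the compiler version and settings recorded in the report, fetched the deployed bytecode with a JSON-RPC `eth_getCode` call for the implementation address, and want to know whether the two differ in executable code or only in the metadata trailer that solc appends to every build. The bytecode and hashes below are constructed stand-ins, not real contracts; `compare_bytecode`, `split_metadata` and `cbor_trailer` are names chosen for this illustration.

```python
"""Compare an audited build's runtime bytecode with the code deployed on-chain.

Solidity appends a CBOR-encoded metadata trailer to runtime bytecode, and the
last two bytes of the bytecode are the big-endian length of that trailer. Two
builds of the same source and compiler settings produce identical code but can
differ in the trailer (the metadata IPFS hash changes when, say, a comment is
edited), so the code section is compared on its own and a trailer-only
difference is reported separately rather than as a mismatch.

Assumptions (illustrative code, not any audit firm's tooling):
  - `audited_hex` is the runtime bytecode you compiled from the audited commit
    with the compiler version and settings recorded in the report;
  - `deployed_hex` is the result of `eth_getCode` for the implementation
    address (for a proxy, the implementation it points to, not the proxy);
  - immutable variables are inlined at deploy time and can legitimately differ
    between a local build and the chain; this example does not mask them.
"""


def to_bytes(hex_or_bytes) -> bytes:
    """Accept raw bytes or a hex string with or without the 0x prefix."""
    if isinstance(hex_or_bytes, (bytes, bytearray)):
        return bytes(hex_or_bytes)
    s = hex_or_bytes.strip()
    if s.startswith(("0x", "0X")):
        s = s[2:]
    return bytes.fromhex(s)


def split_metadata(runtime: bytes) -> tuple:
    """Return (code, cbor_trailer); the trailer is empty if none is detected."""
    if len(runtime) < 2:
        return runtime, b""
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""
    trailer = runtime[-(n + 2):-2]
    # A solc trailer is a small CBOR map (major type 5, first byte 0xa0..0xbf).
    if not 0xA0 <= trailer[0] <= 0xBF:
        return runtime, b""
    return runtime[: -(n + 2)], trailer


def compare_bytecode(audited_hex, deployed_hex) -> str:
    """Classify the relationship between the audited build and the chain.

    "no-code"        nothing deployed at the address (or it is an EOA)
    "exact"          byte-for-byte identical, trailer included
    "metadata-only"  same code, different metadata trailer (a rebuild of the
                     same source; worth a look, not a red flag on its own)
    "mismatch"       executable code differs: this is not the audited contract
    """
    audited = to_bytes(audited_hex)
    deployed = to_bytes(deployed_hex)
    if not deployed:
        return "no-code"
    if audited == deployed:
        return "exact"
    audited_code, _ = split_metadata(audited)
    deployed_code, _ = split_metadata(deployed)
    return "metadata-only" if audited_code == deployed_code else "mismatch"


# --- constructed sample data (not real contracts) ---------------------------

def cbor_trailer(ipfs_multihash: bytes, solc_version: bytes = b"\x00\x08\x12") -> bytes:
    """Build a solc-style trailer {"ipfs": <34 bytes>, "solc": <3 bytes>} + length."""
    body = (b"\xa2"
            + b"\x64ipfs" + b"\x58\x22" + ipfs_multihash
            + b"\x64solc" + b"\x43" + solc_version)
    return body + len(body).to_bytes(2, "big")   # 51 bytes -> trailing 0x0033


CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")     # constructed fragment
AUDITED = CODE + cbor_trailer(b"\x12\x20" + b"\x11" * 32)
DEPLOYED_REBUILT = CODE + cbor_trailer(b"\x12\x20" + b"\x22" * 32)   # same code, new metadata
DEPLOYED_PATCHED = CODE[:-1] + b"\xfd" + cbor_trailer(b"\x12\x20" + b"\x11" * 32)  # code changed

if __name__ == "__main__":
    for label, on_chain in [("same build", "0x" + AUDITED.hex()),
                            ("rebuilt", DEPLOYED_REBUILT),
                            ("patched", DEPLOYED_PATCHED),
                            ("empty", "0x")]:
        print(f"{label:>10}: {compare_bytecode(AUDITED, on_chain)}")
```

A "metadata-only" result still deserves a second look: the trailer embeds the compiler version and a hash of the source metadata, so a differing trailer means either a different solc release or source that is not byte-identical to the audited commit, even if the compiled code happens to agree. A "mismatch" means the report does not describe the contract you are about to use, whatever the landing page says.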
The verdict
Audits reduce risk; they do not remove it. The best-secured protocols stack several independent reviews, run a public contest, apply formal verification where it fits, and keep a bug bounty open long after launch. Firms such as Trail of Bits, OpenZeppelin, and Certora earn their reputations on depth, and the contest platforms add breadth, but none of them can vouch for code that changes after they leave or for the off-chain systems that produced 2025’s single biggest loss. In a year when more than $3.4 billion drained from audited and unaudited projects alike, the honest conclusion is that audit firms are necessary, valuable, and nowhere near sufficient on their own.
By the HOGE Wire editorial desk.