The Future of Blockchain Audits

The following is a paper I wrote in collaboration with one of my co-founders at Dartmouth Blockchain, Aaron Xie. My fellow members at Dartmouth Blockchain and I love to discuss these topics, so please get in touch any time to chat on ideas, theses, disagreements, etc.

May 2023

The incentive structure between smart contract auditors and blockchain protocols is broken. This is a major weight on the development of both new protocols and effective auditing teams. New smart contract auditors that accept future equity or long-dated-vesting tokens as compensation should emerge to solve this alignment issue. With proper alignment, these new auditors will work with projects they truly believe in, meaning teams will need to get better to prove themselves worthy of audits. With this improved audit structure, protocol teams will be able to bootstrap as opposed to spending extensive company funds on expensive audits, and auditors will have a true vested interest in the protocol’s success. This will lead to the emergence of better on-chain protocols, fewer exploits, and the improvement of the blockchain development ecosystem overall.

The current top auditing firms like Spearbit, Trail of Bits, and Consensys Diligence often receive payment in USDC (or other USD equivalents) for an audit. We saw this directly through our involvement at a DeFi project, which we will refer to as X. The X team was forced to have an almost constant focus on maintaining enough funds for auditors. When a late-stage audit was returned for X’s new protocol in April of 2023, X’s CEO found three bugs almost immediately that the auditor (who shall not be named) did not catch. X’s CEO proceeded to fix the bugs himself, but this already revealed the lack of true quality from a consultant-esque auditor. We need auditors that embed themselves almost directly into the teams and projects they work with. We need auditors with the alignment of a venture capitalist, not a consultant.

One auditing company that has begun to pave the way here is Sherlock. Sherlock’s auditing process starts with one or two senior auditors who briefly analyze the code. Then the auditing company begins a competition where entrants are rewarded for finding vulnerabilities. To address the poor incentive structures between auditing firms and protocols, Sherlock offers a unique model, in which they provide insurance coverage for their audited protocols of up to $5M in the case of a security vulnerability. This insurance coverage feature provides a form of “skin in the game.” While Sherlock’s model is a step in the right direction, we believe that it is not the end state of incentive-aligned auditing.

To better understand the shortcomings of Sherlock, one must first understand the high-level goal of a protocol seeking an audit. A protocol seeks out an audit to ensure the long-term security of its code. With the status quo, protocol development companies achieve this by hiring security firms on a consultancy model. The cost of audits, in combination with the lack of long-term alignment, can destroy a new project. The ideal relationship is one in which an auditing firm and a protocol are in a long-term (multi-year time horizon) relationship, with a vested interest via equity or tokens. This relationship alleviates the unpredictability of one-off audit expenditures and provides the protocol with a long-term security partner that has deep context on the protocol over several years. Auditing firms that adopt this new structure will have a superior edge and improved overall outcomes – enter the Audit VCs.

New protocol auditors should emerge that only take equity or long-dated-vesting tokens as compensation. Too many projects are forced to raise excessive venture funding just to pay for costly audits. However, what if the auditors became the VCs? Or what if the VCs became the auditors? (Imagine: Audited by a16z Audits or Pantera Audits – instant credibility and incentive alignment between investor and protocol). Auditing is arguably the biggest value-add an investor could provide. By becoming the auditors through audit wings, VCs would be able to put up less cash and add more value for the same equity by having an auditing relationship with their portfolio companies. If protocol X had worked with an auditor that accepted equity as compensation, would the auditor have been as careless? Would the CEO have had to manually fix the missed bugs in order to avoid paying more or waiting weeks on end for a second review? We would argue “no” to both of these questions, given what they reveal about the state of incentive alignment in on-chain auditing.

The broken state of on-chain auditing has led to many inefficiencies in the acceleration of blockchain growth. We hope to urge the emergence of Audit VCs: security audit firms that manage an exclusive portfolio of companies. These auditors will offer their value-add auditing services in exchange for equity, forging stronger partnerships with their protocol teams. Auditors should not be a hurdle to jump over but rather a partner that is incentivized to offer support for a protocol’s lifetime. This is the next generation of blockchain auditing.