Guide
Smart Contract Auditing: What "Audited" Doesn't Mean — and How to Read the Report

Bottom line: an audit is a record that experts read specific code, not proof that the code is safe
A smart contract audit is a scoped, point-in-time review: outside specialists read one exact commit of the code, over a fixed window, within an agreed boundary, and write down what they found. It is not a pass/fail certification, and it is not an endorsement of the project.
The auditors say so themselves. The disclaimer in Quantstamp's public audit of the Nomad bridge (published 6 June 2022) reads:
This report is based on the scope of materials and documentation provided for a limited review at the time provided. Results may not be complete nor inclusive of all vulnerabilities... The review does not extend to the compiler layer, or any other areas beyond the programming language... A report does not indicate the endorsement of any particular project or team, nor guarantee its security.
The mechanics of contracts themselves are covered in what a smart contract is, and the risk landscape in smart contract risk. This piece is about the artifact: how to actually read a report.
Which code, and when?
A real report pins its target precisely. Quantstamp's Nomad report:
| Field | Value |
|---|---|
| Review window | 2022-04-12 to 2022-06-06 |
| Language / EVM | Solidity / London |
| Source | nomad-monorepo @ 17f0557 (plus zodiac-module-gnomad @ d887024, 482c1e2, 93daaf9) |
The commit hash is there for a reason: the audit covers that commit and nothing else. Change a line the next day, and nobody has reviewed that line.
This is measurable, not theoretical. Zellic's analysis of Nomad found that only 18.6% of the on-chain Replica.sol matched the audited version, with the drift concentrated in process, acceptableRoot and prove — the critical functions. Zellic notes that "the buggy code responsible for the hack was introduced after the audit had begun" and that "the smart contract code that was ultimately deployed differed from the audited code." The industry calls this audit drift. (Bridges carry their own structural problems — see bridge risk.)
The field everyone misreads
Beginners fixate on severity — critical, high, medium, low. The field that matters more is status. Quantstamp defines four:
| Status | Meaning |
|---|---|
| Fixed | Implementation adjusted to eliminate the risk |
| Mitigated | Impact or likelihood minimised |
| Acknowledged | The issue remains in the code — it is the result of an intentional business or design decision |
| Unresolved | The risk is acknowledged and accepted as-is |
要点
"Acknowledged" means someone noticed. It does not mean anyone fixed it. This is the single most misread field in an audit report.
Nomad's report logged 40 findings, of which only 16 were Resolved (1 of 1 high, 6 of 6 medium, 7 of 18 low, 1 of 9 informational, 1 of 6 undetermined). A reader who only checks "was it audited?" misses that 24 findings were left standing — and one of them was the one that mattered.
Five protocols that were audited and drained anyway
| Protocol | Date | Loss (DefiLlama, as of 2026-07-16) | What the audit actually did |
|---|---|---|---|
| Nomad | 2022-08-01 | $190,000,000 | Flagged the bug — as Low, and Acknowledged |
| Euler | 2023-03-13 | $197,000,000 | Audited "many more times than is the industry standard" + a $1M bounty |
| Curve DEX | 2023-07-30 | $61,700,000 (estimates vary) | Bug was below the contract, in the Vyper compiler |
| Cetus CLMM | 2025-05-22 | $223,000,000 | MoveBit's report: 18 findings, all Fixed |
| Balancer V2 | 2025-11-03 | $128,000,000 | Exploited library was explicitly out of scope in the later audit |
Nomad: found it, rated it Low, got told no
Quantstamp's QSP-19, "Proving With An Empty Leaf" — severity Low Risk, status Acknowledged, file Replica.sol — describes the exact bug that later emptied the bridge: pass an empty bytes32 as the leaf plus an artificial Merkle proof with a specified index, and the inclusion check passes. The recommendation was one line: validate that _leaf is not empty.
What makes the report remarkable is that it preserves the client's refusal and the auditor's rebuttal. Nomad replied that finding the preimage of the empty leaf was "effectively impossible." Quantstamp wrote back:
We believe the Nomad team has misunderstood the issue. It is not related to finding the pre-image of the empty bytes. Instead, it is about being able to prove that empty bytes are included in the tree... Therefore, anyone can call the prove function with an empty leaf and update the status to be proven.
The auditor found it. The team declined. On 2022-08-01 the bridge lost $190,000,000 (DefiLlama hacks tracker, as of 2026-07-16; classification Protocol Logic, technique "Trusted Root Exploit").
Balancer: severity, scope and timing all failed at once
After Balancer was exploited, Trail of Bits published an analysis of its own prior audits. The root cause, it says, was "a rounding direction issue that had been present in the code for many years" — and then, candidly:
We now know that the Composable Stable Pools that were hacked on Monday were exploited using the same vulnerability that we reported in our audit.
Per the firm's own account: three reviews of Balancer v2 in 2021; the April 2021 commit "did not have this vulnerability present"; the October 2021 Linear Pools audit filed it as TOB-BALANCER-004 but marked it undetermined severity, because they "couldn't definitively determine whether the identified rounding behavior was exploitable"; and in the September 2022 Composable Stable Pools audit, "The Stable Math library was explicitly out of scope."
So "audited by Trail of Bits" could be perfectly true while the exploited library had never been in scope. Trail of Bits also explains why small findings are so hard to grade: a 1-wei precision loss "may not seem significant when a fuzzer first identifies it, but in a particular case, such as a low-liquidity pool configured with specific parameters, the precision loss may be substantial enough to become profitable." Severity is a judgement call, not a fact.
Formal verification did not save it either. Certora had formally verified Balancer v2's Stable Pools in a 2022 audit; after the hack it stated that "the verified properties did not constrain the relationship between individual swaps or rounding behavior," and that scenarios where iterative operations such as a token roundtrip swap could systematically gain value from rounding bias "were not ruled out." Formal verification proves the properties you wrote — and only those.
Balancer V2 lost $128,000,000 on 2025-11-03 (DefiLlama, as of 2026-07-16). Trail of Bits describes it as "over $100M drained across nine blockchain networks."
Cetus: a clean, all-fixed report is not a shield
Cetus does something genuinely good: it publishes its audit reports in a public repository (CetusProtocol/Audit) with reports from MoveBit, OtterSec and Zellic, so anyone can verify them independently rather than trusting a badge. MoveBit's review (2023-03-27 to 2023-04-28, Move on Sui, cetus-clmm-sui @ 11d65f5d…) raised 18 issues — 12 minor, 3 medium, 2 major, 1 critical — and marked all 18 Fixed.
Cetus CLMM was still drained for $223,000,000 on 2025-05-22 (DefiLlama, as of 2026-07-16; Protocol Logic, technique "Spoof Token Exploit"; reported amounts range from roughly $220M to $223M). It is the largest DeFi loss of 2025 in that dataset.
OtterSec's review (2023-03-30 to 2023-05-03) included a lower-tier finding, OS-CTS-SUG-04, "Possible Arithmetic Errors", about u256 return values cast to u64: exceed MAX_U64 and arithmetic errors may occur. Patch status: "The Cetus team responded that it is highly unlikely for this scenario to occur and will not implement a patch."
To be precise — and this matters — SUG-04 concerned compute_swap_step, a different function from the path exploited in 2025. This is not "the auditors found the exact bug and were ignored." It is that the bug class (u256→u64 overflow) was raised and waved away as unlikely. OtterSec is explicit about how to read that tier: such findings "do not present an immediate security impact" but "represent antipatterns and could lead to security issues in the future."
Curve: the bug was underneath the contract
The Curve DEX exploit of 2023-07-30 was not a logic bug in the contracts. It was a Vyper compiler bug. The official advisory GHSA-5824-cm3x-3c38 (CVE-2023-39363, Critical, published 2023-08-05), "Incorrectly allocated named re-entrancy locks," affects Vyper 0.2.15, 0.2.16 and 0.3.0 and was patched in 0.3.1: "each function using a named re-entrancy lock gets a unique lock regardless of the key," enabling cross-function reentrancy.
No amount of reading the source would have surfaced this — it is precisely where Quantstamp's disclaimer says the review does not extend. Tellingly, DefiLlama does not file it under Protocol Logic at all: it is classified Infrastructure, with the technique labelled literally "Vyper Compiler Bug." The tracker records $61,700,000 (as of 2026-07-16), but contemporaneous reporting put the gross figure near $70M and the net around $52M after whitehat and MEV returns — treat no single number as settled.
Euler: more audits and a big bounty, still $197M
Euler's own post-mortem says the donateToReserves function "lacked a health check to make sure that an existing user wouldn't be able to put themselves in an unhealthy state just by donating to the reserves." The company writes that it "had the protocol audited at great expense many more times than is the industry standard" and ran "a $1M bug bounty for anyone who found critical bugs in Euler." It lost roughly $197M on 2023-03-13 regardless. The attacker later returned the funds — DefiLlama records returnedFunds of $240,000,000 (as of 2026-07-16) — but that outcome is an extreme outlier and should be read as luck, not reassurance.
The structural limit: 56% of the money is outside an audit's reach
Aggregating the DefiLlama hacks API directly on 2026-07-16 (586 incidents, $16,712,372,055 all-time):
| Classification | Losses | Share | Incidents |
|---|---|---|---|
| Infrastructure (private key compromise, social engineering, admin compromise) | $9,396,368,100 | 56.2% | 124 |
| Protocol Logic (contract bugs — what audits target) | $5,640,218,955 | 33.7% | 340 |
要点
Contract bugs are the most frequent category and a minority of the money. A smart contract audit structurally cannot address most of what gets stolen.
Ronin Bridge is the canonical case: $624,000,000 on 2022-03-23, "Private Key Compromised (Social Engineering)." Flawless contract code plus compromised signers still equals total loss. The two largest Japanese incidents in DefiLlama's dataset sit in the same bucket — Coincheck, $534,000,000 on 2018-01-26, and DMM Bitcoin, $305,000,000 on 2024-05-31, both recorded as "Private Key Compromised (Unknown Method)" (as of 2026-07-16). No contract audit would have prevented either.
That "in DefiLlama's dataset" qualifier is load-bearing. Mt. Gox — which said it had lost almost 750,000 customer bitcoins plus around 100,000 of its own, roughly 850,000 BTC, worth around $473 million near its 28 February 2014 filing in Tokyo for civil rehabilitation — is larger than DMM Bitcoin in dollar terms and is absent from the dataset entirely. This section's own source has exactly the kind of blind spot this section is about. "Not in the data" is not the same as "did not happen" — scrutinise a dataset's scope the same way you scrutinise an audit's.
The frequency trend is worth noting too: the same aggregation shows 138 incidents and $1,005,382,056 in 2026 through 16 July — more incidents in roughly six and a half months than in any complete prior year (the highest full-year count in the dataset is 97). April 2026 alone accounted for $644,849,950 across 27 incidents, led by Drift Trade at $295,000,000 on 2026-04-01, technique "Compromised Admin + Fake Token Price Manipulation." April's single largest loss was an admin compromise, not a contract bug. Current numbers live at DefiLlama's hacks database.
Who actually does this work (as of 2026-07-16)
Listing auditors from memory is how you end up presenting a wound-down business as current. Verified status:
| Firm | Status (as of 2026-07-16) | Official |
|---|---|---|
| OpenZeppelin | Operating. Audits Solidity, Cairo, Rust, Go. Publishes an explicit Fix Review step | openzeppelin.com/security-audits |
| Trail of Bits | Operating. Public reports on GitHub (repo last pushed 2026-07-15) | github.com/trailofbits/publications |
| Consensys Diligence | Operating, but moved: consensys.io/diligence now redirects to diligence.security (styled "Consensys Diligence") | diligence.security |
| CertiK | Operating. Formal verification plus audits; runs Skynet | certik.com |
| Quantstamp | Operating. Verify a project at certificate.quantstamp.com | quantstamp.com/audits |
| Sigma Prime | Operating (sigp/public-audits last pushed 2026-05-26; latest entry "Term Finance v2 review") | github.com/sigp/public-audits |
| Spearbit | Not a standalone firm. Now "Spearbit Services," a division inside Cantina | cantina.xyz |
| Sherlock | Operating. Audit contests still running at audits.sherlock.xyz | sherlock.xyz |
| Code4rena | ⚠️ Winding down. Its own site: "Code4rena is winding down. After 5 years of securing DeFi, Code4rena is closing its doors." Active competitions and bounties are being seen through to completion | code4rena.com |
Per The Block (2026-05-13), Code4rena said "After careful consideration, we've made the decision to wind down Code4rena," with Immunefi partnering to migrate its customers and researchers and to help protocols transfer bounty "scopes, rules and reward structures." Zellic acquired Code4rena in 2024 and said it would operate independently; Code4rena had raised $6 million from Paradigm in 2023.
Every performance figure those firms publish (TVL secured, vulnerabilities found, researcher counts) is self-reported marketing, not independently verified. Read them as claims.
An audit is a point. Bug bounties are the line that connects the points: Immunefi announced on 2024-06-20 that it had "surpassed $100 million in rewards paid to whitehat hackers," listing $10 million for a vulnerability in Wormhole among its notable payouts (alongside $6 million for Aurora and $2.2 million for Polygon). Note what that is and is not: the company's own selection of "notable payouts" — a non-exhaustive list, not a ranking. (Its site currently claims "$190B+ Protected" and "60k+ Security Researchers," as of 2026-07-16 — again, self-reported.) And as Euler demonstrates, a $1M bounty does not make a protocol safe either.
The 60-second check
- Is there a link to the actual report PDF? A badge or a logo carries zero information.
- Verify on the auditor's site, never the project's. CertiK says "you can verify all CertiK-audited and KYC-verified projects on Skynet" (skynet.certik.com); Quantstamp points to certificate.quantstamp.com.
- Compare scope and commit to what is deployed. Does the report's commit or address match the contract you are about to touch? Remember Nomad's 18.6%.
- Count statuses, not severities. Are there Acknowledged or Unresolved items at critical or high?
- Is the source code verified? Per ethereum.org, source code verification means "comparing a smart contract's source code and the compiled bytecode used during the contract creation to detect any differences" — it proves the published source compiles to the deployed bytecode, nothing more. ethereum.org distinguishes it from formal verification, which describes "verifying the correctness of a smart contract, meaning the contract behaves as expected." Verified is not a safety guarantee; unverified is a red flag — nobody, auditors included, can read what is running. (How to read a block explorer covers the mechanics.)
Red flags
- Forged audits. CertiK documents this itself: "a case in point is the Lymex scam, which led to around $300,000 in losses. Despite listing CertiK as an auditor, Lymex never received our services after failing our KYC verification." A logo is not evidence.
- Upgradeable contracts plus admin keys. Per DL News, Swaprum — a DEX on Arbitrum — was genuinely CertiK-audited and advertised it; on 2023-05-18 its developers used the contract's upgradability to drain about $3 million and laundered it through Tornado Cash. DL News reports that CertiK's report had highlighted the centralisation risk, but that it did not affect the report's score. The code you read today can be replaced tomorrow.
- An unknown firm, or an audit of a different contract or an old commit. Cross-check the table above and the firms' own public report repositories (
trailofbits/publications,sigp/public-audits).
The broader pattern-matching toolkit is in the scam defence guide.
One sentence to remember
"Is it audited?" asks almost nothing. The questions that carry information are: which code, at which commit, reviewed when, how many findings were actually fixed and re-reviewed — and is the thing running right now the same thing that was audited?
Not financial advice
This article is for information only and is not investment advice. Crypto assets are volatile and carry risks including hacking and total loss. Figures and rules change — always confirm the latest against the primary sources linked above, and only use money you can afford to lose.
Sources
- Quantstamp — Nomad audit report (PDF, 6 June 2022: scope, commit hash, QSP-19, disclaimer)
- Zellic — You Could Have Found the Nomad Hack (audit drift: only 18.6% of deployed Replica.sol matched the audited code)
- Trail of Bits — Balancer hack analysis and guidance for the DeFi ecosystem (TOB-BALANCER-004; "explicitly out of scope")
- Certora — Breaking down the Balancer hack (the limits of formal verification)
- Cetus Protocol — public audit report repository (MoveBit, OtterSec, Zellic)
- Vyper — security advisory GHSA-5824-cm3x-3c38 / CVE-2023-39363 (the compiler bug behind the Curve exploit)
- Euler Finance — War & Peace: Behind the Scenes of Euler's $240M Exploit Recovery (donateToReserves; $1M bounty)
- DefiLlama — DeFi Hacks & Exploits database (live tracker)
- DefiLlama — hacks API (all aggregate figures in this article were computed directly from this endpoint on 2026-07-16; the same pull confirmed 586 incidents and no Mt. Gox entry)
- Mt. Gox — Wikipedia (28 Feb 2014 civil rehabilitation filing in Tokyo; company reported losing almost 750,000 customer BTC plus ~100,000 of its own, "worth around $473 million near the time of the filing"; absent from DefiLlama's hacks dataset)
- Code4rena — official site (wind-down notice)
- The Block — Immunefi to absorb Code4rena bug bounty customers after shutdown decision (2026-05-13)
- CertiK — Misuse of the CertiK Brand: Fake Audits and Social Media Frauds (Lymex ~$300k; verify on Skynet)
- DL News — DeFi protocol Swaprum in $3m rug pull was Certik audited (2023-05-18; rug pull via upgradability)
- ethereum.org — Verifying smart contracts (source code verification vs formal verification)
- Immunefi — Immunefi Surpasses $100 Million in Whitehat Rewards (2024-06-20; "Notable payouts include" $10M Wormhole, $6M Aurora, $2.2M Polygon — a non-exhaustive list, not a ranking)
- OpenZeppelin — Smart Contract Security Audits (methodology, including the Fix Review step)
- Cantina — official site (Spearbit is now a service division within Cantina)
- Quantstamp — Audits (points to certificate.quantstamp.com to verify whether a project was really audited)
FAQ
- Does "audited" mean a protocol is safe?
- No. An audit is a record that specialists read one specific commit, within an agreed scope, over a fixed window. Quantstamp states plainly in its own reports that "a report does not indicate the endorsement of any particular project or team, nor guarantee its security." Nomad ($190M, 2022-08-01), Euler ($197M, 2023-03-13), Cetus CLMM ($223M, 2025-05-22) and Balancer V2 ($128M, 2025-11-03) were all audited before being drained (figures per the DefiLlama hacks tracker, as of 2026-07-16).
- What should I look at first in an audit report?
- Two things: the scope and commit hash (which code, reviewed when), and the status column on each finding. Quantstamp's Nomad report pins its window to 2022-04-12 through 2022-06-06 and its source to nomad-monorepo at commit 17f0557 — and of its 40 findings, only 16 were marked Resolved. Checking only "was it audited?" hides the fact that 24 findings were left unresolved.
- What does "Acknowledged" mean in an audit report?
- Per Quantstamp's own definitions, Acknowledged means the issue remains in the code as the result of an intentional business or design decision. It does not mean fixed — it is the single most misread field in an audit report. Nomad's finding QSP-19, "Proving With An Empty Leaf," was rated Low Risk and left Acknowledged; the auditor even recorded its disagreement with the team's reasoning. About two months later the bridge lost $190,000,000.
- Can I trust an audit badge on a project's website?
- No. CertiK's own blog documents brand misuse: "a case in point is the Lymex scam, which led to around $300,000 in losses. Despite listing CertiK as an auditor, Lymex never received our services after failing our KYC verification." Always verify on the auditor's own registry rather than the project's site — CertiK points to Skynet (skynet.certik.com) and Quantstamp to certificate.quantstamp.com.
- Is "verified source code" on a block explorer the same as an audit?
- No. Per ethereum.org, source code verification is "comparing a smart contract's source code and the compiled bytecode used during the contract creation to detect any differences" — it only proves the published source compiles to the deployed bytecode. ethereum.org distinguishes this from formal verification, which describes "verifying the correctness of a smart contract, meaning the contract behaves as expected." Verification enables review but guarantees nothing about safety. Unverified source, however, is a red flag: nobody can read what is actually running.
- What kinds of losses can a smart contract audit never prevent?
- Most of them, by dollar value. Aggregating the DefiLlama hacks API on 2026-07-16 (586 incidents, $16,712,372,055 all-time), Infrastructure failures — private key compromise, social engineering, admin compromise — account for $9,396,368,100, or 56.2% of all dollars lost across 124 incidents, versus $5,640,218,955 (33.7%, 340 incidents) for Protocol Logic contract bugs. Ronin Bridge ($624M, 2022-03-23), Coincheck ($534M, 2018-01-26) and DMM Bitcoin ($305M, 2024-05-31) were all key-compromise events. (Mt. Gox, which reported losing roughly 850,000 BTC around its February 2014 filing, is not in that dataset at all — a reminder that trackers have scope limits too.) Compiler-layer bugs are also out of reach: the Curve DEX exploit of 2023-07-30 stemmed from a Vyper compiler bug, exactly where Quantstamp's disclaimer says review does not extend.
This article is informational only and is not financial, investment, or trading advice. Prices are reference snapshots and may be outdated. Always do your own research.