With over 120 audits conducted and over 2 billion USD worth of digital assets secured since we were founded in 2017, Quantstamp is a leader in smart contract security and development. The purpose of this post is to explain the audit pricing process for our potential clients. Many factors contribute to the cost of a smart contract audit including, but not limited to:
- Audit complexity,
- The number of engineering hours it takes to conduct the audit,
- The timeline, and
- The depth of security services.
The varying complexity of an audit influences the cost of an audit. An example of a low cost audit is a token that strictly follows the ERC20 standard. The ERC20 token standard is one of the earliest design patterns in Ethereum smart contract development and is well understood at this point.
As the complexity of an audit increases, it requires more engineering hours, and therefore will lead to a higher audit cost. For example, a DeFi project that interoperates with several different DeFi smart contracts in patterns that have not been utilized before will require more time than an ERC20 audit.
Having clear documentation can also reduce the complexity of an audit. Sometimes, Quantstamp audits projects that have little to no documentation. This requires more time for our auditors to understand these systems and therefore puts upward pressure on the cost.
If a client requires smart contracts to be audited within a short timeline, they will be expected to pay a premium. The amount of time it takes to adequately audit a project varies based on complexity, so make sure to contact Quantstamp early in order to factor audit time into your development cycle.
Quote and Audit Process
In order to receive a quote, visit our audits page, click on the `Request a Security Audit` button, and fill out the required information. A Quantstamp business representative will contact you and then schedule a meeting between you, a lead auditor, and the business representative. After receiving all necessary documentation and artifacts, Quantstamp will assess the workload and provide a quote containing the cost of your audit.
Once accepted, 3 - 4 of our auditors will:
- Independently review your code and documentation,
- Check whether the code conforms to the provided specification,
- Perform automated analyses on the code,
- Run the test suite,
- Measure test coverage,
- Discuss any differences in their findings, AND
- Come to consensus on solutions and recommendations.
After these steps are complete, an initial report identifying vulnerabilities and other security information will be created and sent to your team. At this point, your audit is still not complete: your team will need to review the findings and send Quantstamp the fixes. Quantstamp will also review these fixes and then send you a final report once all findings and fixes are addressed.
Throughout the audit process, Quantstamp auditors and client developers will have open lines of communication.
After your audit is complete, you will receive a certificate such as the ones listed below. This certificate can be used to prove to your users that an official audit was conducted by Quantstamp.