A smart contract audit is an independent review of on-chain code, deployment configuration, and related documentation. Auditors look for logic errors, unsafe access controls, economic design flaws, and gaps between documented behavior and actual implementation. The goal is to reduce preventable risk before users interact with a protocol—not to certify that code is risk-free.
What auditors typically review
- Core contract logic, state transitions, and permission models
- Admin keys, upgrade paths, pausing mechanisms, and timelocks
- Token economics, fee flows, and oracle or bridge dependencies
- Test coverage, deployment scripts, and change-management records
- Documentation accuracy compared to deployed bytecode
What an audit is not
No audit report can guarantee fund safety or eliminate all future bugs. Audits are point-in-time reviews with scope limits. Residual risk remains from upgrades, integrations, governance changes, and novel attack patterns discovered after publication.
How to use audit reports in due diligence
- Confirm the report matches the deployed contract addresses and version you plan to use.
- Read unresolved findings and severity ratings—not only the executive summary.
- Check whether critical issues were fixed and re-reviewed before launch.
- Review admin controls, upgradeability, and external dependencies separately.
- Prefer protocols that publish remediation status and ongoing monitoring plans.
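One concrete check behind the first item in this list, added here as an example that is not part of the original page: compare the runtime bytecode a node returns for a deployed address (eth_getCode) with the runtime bytecode compiled from the commit the audit covered. It assumes solc-style CBOR metadata trailers and uses constructed sample bytecode; `verify_deployment`, `split_metadata` and `solc_trailer` are the example's own names, not a library API.

```python
"""Compare deployed EVM runtime bytecode with the build an audit covered.

solc appends a CBOR metadata blob (source hash, compiler version) plus a 2-byte
big-endian length to runtime bytecode; a faithful rebuild can differ only there,
so the check reports an exact verdict and a code-only verdict separately.
"""
from dataclasses import dataclass

@dataclass
class BytecodeVerdict:
    exact_match: bool  # byte-for-byte identical, metadata trailer included
    code_match: bool   # identical once the metadata trailer is removed
    deployed_meta_len: int
    audited_meta_len: int

def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Return (executable code, CBOR metadata); the whole input counts as code
    if no plausible trailer is present (bad length, or not a small CBOR map)."""
    if len(code) < 2:
        return code, b""
    start = len(code) - 2 - int.from_bytes(code[-2:], "big")
    if start < 0:
        return code, b""
    meta = code[start:-2]
    if not meta or meta[0] not in (0xA1, 0xA2, 0xA3):  # CBOR map, 1-3 entries
        return code, b""
    return code[:start], meta

def verify_deployment(deployed_hex: str, audited_hex: str) -> BytecodeVerdict:
    """deployed_hex: eth_getCode output; audited_hex: runtime code of the audited build."""
    deployed = bytes.fromhex(deployed_hex.removeprefix("0x"))
    audited = bytes.fromhex(audited_hex.removeprefix("0x"))
    d_code, d_meta = split_metadata(deployed)
    a_code, a_meta = split_metadata(audited)
    return BytecodeVerdict(deployed == audited, d_code == a_code, len(d_meta), len(a_meta))

def solc_trailer(ipfs_digest: bytes) -> bytes:
    """Constructed solc-style trailer {"ipfs": <34 bytes>, "solc": 0.8.19} plus its length."""
    meta = b"\xa2\x64ipfs\x58\x22" + ipfs_digest + b"\x64solc\x43\x00\x08\x13"
    return meta + len(meta).to_bytes(2, "big")

# Constructed sample bytecode, not taken from any real deployment.
_BODY = bytes.fromhex("6080604052348015600f57600080fd5b")
AUDITED_HEX = "0x" + (_BODY + solc_trailer(b"\x11" * 34)).hex()
REBUILT_HEX = "0x" + (_BODY + solc_trailer(b"\x22" * 34)).hex()   # same code, new source hash
TAMPERED_HEX = "0x" + (_BODY[:-1] + b"\xff" + solc_trailer(b"\x11" * 34)).hex()
```

A rebuilt artifact that only differs in the metadata hash yields `code_match=True, exact_match=False`; any change in the executable part fails both, which is the case that should block relying on the report.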
Before you hire auditors
Teams that prepare scope documents, threat models, test suites, and deployment records receive more actionable findings. Use the fieldbook audit readiness section on the home page to organize materials before engaging a firm.