Your code needs an audit
Heyo,
Jules here, from the Cyfrin team - with a new issue of your weekly web3 security newsletter!
The amount of stolen crypto assets increases every year by millions of dollars.
Projects are looking for audits as support - but the question remains: "which is better, private or competitive audits?"

Some definitions
Private Audits: a consultation by 2-4 security researchers conducting a smart contract review, resulting in a detailed report.
Competitive Audits: auditing contests where auditors from around the world scrutinize a codebase for a reward. CodeHawks is a great example of this.
Bug Bounties: an open-ended program where auditors only get a reward when they successfully discover a vulnerability.

Which audit type is best?
TLDR: Depends on the stage, timeline, complexity, and the budget.
Based on project's development stage
Private audits: Early on, private audits will provide a deep review to set a solid foundation for scaling. Also, if the project is deploying upgrades, having someone with continuous context like private auditors is best to provide a deeper review and report.
Competitive audits: When the project is about to deploy to mainnet, competitive audits allow for more auditors watching your codebase, translating into more bugs found.
Bug bounties: After deployment, bug bounties will be your best bet to incentivize hackers to warn you before the hack occurs.
Based on project's launch timeline
If the product is soon to launch, a competitive audit will be the best since more auditors will look at the code at once and there's no rush on audit scheduling.
Private firms often have retainer options though, which may help with continuous releases and quicker timelines.
Based on codebase complexity
Complexity is usually determined by the size of the codebase and how advanced the functionality is. This means that:
Private audit for the deep dive review and report
Competitive audit to find all possible vulnerabilities
The more complex the codebase, the more a hybrid approach is needed!
Based on budget
Competitive audits offer flexible prize pools, catering to projects of varied sizes. These range from $10,000 to $100,000, with some complex ones up to ~$800k.
On the other hand, private audits can range anywhere from $40k-$60k a week, some leading up to ~$500k total.

Ultimately, the more audits a codebase goes through, the less likely a hack will occur. When deploying your codebase to mainnet, consider going through all the above to keep your users' assets safe.
For a deeper review, check out our article here: https://www.cyfrin.io/blog/competitive-vs-private-audits-comparison
Get started with smart contract audits
Apply for Cyfrin Updraft early access to learn how to code and audit smart contracts!
We're releasing a smart contract security course in the coming weeks. Stay tuned!

Keeping up with Web3 security
Raft was hacked for 3.3M last week. Here's how it happened.
GPTs were all the rage last week, but could there be a backdoor risk in code interpreters? Seems so!
Looking for a smart contract auditing firm but you're unsure which ones are the best? Check out the top 10 best auditing firms here.
Let me know if you have any questions, happy to help!
Sending cyber love,
Jules
