101 - State of Audits
Web3 projects seem to increasingly rely on external audits as a stamp of security approval. This is typically justified by the lack of sufficient in-house security expertise. While the optics of this approach seem to falsely convince speculators, it is untenable for several reasons:
- Audits currently are very expensive because demand is much greater than supply for top-rated audit teams that have the experience and reputation to analyze complex projects
- Audits are typically commissioned once at the end of project development just before production release
- Upgrades to projects go unaudited for commercial or logistical reasons
- The expectation (from the project team and users) is that audits are a panacea for all vulnerabilities and that the project is “bug-free” after a short audit (typically a few weeks)
- External Assessment
- Security Assessment X -> Stamp of approval
- In-house X -> Expertise
- External Audit Firms
- Unreal expectations
- Very expensive
- Demand >> Supply
- Increase/Train Auditors