AL #002: You should run an internal security review
Formal internal security reviews are an overlooked part of smart contract security.
Many smart contract teams waste much of a $100k+ audit by treating it as a stamp of approval rather than as a second set of eyes on code they have already reviewed themselves.
External audits are a mandatory practice for good reason, but that does not mean they should be treated as a checklist exercise.
Why internal reviews
Internal security reviews help teams improve the security of their contracts and get far more value from the audits that follow.
Here are some of the benefits:
Auditors never guarantee that they will find every issue; their time and budget are always bounded. An internal review removes the easy findings first, so the external auditors can spend their limited time on the harder problems. You may even catch high-severity bugs that the auditors would have missed.
In particular, re-auditing fixes is time-consuming and expensive. A long list of findings means more rounds of fix review, which can add auditing costs and delays.
An internal security process produces useful documentation (scope, assumptions, known trade-offs, prior findings) that helps auditors get up to speed and maximizes their productivity.
Having an internal security process means that anything that "slips through the cracks" is treated seriously by the developers and can lead to process improvements. Without internal reviews, security issues tend to be brushed off as human error.
Some individual auditors and firms are moving to a "pay-per-vulnerability" model (see the tweet by Owen Thurm below). If this becomes widespread, there will be a direct monetary consequence to loose internal auditing practices.
This is not an esoteric idea; the best teams have been doing it for a long time.
In a post that dates back to 2019, the Maker Foundation wrote about using internal auditing to improve the security of Multi-Collateral Dai.
How to do internal reviews
A few principles matter for doing internal security reviews well.
Be structured
Treat it like a formal audit: assign a team, time-box it, define the scope (which contracts and which external dependencies are in scope), pin a commit hash so everyone reviews the same code and every finding can be reproduced against it, and use the same tools and processes that auditors would use (manual review, static analysis, fuzzing, and a written threat model of the privileged roles and trust assumptions).
Don't silo the auditing team
Involve several engineers rather than one designated security person, to foster a security-first mindset across the team. Your smart contract engineers will learn to see their own code in a new way.
Write down your findings
Write up an audit report and make sure every issue is addressed. Writing findings down explicitly (location, severity, impact, and the fix) forces you to resolve them fully rather than partially. Share internal audit reports with the external auditing team; they do wonders for helping auditors get up to speed quickly.
Build your auditing knowledge
Document your internal process: which tools you used, how you ran them, and what they did and did not cover. Think of it as building an internal security capability rather than a one-off exercise.
Close the loop
After the external audit is completed, go back and close the loop. For every issue the external auditors found that the internal review missed, or rated lower than they did, ask why it was missed and improve your process and documentation so the internal review catches that class of issue next time.
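The procedure above (pin a commit, write findings down, compare against the external report, close the loop) is easy to do by hand once and hard to keep doing consistently. The following script, added here as an example and not code from the original post, keeps a findings register and performs the close-the-loop comparison: it refuses to compare reports that were not pinned to the same commit, lists the external findings the internal review missed, flags issues the internal review caught but rated too low, and computes a per-severity catch rate. The `Finding` record, the matching rule (same contract and function means the same issue) and the sample findings are all constructed for illustration.

```python
"""Close-the-loop comparison of an internal and an external audit report.

Added example, not from the original post. The record layout, the matching
rule and the sample findings below are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    """One audit finding, pinned to the commit hash the review was scoped to."""
    commit: str       # git commit hash the review was performed against
    contract: str     # e.g. "Vault"
    function: str     # e.g. "withdraw"
    severity: str     # one of SEVERITY_RANK
    title: str

    def __post_init__(self):
        if self.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {self.severity}")

    @property
    def location(self):
        return (self.contract, self.function)


def close_the_loop(internal, external):
    """Compare the internal report with the external one.

    Two findings are treated as the same issue when they point at the same
    contract and function (an assumption for this example; in practice the
    team matches findings by hand). Returns the external findings the
    internal review missed, the ones it caught but under-rated, the findings
    only the internal review raised, and a per-severity catch rate.
    """
    commits = {f.commit for f in internal} | {f.commit for f in external}
    if len(commits) != 1:
        # Reviews of different code cannot be compared; fail loudly.
        raise ValueError(f"findings span several commits {sorted(commits)}; "
                         "both reviews must be pinned to the same hash")

    internal_by_loc = {}
    for f in internal:
        # Keep the highest internal rating per location.
        cur = internal_by_loc.get(f.location)
        if cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
            internal_by_loc[f.location] = f

    missed, under_rated, caught = [], [], []
    for ext in external:
        mine = internal_by_loc.get(ext.location)
        if mine is None:
            missed.append(ext)
            continue
        caught.append(ext)
        if SEVERITY_RANK[mine.severity] < SEVERITY_RANK[ext.severity]:
            under_rated.append((mine, ext))

    ext_locs = {f.location for f in external}
    internal_only = [f for f in internal if f.location not in ext_locs]

    total = Counter(f.severity for f in external)
    hit = Counter(f.severity for f in caught)
    catch_rate = {sev: hit[sev] / total[sev] for sev in total}

    return {"missed": missed, "under_rated": under_rated,
            "internal_only": internal_only, "catch_rate": catch_rate}


# Constructed sample data: a placeholder commit hash and made-up findings.
COMMIT = "0" * 40
INTERNAL_REPORT = [
    Finding(COMMIT, "Vault", "withdraw", "high", "state updated after external call"),
    Finding(COMMIT, "Vault", "setFee", "low", "missing event on fee change"),
    Finding(COMMIT, "Oracle", "latestPrice", "medium", "no staleness check on round data"),
    Finding(COMMIT, "Vault", "pause", "info", "inconsistent naming of pause flag"),
]
EXTERNAL_REPORT = [
    Finding(COMMIT, "Vault", "withdraw", "high", "reentrancy via untrusted token callback"),
    Finding(COMMIT, "Oracle", "latestPrice", "high", "stale price accepted"),
    Finding(COMMIT, "Vault", "deposit", "medium", "share rounding favours depositor"),
    Finding(COMMIT, "Vault", "setFee", "low", "no event emitted"),
]


if __name__ == "__main__":
    r = close_the_loop(INTERNAL_REPORT, EXTERNAL_REPORT)
    for f in r["missed"]:
        print(f"MISSED      {f.severity:<8} {f.contract}.{f.function}: {f.title}")
    for mine, ext in r["under_rated"]:
        print(f"UNDER-RATED {mine.severity}->{ext.severity} {ext.contract}.{ext.function}")
    for sev, rate in sorted(r["catch_rate"].items(),
                            key=lambda kv: -SEVERITY_RANK[kv[0]]):
        print(f"catch rate  {sev:<8} {rate:.0%}")
```

The output you want to act on is the `MISSED` and `UNDER-RATED` lines: each one is a class of issue to add to the internal checklist or tooling before the next review. The catch rate by severity is the metric to track across audits; if it stays flat, the internal process is not actually improving.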
Build your security force
Having both internal and external review processes creates a positive feedback loop in which each process strengthens the other over time.
Some of the most successful companies in the space are already building serious internal security teams.
Start now by doing an internal review.