frequently asked questions
How much does an audit with Solidified cost?
The cost is determined by the complexity of smart contracts and how many experts you’d like to verify the code. For a standard tokensale based on OpenZeppelin contracts, the price is 3-5 ETH per auditor. For custom platforms and services, the expert cost is in the range of 8-12 ETH. Solidified takes a 10% fee for the service.
Verification of fixes post-audit is a much smaller fee, typically 1-2 ETH, since we use the same auditors that performed the initial audit who are already familiar with the code.
Running a bounty program is an optional final step, but highly recommended, in which case additional bug payouts may occur.
Sample use-case: You are doing a tokensale audit with 3 experts and verifying the fixes. The total might be: 3*4 ETH + 1 ETH fixes + 1.3 ETH fee = 14.3 ETH.
Sample use-case: You are doing an audit of a securities platform with 3 experts, verifying the fixes and running a bounty program. During bounty campaign, 1 Major issue was discovered. The total might be: 3*9 ETH + 3 ETH fixes + 3 ETH fee + 6 ETH = 39 ETH.
What is the audit process like?
Securing your smart contract is a multi-step process. Solidified is the only platform where the entire technical due diligence lifecycle is performed. What does this mean:
Phase 1: Multi-expert Audit
Several highly-competent Solidity auditors perform an isolated and unbiased review of your contract. Each of them sits down 1:1 with the contract and prepares an audit report. After each auditor finishes their individual report, they enter into a group debrief. During the debrief, they discuss the validity of each found issue and cross-check each other for quality. From the group consensus, the final combined report is prepared and delivered to the client. The report contains issues in different categories and recommendations on how to fix each issue. You can view our past reports here.
Phase 2: Fixes and Verification
Client addresses the issues found and submits the updated version of the contracts. Solidified uses the same auditors as assigned in Phase 1 to verify that the issues have been fixed and no new vulnerabilities have been introduced. After the verification is complete, the audit report is amended, stating which issues have been addressed, and final version is sent to the client. (We will soon be offering an additional service, where the auditors can implement the fixes for the issues found on behalf of the client.)
Phase 3: The Bounty program
The client posts their contract on Solidified bounty platform where it is put in front of the entire verified expert community (150+). This is an optional, but highly recommended step, especially for more complex smart contracts. Client selects incentives for Critical, Major and Minor bugs found and funds the escrow account with the total bounty pool. After this, the contract goes live on bounty and recommended to stay there for at least 2 weeks. If a bug is found and approved (either by client or through community arbitration) the reward is automatically released from the escrow to the bounty hunter.
Phase 4: Bug Prediction Market (coming late 2018)
To further show confidence and transparency in the security of your code, a prediction market is automatically opened for your smart contract on whether a bug will be found in the deployed code within timeframe X. This feature is currently in development.
How long does the audit take?
Tokensales: 4-5 days for initial audit, 1-2 days for verification of fixes.
Custom platforms: 1-2 weeks minimum.
Additionally, add 2 weeks for the bounty program.
What is required to start the audit?
- a) Final version of your smart contracts
- b) Spec of Intended Behavior
For ICOs, you can view example specs here:
For custom platforms, you can take a look here:
How does a Solidified audit compare with other auditing firms, Quanstamp, et al.
Most auditing firms will charge more.
Most auditing firms dedicate 1 auditor to verify your code.
Most auditing firms perform only a part of the entire audit process (i.e. initial audit report).
Most auditing firms will do a private audit (we publish our audit reports publicly here).
Automated tools and formal verification efforts (Quantstamp, Fujitsu, et al.) are much needed efforts, but are 3-5 years away from being relied upon for a full security audit of a multi-million dollar project. We believe these tools to be a good initial check for low-hanging bugs.
Does Solidified provide a security guarantee after the audit?
We currently do not provide a security warranty or guarantee following an audit, but
are in talks with several insurance providers to offer this service in the near
future at additional cost.
If you are an insurance provider, you may contact us here.
How long has Solidified been operating?
Solidified has been operating since November 2017.
How many audits has Solidified performed?
We’ve performed over 50 audits for some of the well-known clients like Polymath, Wyvern, Restart Energy, Iconiq Lab, Well Inc, EZToken and others securing over 30,000 ETH.
How many experts are in Solidified network?
Our network comprises Auditors, Bounty Hunters and Expert-level Solidity developers.
Total there are currently over 150 experts in our network.
What are your experts’ qualifications?
Our experts come from one of 3 backgrounds:
- Solidity Auditors (must have track record of past audits)
- Solidity Bounty hunters (must show bounties won)
- Expert-level Solidity devs (must be contributor to at least 2 major Ethereum projects).
Are the experts employees of Solidified?
No, they are not.
What is the process of becoming an auditor with Solidified?
Every expert must submit an application on our site. We verify relevant track record, which must include either past audits, bounties won or prominent contributions to Ethereum projects.
We then review past and current work history to make sure there is no conflict of interest. Finally, we take the recruit through a test audit with an experienced member of Solidified network and evaluate the skill level. We make the final decision as a result.
I want a Solidified t-shirt, what can I do?
Solidified tee is an exclusive swag. You can get it either by becoming a Solidified auditor and performing your first audit, or filing an approved bug during the bounty.
I love the project, how can I contribute?
We were born from the community and consider our members to be of most importance. If you’d like to help, we are currently needing help from Solidity developers, economists, game theory specialists, bloggers and Ethereum community organizers. Email us here