BLOCKCHAIN · SMART CONTRACT AUDIT

CREST-Certified Blockchain and Smart Contract Audit for UK Web3 Businesses

Smart contract security audit covering Solidity, Vyper, Move, and Cairo. Manual review of reentrancy, access control, oracle manipulation, gas optimisation, integration risk, and economic / game-theoretic attack vectors. Audit-grade reports accepted by exchanges, listing committees, and DeFi insurance.

CREST Member · Verify ↗
Smart Contract & Blockchain Audit
SOLIDITY · VYPER · MOVE
EVM · Solana · Aptos · Cairo
AUDIT-GRADE REPORT
Exchange · Listing · DeFi Insurance
CREST · Approved Provider
SMART · Contract Audits
FREE · Retest Included
24h · Scope to Active Test
$3B+ lost in DeFi exploits annually. Most exploits are findable through manual smart contract audit. Automated tools alone miss 60-70% of high-impact issues.

Solidity scanners catch reentrancy. They don’t catch business-logic flaws.

Slither, Mythril, and similar tools catch the classics — reentrancy, integer overflow, unchecked external calls. They cannot tell you whether your AMM’s pricing curve has a flash-loan-driven manipulation path, whether your governance token allows vote-buying via just-in-time liquidity, or whether your oracle aggregator gives an MEV bot the chance to front-run liquidations.

Our smart contract audit combines automated tooling with manual review by engineers who have written and exploited DeFi protocols. We model economic / game-theoretic attacks, validate integration assumptions, and check business logic across the full call graph. Reports are accepted by major exchanges, listing committees, and DeFi insurance underwriters as evidence of pre-launch security review.

SMART CONTRACT AUDIT COVERAGE

What We Audit in Smart Contracts

Twelve audit areas spanning code, economic, integration, and operational risk.

SC-1

Reentrancy & Race Conditions

Classic and cross-function reentrancy, read-only reentrancy, ERC-777 callbacks, ERC-721/1155 hook abuse, race-condition exploits.

SC-2

Access Control & Privilege

Modifier audit, role-based access, owner-only functions, privileged role escalation, time-locked admin actions.

SC-3

Oracle Manipulation

Price-feed manipulation via flash loans, AMM TWAP attacks, oracle update lag exploits, multi-oracle aggregation flaws.

SC-4

Economic / Game Theory

MEV exposure, sandwich-attack vulnerability, JIT liquidity, governance vote-buying, validator collusion paths.

SC-5

Gas & DoS

Gas-limit DoS attacks, unbounded loops, expensive storage operations, gas-griefing on receivers.

SC-6

Integration Risk

External-protocol assumption review (Aave, Uniswap, Chainlink, Curve), upgradability path audit, hookable callback risk.

SC-7

Storage & Layout

Storage collision in upgradable contracts, packed-struct mistakes, transient storage misuse, slot-aliasing attacks.

SC-8

Cryptographic Issues

Signature replay attacks, weak nonce handling, Merkle proof flaws, EIP-712 typing mistakes.

SC-9

Token Standards

ERC-20 / ERC-721 / ERC-1155 / ERC-4626 spec compliance audit, edge-case behaviours, fee-on-transfer / rebasing token integration.

SC-10

Upgradability

Proxy pattern review (Transparent, UUPS, Beacon), initialiser audit, upgrade authorisation chain, storage slot migration plans.

SC-11

Centralisation Risk

Admin-key analysis, multisig threshold review, timelock parameters, emergency pause authority.

SC-12

Off-chain Components

Bridge security review, off-chain oracle infrastructure, signing service exposure, MEV-relay configuration.

FOUR-PHASE METHODOLOGY

Smart Contract Audit — From Code to Attestation

Combined automated tooling + manual expert review. Economic and integration attacks modelled. Audit-grade report accepted by exchanges and DeFi insurance.

1

Code Walkthrough

Codebase familiarisation, dependency audit, deployment script review, automated tool baseline (Slither, Mythril, Aderyn).

2

Manual Code Review

Line-by-line review by a smart-contract security specialist. Business logic, access control, integration assumptions, economic exposure.

3

Exploit Development

Foundry / Hardhat exploit POCs for high-severity findings. Mainnet-fork testing where applicable. MEV-aware test harness.

4

Report & Mitigation

Audit-grade report with severity scoring, exploit POCs, recommended mitigations, free retest after remediation.

Verified Accreditations Auditors Accept

Every accreditation independently issued by a recognised UK certification body. Click CREST to verify our membership.

COMPLIANCE READY

Smart Contract Audit Reports Accepted Across Web3

Audit reports accepted by exchanges, listing committees, DeFi insurance underwriters, and emerging UK / EU crypto regulators.

Exchange Listing

Major UK and global exchanges (Binance, Kraken UK, OKX, Coinbase) typically require a smart contract audit for token listing review.

DeFi Insurance

Nexus Mutual, Sherlock, and other DeFi insurance protocols use third-party audits as primary underwriting evidence.

UK FCA Crypto Asset Promotions

Firms subject to UK FCA financial promotion requirements for crypto assets benefit from a documented technical security review.

EU MiCA

Markets in Crypto-Assets Regulation requires technical evidence for stablecoin and crypto-asset service provider authorisation.

SOC 2 Type II

SOC 2 audits for crypto custodians and infrastructure providers — smart contract audits provide CC7.1 evidence for blockchain components.

Bug Bounty Augment

Audit reports complement (not replace) ongoing bug bounty programs on Immunefi, Code4rena, Sherlock.

TRANSPARENT PRICING

Transparent Smart Contract Audit Pricing

All tiers include automated + manual review and audit-grade reporting. Price varies by codebase complexity, line count, and integration breadth.

SIMPLE PROTOCOL
£8,000 – £20,000
Depends on contract complexity

Single contract or simple multi-contract system, ≤500 lines of Solidity, basic ERC-20 / ERC-721. Typically 5-7 day audit.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

MOST COMMISSIONED
DEFI / INTEGRATION
£20,000 – £50,000
Depends on contract complexity

DeFi protocol with oracle integration, AMM curve, lending mechanics, or governance system. 500-2,000 lines. Typically 10-15 day audit.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

COMPLEX / L2
£50,000+
Depends on contract complexity

Complex DeFi protocol, L2 / rollup contracts, cross-chain bridge, custom VM, formal verification components. Typically 20+ day audit.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our service from automated scans and box-tick competitors.

🎯

What You Get From Smart Contract Audit

Manual code review by smart-contract security specialists, automated tool baseline, exploit POCs, audit-grade report, and free retest.

🔬

Manual + Automated Combined

Slither / Mythril / Aderyn for breadth. Manual review for depth. Foundry exploit POCs for verifiability. Economic attacks modelled.

💰

Economic / Game-Theory Modelling

We model MEV exposure, governance attacks, oracle manipulation, JIT liquidity. Findings most automated tools cannot reach.

📋

Exchange-Acceptable Reports

Audit reports formatted for major exchange listing committees, DeFi insurance underwriters, and FCA financial promotion submissions.

🇬🇧

UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. UK-based smart-contract security team with practical DeFi protocol experience.

Frequently Asked

What is a smart contract audit?

A smart contract audit is a manual security review of blockchain smart contracts (Solidity, Vyper, Move, Cairo) by specialist auditors. It identifies bugs, business-logic flaws, economic attack vectors, integration risks, and gas / DoS exposure before deployment to mainnet. Audits are typically required by exchanges, DeFi insurance, and listing committees.

How long does a smart contract audit take?

Simple protocol (single contract, ≤500 LOC): 5-7 working days. DeFi / integration audit (oracle, AMM, lending, 500-2,000 LOC): 10-15 days. Complex / L2 protocol (cross-chain, 2,000+ LOC, custom VM): 20+ days. Audit duration is determined during scoping based on lines of code and complexity.

How much does a smart contract audit cost in the UK?

Simple protocol: £8,000-£20,000. DeFi / mid-complexity: £20,000-£50,000. Complex / L2: £50,000+. UK day rates for smart-contract security specialists are £1,500-£2,500 per day.

What languages do you audit?

Solidity (most common, EVM-compatible chains), Vyper (Ethereum-focused), Move (Aptos, Sui), Cairo (Starknet). Other languages on request — we maintain a network of language-specialist subcontractors for niche L1s.

Do you audit DeFi protocols?

Yes. DeFi protocols are a major sector for us. We have specific experience with AMMs, lending protocols, yield aggregators, options / perpetuals, governance systems, and bridge contracts. Economic and game-theoretic attacks are core to our DeFi audit methodology.

Will an exchange accept your audit report?

Major UK and global exchanges (Binance, Kraken UK, OKX, Coinbase) accept third-party audit reports as part of their listing review process. While exchanges do their own technical review, an external audit substantially de-risks the listing decision.

Do you audit upgradable contracts?

Yes. Upgradable contracts (Transparent / UUPS / Beacon proxies) require additional review of the proxy pattern, initialiser, upgrade authorisation chain, and storage slot migration. Diamond proxy (EIP-2535) audits are also supported.

Do you provide bug bounty preparation?

Yes. Pre-bug-bounty hardening review is offered as a separate engagement or bundled with an audit. We identify the issues bounty hunters would likely find, allowing you to remediate before opening the bounty publicly. This substantially reduces bounty payout exposure.

Do you audit cross-chain bridges?

Yes. Cross-chain bridge audits are particularly complex due to multi-chain state assumptions, signing infrastructure, validator integrity, and message-passing security. Our team has audited several major cross-chain bridges and is comfortable with this scope.

Can you provide formal verification?

We coordinate formal verification through specialist subcontractor relationships (Certora, Runtime Verification) where required. Most audits don’t need formal verification — manual review + symbolic execution + exploit POCs is sufficient evidence for typical protocols.

Are your auditors UK-based and what experience do they have?

All smart-contract auditors are vetted UK or international engineers with practical DeFi / Web3 protocol development experience. Relevant background: published research, Code4rena / Sherlock contest wins, mainnet protocol launches, plus traditional pen-test certifications (CREST CRT).

Do you sign NDAs?

Yes. Standard NDA before any code review. Smart-contract audits often involve highly confidential pre-launch business logic — we operate under custom MSAs that include source-code IP clauses, embargo periods, and disclosure timing.

READY TO SCOPE

Book a Smart Contract Audit Scoping Call

30 minutes with a CREST + smart-contract security specialist. Fixed-price quote within 24 hours. No sales pipeline.