In a decentralized world where security is mission-critical, smart contract auditors are the unsung heroes, but not all auditors are created equal. Some have a proven track record of securing billions in assets, while others have missed critical vulnerabilities. So, how do you know which ones truly offer the best protection for your smart contracts?
To answer this, we conducted a data-driven analysis of the top smart contract auditors, evaluating their effectiveness based on key performance metrics. This analysis is used within Exponential Risk Ratings to assess the code quality of protocols, factoring in which auditors have reviewed their smart contracts as part of our overall protocol risk evaluation. By evaluating the auditors themselves, we provide a more complete picture of smart contract risk — empowering investors, developers, and users to make informed decisions.

Auditor tiers
We classify smart contract auditors into three distinct tiers based on their experience, reputation, audit volume, and historical hack metrics:
- Tier 1: Leading auditors with extensive experience, strong industry reputation, high audit volume, and minimal instances of security breaches or lost funds.
- Tier 2: Established auditors with moderate experience, a solid reputation, a reasonable audit volume, and an acceptable track record regarding security incidents.
- Tier 3: Emerging or lower-tier auditors with limited experience, a weaker reputation, fewer audits, or a history of security breaches and substantial funds lost.
Methodology
Each auditor is assessed across three core categories:
- Experience score (33% weight) - Evaluates the number of years in operation and total audits completed.
- 1 point: Auditor ranks above the 50th percentile for both years active and audits conducted.
- 0.75 points: Auditor ranks above the 50th percentile for one variable (either years active or audits completed) and between the 25th and 50th percentile for the other.
- 0.5 points: Auditor ranks between the 25th and 50th percentile for both variables.
- 0.25 points: Auditor ranks below the 25th percentile for one variable (either years active or audits completed) and between the 25th and 50th percentile for the other.
- 0 points: Auditor falls below the 25th percentile for both variables.
- Quality score (33% weight) - Measures the effectiveness of audits based on the rate of security breaches (hack rate) and the average funds lost per audit. For both metrics, lower is better.
- 1 point: Auditor has a hack rate and funds lost both below the 25th percentile.
- 0.75 points: Auditor ranks below the 25th percentile for one metric (either hack rate or funds lost) and between the 25th and 50th percentile for the other.
- 0.5 points: Auditor ranks between the 25th and 50th percentile for both metrics.
- 0.25 points: Auditor ranks above the 50th percentile for one metric and between the 25th and 50th percentile for the other.
- 0 points: Auditor ranks above the 50th percentile in both metrics.
- Trust score (34% weight) - Assesses team backgrounds and social presence as indicators of credibility and industry reputation.
- 1 point: Strong team credentials and an active social presence.
- 0.5 points: Moderate team background and presence.
- 0 points: Minimal team information or engagement.
Scoring and tier assignment
The final auditor score is calculated as follows:
Total score = (Experience score * 0.33) + (Quality score * 0.33) + (Trust score * 0.34)
Auditors are then categorized based on their percentile ranking:
- Tier 1: Total score above the 50th percentile (top 50%)
- Tier 2: Total score between the 25th and 50th percentile
- Tier 3: Total score below the 25th percentile (bottom 25%)
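The scoring procedure above, carried through end to end as an added example. This is not Exponential's code, and the dataset in it is constructed: the firm names are placeholders and the figures are invented to exercise each bucket of the tables. It also has to pin down several points the methodology leaves open, all of which are assumptions rather than anything the page states: hack rate is taken as hacks / audits and average loss per audit as funds lost / audits; a percentile rank is the share of the population strictly below a value, so the median value itself counts as "P50 or above", matching the way the appendix phrases its medians; quality percentiles are computed over firms with at least one recorded hack, as in the appendix, which puts a firm with no recorded hacks in the best bucket; and the one combination neither table defines (one variable above P50, the other below P25) is scored 0.5.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Auditor:
    name: str
    years_active: int
    audits: int
    hacks: int          # recorded exploits of protocols this firm audited
    funds_lost: float   # total USD lost in those exploits
    trust: float        # 1.0, 0.5 or 0.0, as in the Trust category


@dataclass(frozen=True)
class Score:
    experience: float
    quality: float
    trust: float
    total: float
    tier: int


def percentile_rank(value: float, population: Sequence[float]) -> float:
    """Share of the population strictly below `value`, in [0, 1).

    Assumed tie rule: a value equal to the median therefore ranks 0.5 and
    counts as 'P50 or above', the way the appendix words its medians.
    """
    return sum(1 for v in population if v < value) / len(population)


def bucket(rank: float) -> int:
    """0 = below P25, 1 = between P25 and P50, 2 = P50 and above."""
    if rank >= 0.5:
        return 2
    if rank >= 0.25:
        return 1
    return 0


def score_auditors(auditors: List[Auditor]) -> Dict[str, Score]:
    years = [a.years_active for a in auditors]
    audits = [a.audits for a in auditors]
    # Quality percentiles are taken over firms with at least one recorded
    # hack, as in the appendix. hacks/audits and funds_lost/audits are the
    # assumed definitions of hack rate and average loss per audit.
    hacked = [a for a in auditors if a.hacks > 0]
    rates = [a.hacks / a.audits for a in hacked]
    losses = [a.funds_lost / a.audits for a in hacked]

    partial: Dict[str, Tuple[float, float, float, float]] = {}
    for a in auditors:
        # Higher is better. Summing the two buckets and dividing by 4
        # reproduces the table (2+2 -> 1.0, 2+1 -> 0.75, 1+1 -> 0.5,
        # 1+0 -> 0.25, 0+0 -> 0) and gives 0.5 to the mixed case (2+0)
        # that the page leaves undefined (assumption).
        e = (bucket(percentile_rank(a.years_active, years))
             + bucket(percentile_rank(a.audits, audits))) / 4
        # Lower is better, so the buckets are inverted. A firm with no
        # recorded hacks has rate 0 and loss 0, ranks below every hacked
        # firm, and scores 1.0.
        q = (4 - bucket(percentile_rank(a.hacks / a.audits, rates))
               - bucket(percentile_rank(a.funds_lost / a.audits, losses))) / 4
        total = 0.33 * e + 0.33 * q + 0.34 * a.trust
        partial[a.name] = (e, q, a.trust, total)

    # Tiers are percentiles of the total score across the whole dataset.
    totals = [p[3] for p in partial.values()]
    tier_of_bucket = {2: 1, 1: 2, 0: 3}
    return {
        name: Score(e, q, t, round(total, 4),
                    tier_of_bucket[bucket(percentile_rank(total, totals))])
        for name, (e, q, t, total) in partial.items()
    }


# Constructed sample dataset: placeholder firms, invented figures.
SAMPLE = [
    Auditor("A", 8, 200, 4, 10_000_000, 1.0),
    Auditor("B", 7, 150, 6, 60_000_000, 1.0),
    Auditor("C", 6, 90, 0, 0, 0.5),          # no recorded hacks
    Auditor("D", 5, 60, 3, 30_000_000, 0.5),
    Auditor("E", 4, 45, 2, 5_000_000, 0.5),
    Auditor("F", 3, 25, 5, 80_000_000, 0.0),
    Auditor("G", 2, 15, 1, 500_000, 0.0),    # high hack rate, low loss per audit
    Auditor("H", 9, 30, 1, 2_000_000, 1.0),
]

if __name__ == "__main__":
    ranked = sorted(score_auditors(SAMPLE).items(), key=lambda kv: -kv[1].total)
    for name, s in ranked:
        print(f"{name}: experience={s.experience} quality={s.quality} "
              f"trust={s.trust} total={s.total} tier={s.tier}")
```

Running it prints each firm's three component scores, total and tier. In the constructed data, firm B has the second-largest total funds lost yet lands in Tier 1, because the quality term is capped at one third of the total and strong experience and trust make up the difference; that is a property of the 0.33/0.33/0.34 weighting, not of the data, and is worth keeping in mind when reading a Tier 1 label.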
Limitations
This analysis aims to provide a comprehensive view of the auditor landscape, but it is not perfect, and it has limitations:
- Data accuracy: The total number of audits per firm was sourced from publicly available audit reports, GitHub repositories, De.Fi’s audit database and official auditor websites. Some audits are never publicly disclosed or published, so audit counts may be understated. Hack statistics were sourced from the Rekt Database, which tracks major exploits in DeFi; it may not capture every security breach, especially smaller ones or those not widely reported.
- Trust score subjectivity: While social presence and team background were assessed using standardized criteria, evaluating an auditor’s reputation involves a degree of subjectivity. Reputation is based on publicly available information, but factors such as industry influence, community engagement, or private background can be more difficult to quantify.
Results
Our research found that half of the auditors in our dataset have at least six years of experience and have conducted at least 69 audits. Among those with recorded exploits, the median hack rate is 5.88%, and half of those auditors have seen at least $29M lost in total across the protocols they audited.
For full transparency, you can access the dataset used in this analysis here.
Think we missed an auditor? Or found data inaccuracies? Help us refine our rankings by reaching out to [email protected]. Our goal is to provide the most reliable, up-to-date information on auditors so projects, investors, and users can rely on our rankings.
Appendix
The following charts and figures provide additional insights into the distribution of key performance metrics. These data points are used in our ranking methodology to assess experience and quality scores.
Experience metrics
Years active
- P50 (median): Half of the auditors in our dataset have 6 years of experience or more.
- P25: A quarter of the auditors have 4 years or less, while 75% have more.
- P10: Only 10% of auditors have 3 years or less, with 90% having more.
Audits completed
- P50 (median): Half of the auditors have conducted 69 or more audits.
- P25: A quarter have completed 40 or fewer audits, while 75% have more.
- P10: Only 10% have performed 20 or fewer audits, indicating that most auditors have significantly more experience.
Quality metrics (among auditors that have been hacked)
Number of recorded hacks
- P50 (median): Half of the hacked auditors have 5 or more recorded incidents.
- P25: A quarter have 2 or fewer hacks, while 75% have more.
- P10: Only 10% have 1 or fewer recorded hacks, meaning most have faced multiple incidents.
Hack rate
- P50 (median): Half of these auditors have a hack rate of 5.88% or higher.
- P25: A quarter have a hack rate of 3.58% or lower, while 75% have a higher rate.
- P10: Only 10% have a hack rate of 1.75% or lower, showing that hack rates above this level are common.
Total funds lost
- P50 (median): Among hacked auditors, half have lost at least $29M in total.
- P25: A quarter have lost $4.6M or less, while 75% have more.
- P10: Only 10% have lost $600k or less, indicating that most have suffered significantly larger financial losses.
Average funds lost per audit
- P50 (median): Half of the auditors in this dataset have an average loss of $352k or more per audit.
- P25: A quarter have an average loss of $69k or below, while 75% exceed this amount.
- P10: Only 10% average $5k or less in losses per audit, suggesting that most auditors in this dataset have higher per-audit losses.