"How much does a smart contract audit cost?" is the most common question we get from founders and protocol teams. The honest answer is that it depends, but not in the evasive way most firms use that phrase. Audit cost is driven by a small number of concrete, measurable factors, and once you understand them, you can estimate your own budget before reaching out to any firm.
This guide covers real 2026 pricing data, the six factors that determine what you'll pay, and how to evaluate whether that spend is worth it relative to the risk of not auditing. We publish this because pricing transparency in the audit market is rare, and the lack of it benefits no one except firms charging premiums for undifferentiated work.
Smart Contract Audit Pricing in 2026: The Real Numbers
Audit pricing spans roughly two orders of magnitude depending on what you're building. Here are the ranges based on our own engagements and verified market data from Softstack's 2025 audit cost analysis:
| Project Type | Lines of Code | Typical Price Range | Timeline | Examples |
|---|---|---|---|---|
| Token / Simple Contracts | Under 500 LOC | $5,000 - $15,000 | 1-2 weeks | ERC-20 tokens, ERC-721 NFTs, simple staking, vesting contracts |
| DeFi / Protocol-Level | 500 - 5,000 LOC | $15,000 - $60,000 | 2-4 weeks | Lending protocols, AMMs, yield aggregators, custom DEX logic |
| Complex / Infrastructure | 5,000+ LOC | $60,000 - $200,000+ | 4-8+ weeks | L1/L2 chains, cross-chain bridges, ZK circuits, novel consensus mechanisms |
The lower bound of each tier assumes standard patterns with well-known libraries (e.g., OpenZeppelin), clean documentation, and a flexible timeline. The upper bound reflects custom logic, novel mechanisms, tight deadlines, or multi-chain deployments. Projects that combine multiple complexity factors (a cross-chain DeFi protocol with custom oracle logic and an aggressive launch timeline) will trend toward the top of their range or above it.
The industry-standard auditor day rate sits between $500 and $1,200, depending on firm tier, auditor seniority, and regional market. Most engagements involve two to four auditors working in parallel.
The 6 Factors That Drive Audit Cost
Every reputable firm evaluates the same core variables when scoping. Understanding these gives you leverage, both to budget accurately and to judge whether a quote is fair.
1. Lines of Code (LOC)
The primary cost driver. More code means more auditor-hours. But raw LOC is a crude metric. What matters is the volume of logic-bearing code. A 3,000-line contract with 2,000 lines of well-tested library imports and 1,000 lines of custom logic is a fundamentally different engagement than 3,000 lines of bespoke business logic with no test coverage.
Reputable firms exclude standard library code from the primary estimate and focus on novel logic, custom integrations, and areas where the protocol deviates from established patterns. If a firm quotes purely on LOC without evaluating logic density, that's a signal they're not examining the code deeply enough.
2. Protocol Complexity
A standard ERC-20 token with mint, burn, and transfer functions has a narrow attack surface. A lending protocol with dynamic interest rate models, liquidation mechanisms, oracle dependencies, and governance controls has an exponentially larger one.
Complexity isn't just about what the code does. It's about how many components interact and how many states the system can enter. The Euler Finance exploit ($197 million) targeted an interaction between a donation function and a liquidation mechanism that was syntactically correct in isolation but economically exploitable in combination. Auditing for this class of vulnerability requires understanding the protocol as an economic system, not just a codebase.
Protocols with any of the following will trend toward the upper end of their price range:
- Custom oracle implementations or multi-oracle fallback logic
- Flash loan compatibility or deliberate flash loan integration
- Upgradeable proxy patterns (UUPS, Transparent, Diamond)
- Cross-protocol composability (integrations with Aave, Uniswap, Curve, etc.)
- Governance mechanisms that can alter protocol parameters
- Novel mathematical models (bonding curves, dynamic fees, auction mechanisms)
3. Language and Chain
Solidity on Ethereum/EVM chains is the most mature audit market. Tooling is robust (Slither, Mythril, Echidna, Foundry), auditor supply is highest, and vulnerability patterns are well-catalogued. This generally means faster, more cost-efficient audits.
Other ecosystems carry a premium:
| Language / Chain | Audit Cost Premium | Reason |
|---|---|---|
| Solidity (EVM) | Baseline | Deepest tooling and auditor pool |
| Rust (Solana, Near, Cosmos) | 10-30% above baseline | Smaller auditor pool, different vulnerability classes |
| Move (Aptos, Sui) | 20-40% above baseline | Limited auditor availability, newer language |
| Cairo (Starknet) | 20-50% above baseline | Specialized ZK knowledge required |
| Huff / Yul (EVM assembly) | 30-50% above baseline | Low-level code requires senior auditors exclusively |
The premium reflects auditor scarcity and tooling maturity, not inherent language quality. As ecosystems mature, premiums compress. Solana/Rust auditing costs have dropped roughly 15-20% since 2023 as the auditor pool expanded.
4. Timeline Urgency
Standard engagement timelines range from two to six weeks depending on scope. Compressed timelines ("we need this done before our mainnet launch in 10 days") require firms to reallocate auditors, work extended hours, or staff more people in parallel.
The rush premium typically ranges from 25% to 100% above standard pricing. An accelerated audit requires the same or more coverage delivered in less calendar time, which means higher daily resource allocation.
The better approach: engage early. Start scoping when your contracts are 70-80% complete. This lets the firm schedule the engagement, begin architecture review, and avoid the rush surcharge entirely. It also surfaces design-level issues before they're expensive to fix.
5. Re-Audit and Remediation Scope
Every audit produces findings. Findings require fixes. Fixes require verification. This re-audit phase is distinct from the initial engagement, and firms handle it differently. Some bundle it into the initial quote, others price it separately, and some have no formal process at all. Ask before signing.
For teams planning ongoing development, retainer or re-engagement agreements typically cost 40-60% of the initial audit for a comparable scope review. Annual re-audits are strongly recommended for any protocol that ships upgrades, parameter changes, or new integrations.
6. Number of Auditors Required
Simple contracts can be effectively audited by one or two senior auditors. Complex DeFi protocols require three to four working in parallel, often with complementary specializations (one focused on economic logic, another on low-level EVM behavior, a third on integration risk).
Infrastructure-level engagements (L1 chains, bridges, ZK systems) may require five or more, including specialists in cryptography, consensus mechanisms, or cross-chain message verification.
More auditors means higher cost, but also broader coverage. Our analysis of the 100 largest DeFi hacks found that many exploited protocols had narrow audit coverage: single-auditor reviews that missed interaction-level vulnerabilities.
What's Included in a Comprehensive Engagement
Not all audits deliver the same thing. When evaluating proposals, compare deliverables, not just price.
Pre-Audit Phase
- Architecture review: Understanding system design, intended behavior, trust assumptions, and threat model before examining code. This is where business logic vulnerabilities get surfaced, the category responsible for the most costly exploits.
- Scope definition: Clear documentation of which contracts, functions, and integrations are in scope. Ambiguity here is where coverage gaps start.
- Documentation review: Evaluating specs, whitepapers, and technical documentation against actual implementation.
Audit Phase
- Manual code review: Line-by-line examination by senior auditors. Still the highest-signal component of any audit. Automated tools catch known patterns; manual review catches novel vulnerabilities, logic errors, and economic exploits.
- Automated analysis: Static analysis (Slither, custom detectors), symbolic execution (Mythril), and property-based fuzzing (Echidna, Foundry fuzz). Force multipliers, not replacements for human review.
- Business logic testing: Evaluating the protocol's economic model, governance mechanics, and operational assumptions. Does the liquidation math hold under extreme conditions? Can governance be captured through flash loan voting? Are admin keys a single point of failure?
- Integration analysis: How the protocol interacts with external dependencies: oracles, other DeFi protocols, bridges, token standards.
Deliverables
- Detailed findings report: Every issue classified by severity (Critical, High, Medium, Low, Informational) with proof-of-concept exploits where applicable, root cause analysis, and specific remediation guidance.
- Executive summary: Non-technical overview for stakeholders and investors.
- Remediation review: Verification that fixes address identified issues without introducing new vulnerabilities.
- Final published report: The deliverable your users, investors, and integrators will evaluate.
What Separates a Good Audit from a Checkbox Audit
The difference between a $15,000 audit and a $40,000 audit for the same codebase usually isn't the number of hours spent reading code. It's whether the firm invests time understanding your protocol as a business before reviewing it as code. Architecture review and threat modeling before the first line of code is examined. That's how business logic exploits like Euler's get caught.
The ROI Argument: Audit Cost vs. Exploit Cost
Audit pricing isn't an expense. It's a risk mitigation investment. The math is straightforward.
The Cost of Not Auditing
Chainalysis reported $2.2 billion stolen from crypto platforms in 2024 across 303 incidents. In 2025, that figure rose to $3.4 billion. The trend is accelerating.
Our analysis of the 100 largest DeFi hacks found that 80% of hacked protocols had not undergone a professional security audit. Audited protocols accounted for only 10.8% of total value lost across the 100 largest breaches.
| Scenario | Cost | Outcome |
|---|---|---|
| Comprehensive audit for a DeFi protocol | $30,000 - $60,000 | Vulnerabilities identified and fixed pre-deployment |
| Average DeFi exploit loss (2024) | $7.3 million per incident | Protocol funds drained, reputation destroyed |
| Median recovery rate post-exploit | Under 20% | Most stolen funds are never recovered |
A $50,000 audit that prevents even a modest exploit saves 100x or more. And the indirect costs (user trust destruction, token price collapse, regulatory scrutiny, legal liability) compound far beyond the direct theft.
Exploits That Audits Would Have Caught
Many of the costliest exploits targeted vulnerability classes with established detection methods:
- Ronin Bridge ($625M, March 2022): Five of nine validator keys were controlled by a single entity, Sky Mavis, after a temporary signing delegation was never revoked. An attacker compromised Sky Mavis systems and authorized two fraudulent withdrawals. A thorough access control and key management review would have flagged the concentration risk.
- Mango Markets (~$115M, October 2022): An attacker used $10M across two accounts to pump the MNGO spot price by 2,300%, then borrowed against artificially valued collateral and drained the protocol. Oracle manipulation review, specifically checking for spot price dependency instead of time-weighted averages, catches this pattern.
- Bunni DEX ($8.4M, September 2025): A rounding error in the withdrawal function. Trail of Bits had flagged precision issues in January. Cyfrin found 50+ issues in June and recommended more fuzz testing. The team ignored both recommendations and scaled anyway. The protocol died.
These aren't exotic zero-days. They're known vulnerability classes. The protocols that lost funds to them either hadn't been audited, or had been audited by firms that treated the engagement as a checkbox.
Why the Cheapest Audit Isn't the Best Deal
There's a persistent temptation to optimize for price. Teams compare quotes, pick the lowest number, and treat the resulting report as a credential rather than a security deliverable.
The Audit Quality Spectrum
At the bottom of the market, you'll find firms offering audits for 50-70% below industry averages. These engagements typically share characteristics:
- Junior-heavy teams: The audit is performed primarily by junior auditors with limited exposure to real-world exploit patterns. Senior review, if it happens, is cursory.
- Template-driven reports: Findings generated largely by automated tools with minimal manual analysis. The report looks professional but lacks depth on business logic and interaction-level vulnerabilities.
- No architecture review: The firm jumps straight to code without understanding what the system does or what the trust assumptions are.
- Narrow scope interpretation: Anything not explicitly in-scope is ignored, even if it represents a critical attack surface.
- No post-audit support: Report delivered, engagement over. No remediation review, no deployment verification.
The CertiK case studies illustrate this at scale. CertiK audited Merlin DEX, Swaprum, and Arbix Finance, all three subsequently exploited through rug pulls. In each case, CertiK's audit identified the centralization and upgradability risks but classified them as informational findings rather than critical blockers. The code was technically reviewed. The business risk was acknowledged and not acted upon.
A $10,000 audit that misses a critical vulnerability isn't a $10,000 savings. It's a $10,000 cost that bought false confidence.
What to Look For Instead
When evaluating proposals, weight these above price:
- Methodology depth: Does the firm describe how they'll learn your system before reviewing the code?
- Team composition: Who specifically will audit your contracts? What's their experience with your protocol type, language, and chain?
- Track record transparency: Every firm has audited protocols that were later exploited. The question is whether the exploit was inside or outside audit scope, and whether the firm adapted.
- Deliverable specificity: Will findings include proof-of-concept exploits, root cause analysis, and remediation guidance, or just severity labels?
- Post-engagement support: Does the firm verify fixes, review deployments, and stay available for questions?
For a deeper framework on evaluating firms, see our guide to choosing an audit firm.
When Should You Get an Audit?
Timing affects both cost and effectiveness.
Too early: Auditing contracts still in active development wastes money. Every change after the audit creates unreviewed code, which is how Nomad Bridge was exploited (only 18.6% of the deployed code matched the audited version).
Too late: Scrambling for an audit two weeks before mainnet triggers rush premiums and compresses the time for thorough review and remediation.
The sweet spot: Engage when contracts are feature-complete and test coverage is reasonably mature (70%+ line coverage). Start the scoping conversation at 70-80% development completion. This gives the firm time to schedule, begin architecture review, and deliver findings with enough runway for proper remediation.
For protocols already in production, annual re-audits should be standard, especially after significant upgrades, new integrations, or parameter changes. Re-engagement cost is substantially lower than an initial audit because the firm already understands the architecture.
How to Reduce Cost Without Reducing Quality
You can't negotiate away complexity, but you can reduce the overhead that inflates cost:
- Write comprehensive documentation: Specs, architecture diagrams, and threat model notes reduce the time auditors spend reverse-engineering intent from code. Directly reduces hours and cost.
- Maintain high test coverage: Robust test suites (unit, integration, fuzz) give auditors confidence in intended behavior, letting them focus on edge cases and adversarial scenarios.
- Use established libraries: Building on OpenZeppelin Contracts or other battle-tested libraries means auditors focus on your custom logic, not re-verifying standard patterns.
- Fix known issues first: Run Slither, Mythril, or similar tools on your code before engaging a firm. Addressing automated findings in advance means auditors spend time on the hard problems.
- Scope clearly: Define exactly which contracts, functions, and integrations you need reviewed. Ambiguous scope leads to over-scoping (higher cost) or under-scoping (coverage gaps).
- Plan ahead: Book 4-6 weeks in advance. Avoiding rush timelines avoids rush pricing.
In our experience, these steps reduce cost by 15-30% without compromising coverage. They also produce better outcomes because auditors can allocate more time to high-risk areas.
Getting Started
If you're evaluating whether your protocol needs an audit: it does. The data is unambiguous. Unaudited protocols account for 80% of hacks and 89.2% of value lost. The question isn't whether to audit, but how to audit well.
- Estimate your tier: Use the pricing table above to approximate where your project falls based on LOC and complexity.
- Start the conversation: Reach out with your repository (or a description of your system if pre-repo), your target timeline, and any specific concerns. We'll provide a scoping estimate within 48 hours.
We don't charge for scoping calls. We don't require NDAs to discuss pricing. And we don't pad timelines to inflate cost.
For more on evaluating audit firms, see our guide to choosing an audit firm. For what to have ready before your engagement starts, see our pre-audit checklist.
