November 16, 2023

The Process of Cardano Smart Contract Audits

Albert Kim

The Process of Cardano Smart Contract Audits

As mentioned in a previous blog on why decentralized applications (dApps) need smart contract audits, there is no standardized process to perform a smart contract audit as the methodology is designed and tailored by the auditors upon review of the dApp.

Additionally, an audit can change from dApp project to project. The work is tailored to the type of blockchain dApp project and the scope of the audit. All of these factors make each smart contract audit unique to each specific project. 

In this blog, we’ll go over some of the decisions that influence a smart contract audit of a Cardano dApp. We also describe a series of steps that are common to most audits. 

As Cardano grows as an ecosystem, more and more dApp projects continue to launch on the network. So, being able to understand how Cardano smart contracts audits work is important for Cardano dApp builders and developers to protect their users and products.

Scope of a Cardano dApp audit

The audit scope is the first item of importance. In previous articles, we have discussed how Cardano dApps are divided between the on-chain and off-chain code. 

Additionally, we also learned about the back-end, front-end, and other pieces of the tech stack of a dApp.

The first order of business for a blockchain smart contract auditing firm is to define the parts it’ll review. The length of the audit, the complexity, and the cost are all defined by this decision. The auditing firms normally don’t make this call and it is the dApp project’s developers who decide the course of action. 

Yet, one portion of a Cardano dApp is always up for review, the on-chain code. 

This is because it is the logic the Cardano network evaluates and executes when users interact with a Cardano-based dApp. For this reason, the on-chain code is always the piece on an audit that cannot be overlooked. 

The choices for the developers are the off-chain, website, and any back-end the dApp may utilize. Each of these is optional as none of them are exposed to the users, but there could be bugs or mistakes in that code.

Types of dApp vulnerabilities

Once the scope of the audit is determined, the audit team starts going through the code using automated tools and manual checks. The process is meant to identify all the vulnerabilities that can compromise the workings of dApps.

These are then grouped according to the severity. Each audit firm may have a unique set of categories for vulnerabilities, but in general, the most common classification is:

  • Critical vulnerabilities present an immediate risk for a dApp.
  • High vulnerabilities have the potential to compromise a large portion of the dApp.
  • Medium vulnerabilities present problems for the proper working of a dApp but are not immediate security threats.
  • Low vulnerabilities affect the performance of a dApp but are not security threats. 

All vulnerabilities found on the code audited by the firm should fall into one of these categories. Of course, if the scope of the audit only applies to the on-chain code, vulnerabilities on other portions of the dApp are not the responsibility of the auditors. 

Fixing dApp vulnerabilities

Once the list of vulnerabilities is compiled, the development team has to address them for the final report. The smart contract audit is generally a public document that is meant to be read by users, developers, and participants of all levels of knowledge.

This means that if the vulnerabilities identified are not addressed, the audit becomes a roadmap for a possible attack. This is especially true for those that fall under the categories of either ‘critical’ or ‘high’ as both classes have the potential to upend the security of a dApp.

It’s important to read how these vulnerabilities are corrected by the developer team. The results showcase that a dApp is secure to use and that both the auditors and developers have done a thorough review of the code. 

Additionally, audit reports are an excellent tool for learning. They provide live examples of how dApp logic works and when it has mistakes. They are an excellent source of information for those looking to jump into the world of blockchain development. 

The Cardano dApp ecosystem is expanding rapidly. Projects are being launched constantly and the pace of development is not slowing down. It’s one of the best moments to jump into the network and see it grow. 

Of course, that means that all these dApps require proper security audits. The blockchain industry is unique because, by its very nature, it has become a giant target for criminal action. Auditors and developers must work hand in hand to ensure all the assets are kept safe.

Cardano is one of the examples of excellence in this field. As it stands there have not been any major hacks, exploits, or large sums of money lost for any project launched on Cardano. This is a record to celebrate but also one that must be guarded fiercely by all those in the community.

Want to know more about Cardano? Follow EMURGO on X
EMURGO Follow Banner

Cardano is one of the largest blockchain ecosystems in the industry with many DeFi and NFT dApps in use. 

Whether you’re a builder wanting to learn more about building dApps on Cardano, a builder looking for funding, a developer wanting to contribute to the Cardano network, an individual community member, or otherwise, EMURGO has content for you.

Follow EMURGO on X for the easiest way to get updates, content, and other necessary information about the Cardano ecosystem.



You should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by EMURGO to invest.

Related articles