1 Introduction

Auditing adds credibility to disclosed information, which in turn facilitates transactions (Watts and Zimmerman 1983). While audit research has focused mainly on financial statements, shifts in technologies have created a demand for a new class of audits that go beyond financial statements (Knechel 2021; Bauer et al. 2023). In particular, as economic activity has increased in blockchain-based markets, a set of applications known as decentralized finance (DeFi) has emerged that allows market participants to conduct transactions without third-party intermediaries. DeFi services execute transactions using a smart contract, which is digital code stored on the blockchain. We provide the first large-sample descriptive evidence on the emergence of auditing for smart contracts.

Following the language used by practitioners, we refer to the client engagements in our sample as smart contract audits. We acknowledge that existing audit research uses the terms audit, assurance, and attestation to represent a variety of other types of client engagements. DeFi audits aim to identify and prevent vulnerabilities (e.g., security risks) contained in the code of smart contracts to provide assurance to various stakeholders. Smart contract audits by third parties emerged in response to the novel challenges that smart contracts present in the blockchain environment.

Three features of the environment drive that demand. First, transactions powered by smart contracts cannot be altered or reversed once executed. Thus, smart contracts should be written perfectly from the outset, for both security and economic reasons; otherwise, the contracting parties are exposed to the risk of hacks and other issues of contractual incompleteness (Harvey et al. 2021). Second, unlike traditional financial contracts, smart contracts typically cannot be contested in court (Werbach and Cornell 2017; Makarov and Schoar 2022). Third, nontechnical users of smart contracts have difficulty accurately determining the integrity and completeness of the code behind the contract. As smart contracts have become more common, auditing practices have emerged to evaluate and minimize those risks.

Since smart contract audits (hereafter SCAs) are new to the accounting literature, we start by providing a brief overview of the main similarities and differences between SCAs and both standard financial audits (SFAs) and internal control audits (ICAs). Unlike SFAs for public firms, SCAs are not mandated by legislation. SCAs resemble ICAs in that ventures must trade off the expected costs and benefits of voluntarily obtaining an audit.

SFAs are intended to inform investors, and reports tend to be bundled and publicly released in regulated filings. In contrast, the audience of ICAs is primarily internal, and reports are typically kept private. SCAs serve the dual purpose of informing both external and internal stakeholders. To that end, audit reports are disclosed publicly, but their release is often preceded by iterations between auditors and internal programmers to solve issues detected during the audit. In that sense, SCAs correspond to a mix of assurance and consulting services. This is possible because the market for SCAs is unregulated and no private or public standards impose a strict separation between auditing and consulting services.

In terms of items under audit, SFAs evaluate a management report containing financial statements, while both SCAs and ICAs opine on the integrity of a process. Financial statements are prepared following accounting standards, and internal controls are typically designed following a clear private framework (e.g., from the Committee of Sponsoring Organizations of the Treadway Commission (COSO)). In contrast, no rules apply to the writing of smart contracts. However, in all three cases, the preparation of the item under audit is the responsibility of the firm. The audit process is performed in accordance with specific auditing standards for SFAs and ICAs, while no universal standards exist for SCAs. This means that processes and outputs can differ significantly for SCAs (Bauer et al. 2023).

Finally, the voluntary nature of SCAs incentivizes auditors to signal the quality of their services by differentiating themselves from other auditors through publicly available audit reports. This leads to substantial variation in audit opinions, which typically include details on the input and the output of the audit process. This contrasts with the coarse and standardized opinions contained in SFAs. All three types of audit reports contain disclaimers about their liability.

We next turn to an empirical examination of smart contract audits using our large sample of audit reports. To collect our sample of SCA reports, we rely primarily on DeFiYield (now called De.Fi), a DeFi service company that maintains the largest repository of DeFi ventures’ SCA reports. Using DeFiYield, we obtain a sample of 8,749 SCA reports covering 7,219 unique DeFi protocols performed between 2017 and mid-2023.Footnote 1 We then manually inspect each report and extract by hand a variety of data points pertaining to (1) the DeFi protocol being audited, (2) the audit firm, and (3) the content of the audit. We also supplement our data with market returns from CoinGecko and DeFiLlama, when available.

With respect to the types of DeFi protocols in our sample, the most populated categories include yield farming (depositing tokens into a liquidity pool to earn a return), platforms for creating and trading nonfungible tokens (NFTs), gaming applications, liquidity providers, and exchange platforms (decentralized and centralized exchanges). Ethereum is the most widely used blockchain in our sample, and our ventures have an average total value locked (TVL) of $120 million. Total value locked is a common measure of size in the DeFi market and represents the overall value of assets being used in a DeFi protocol (Metelski and Sobieraj 2022; Soiman et al. 2023).

Next we turn to the auditors. Our sample is composed of 99 unique audit firms, all of which originated as technical firms rather than firms with certified public accountants. This may raise the question of why CPA firms, with their expertise in evaluating controls and technology, are not well represented in this market. CPA firms may lack the expertise to perform SCAs, or they may consider this service too risky or not scalable due to a lack of universally accepted audit standards (Knechel 2021; Bauer et al. 2023). Our interviews with several leading SCA firms reveal that almost all of their employees have backgrounds in computer science, data science, or engineering. We also find that the market for SCAs is much more fragmented than the SFA market for public firms (e.g., Gerakos and Syverson 2015). Only two audit firms have 10 percent or more of the market share, and over 20 auditors perform 100 or more engagements in our sample.

We next turn to our findings on SCAs themselves. Because SCAs do not follow a universal standard, SCA reports look very different across auditors and clients. Consequently, the data we obtain for some SCAs may be unavailable for others. With this in mind, we note that over 70 percent of the audit reports in our sample provide information about the audit team and reveal that most audits are conducted by multiple auditors. About one-third of our audit reports mention the time needed to conduct the audit, and, in this subsample, virtually all audits are finished in a month or less. Almost two-thirds of our audit reports contain information about their methodology. Of these, approximately 58 percent mention using a combination of manual and automatic testing. Our interviews with auditors reveal that manual testing typically involves reviewing the code line by line and then testing the different functions in the code against all possible states to find errors and vulnerabilities. Automatic testing, by contrast, involves using software to analyze the code.

Next we examine the content of SCA reports. In contrast to SFA opinions that typically span a few pages and provide only a coarse opinion on whether the client’s financial statements and internal controls conform to local accounting standards, the SCAs in our sample often describe in detail the exact tests performed by the auditors and their outcomes. The reports in our sample also differ in length, with the average (median) report spanning 20 (16) pages and the first- and third-quartile reports spanning 11 and 45 pages, respectively. About 71 percent of the reports in our sample include a legal disclaimer similar to that contained in SFAs. The SCA reports in our sample are typically signed off by the audit firm at large, with only 8 percent of the reports referring to one or more specific individuals. Regarding the disclosed inputs to an audit, 73 percent of the reports list the exact tests the auditors performed. Conditional on providing such a list, the average (median) report contains 24 (21) inputs, and the first- and third-quartile reports contain 21 and 37 inputs, respectively. This variation is consistent with differences in the depth of the audit across engagements, reflecting the joint preferences of clients and auditors (Bauer et al. 2023).

Virtually all the SCA reports in our sample discuss the audit outputs, such as programming errors and security risks identified. These are typically referred to as “issues” and categorized as informational, minor, medium, major, or critical. The average SCA report lists 6.7 issues, with most considered minor and fewer than one classified as “major” or “critical.” About two-thirds of major issues are resolved by the client during the audit and before the audit report is released. About half of the reports in our sample contain direct recommendations for the audit client’s developers on how to further improve the smart contract. The results above also vary based on auditor quality, which we measure using a third-party rating of audit quality from Boxmining.Footnote 2 Specifically, relative to the average SCA report, the average SCA report by a “top-quality” SCA firm identifies nine more issues and is an order of magnitude more likely to be signed off by an audit firm employee whose name is disclosed in the report.

Our last analysis examines the value relevance of SCA reports. On the one hand, we predict that those reports are value-relevant because the benefits should exceed the costs of those voluntary audits. On the other hand, market forces may not be able to discipline auditors and bring credibility to their audits in this nascent market, which lacks (self-)regulation. We test this prediction using the market reaction to the client around the release date of the SCA report. Our setting is particularly amenable to using this approach because SCAs are not typically bundled with the release of the information they are auditing (e.g., Gipper et al. 2019). We find that returns are positive and statistically significant across multiple return windows. The return magnitudes range from 2.8 percent to 4.6 percent, and adjusted returns range from 2.2 percent to 3.4 percent. In the cross-section, we find larger market reactions for audit reports referencing industry guidelines and for reports signed by an identifiable individual. Note, however, that return data are publicly available only for the very largest DeFi ventures, so we can conduct this test on only a small subset of our sample.

Our study contributes to the growing field of research on DeFi, which only recently began to analyze smart contracts (e.g., John et al. 2023).Footnote 3 Makarov and Schoar (2022) note that the self-executing nature of smart contracts and the lack of legal mechanisms in DeFi markets increase the importance of writing these contracts as completely as possible upfront, which appears to be the reason DeFi ventures are turning to smart contract auditors. By exploiting the richness of audit reports, our study offers the first large-sample evidence of the role auditors play in DeFi.Footnote 4

The positive market reaction to the release of SCA reports also suggests that these audit opinions are value-relevant, consistent with theories suggesting that information intermediaries can reduce adverse selection problems in markets (Admati and Pfleiderer 1990; Lizzeri 1999). This finding is also consistent with studies documenting that SCA reports are associated with increased total value of assets locked (TVL) in smart contracts (Knechel et al. 2023; Bhambhwani and Huang 2023; Rabetti 2023). It also complements studies examining the role of information intermediaries (like analysts) in the blockchain ecosystem (Bourveau et al. 2022; Lee et al. 2022; Barth et al. 2023).

More broadly, our study speaks to the literature on the evolution of the role played by audits and regulation in financial markets (Watts and Zimmerman 1983; Bourveau et al. 2023). It also complements studies that analyze the choice to receive voluntary financial statement audits (e.g., Allee and Yohn 2009; Lennox and Pittman 2011; Minnis 2011; Lisowsky et al. 2017; Lisowsky and Minnis 2020; Kisseleva et al. 2024). In summary, we show that the demand for assurance services is expanding to areas beyond financial statements, as noted by Knechel (2021) and other researchers documenting the role of audits in ESG assurance (Asante-Appiah and Lambert 2023; Gipper et al. 2023, 2024) and cybersecurity controls (Schoenfeld 2024).

2 Institutional background

To explain how SCAs arose, we start with a short introduction to blockchain, DeFi, and smart contracts. A blockchain is a decentralized, distributed ledger that facilitates the ownership and transfer of assets without third-party intermediaries, such as banks or brokers. It became popular largely due to the emergence of Bitcoin. Bitcoin was created after the 2008 publication of a white paper (released under the pseudonym Satoshi Nakamoto) containing the model for a blockchain. The technology borrows from advances in cryptography that date back to the 1970s. In 2009, Bitcoin launched the first blockchain with a public ledger. This ledger groups transactions into blocks, and each block is linked to its predecessor by a cryptographic hash, forming a chain. The ledger is extended as new blocks are appended, and because every block commits to the hash of the block before it, altering any recorded transaction would invalidate all subsequent blocks, which makes tampering with past records detectable and, in practice, infeasible.

Blockchain technology has gained significant global attention for its association with cryptocurrencies like Bitcoin. However, its potential extends far beyond digital currencies. Recent studies document a growing focus on business applications, such as cybersecurity or applications that help increase the settlement speed of transactions, simplify operations, or automate compliance (e.g., Stratopoulos et al. 2022). The applications have begun spreading across multiple industries, such as financial services, retail, marketing and advertising, healthcare, and supply chain management.

The most advanced application of blockchain technology led to the emergence of Decentralized Finance (DeFi). DeFi broadly refers not only to decentralized alternatives to traditional financial services, such as lending, borrowing, and trading but also to nonfinancial applications, such as gaming or arts. DeFi is a system that operates on blockchain platforms, and it is powered by smart contracts. As the name suggests, it does not need a central authority, and it aims to disrupt traditional financial systems in several ways. First, it aims to promote greater financial inclusion by providing financial services to people who do not have access to traditional financial services (e.g., unbanked households). Second, it reduces the need for intermediaries, which can lower costs and accelerate transactions. Lastly, DeFi introduces new financial products and services, such as flash loans.Footnote 5 Other prominent DeFi applications include Uniswap, a decentralized exchange where crypto-traders swap tokens against liquidity pools held by smart contracts, which price and execute trades with an automated market maker formula rather than an order book; Aura Finance, a yield aggregator that offers compensation for providing liquidity and other actions; and Aave, which offers the ability to lend and invest in debt using smart contracts that automatically execute loan terms.Footnote 6Footnote 7

DeFi applications leverage smart contracts on blockchain platforms like Ethereum.Footnote 8 This is one of the primary ecosystems where smart contracts are used to eliminate transaction costs, such as the costs generated by transaction intermediaries, such as banks, brokers, and exchanges (Makarov and Schoar 2022; Appel and Grennan 2023). Smart contracts are self-executing financial agreements whose terms are written directly into digital computer code. Put differently, a smart contract is the code (also called functions) and the data (also called states) located in a blockchain. Smart contracts work by following simple “if/when ... then ...” statements. Nick Szabo, who conceptualized the idea of smart contracts in 1994, compared a smart contract to a vending machine: money + snack selection = snack dispensed. In other words, specific inputs provide a certain guaranteed output. Like other blockchain transactions, those performed by smart contracts are verified by the network and irreversible once completed. A key advantage of smart contracts over conventional ones is that they self-execute when specific conditions are met, which can save time and money and eliminate the need for third-party enforcement. However, since deployed smart contract code cannot be altered once executed (unless the developers built an upgrade mechanism, such as a proxy pattern, into the contract before deployment), smart contracts should be written perfectly from the outset. Otherwise, they involve the risk of exploits and other issues of contractual incompleteness.

In their recent textbook summarizing the current state of DeFi, Harvey et al. (2021) note that the use of smart contracts exposes DeFi service providers and users to two key operational risks: (a) logic errors in the code and (b) economic exploits, where attackers leverage a vulnerability in the code to steal from or inflict financial damage on ventures (e.g., withdrawing funds without permission). Indeed, there are numerous examples of high-profile DeFi exploits. In April 2023, 0VIX lost over $4.3 million in an attack. Hackers benefited from a vulnerability in the code executing the flash loan and manipulated the price of the underlying token.Footnote 9 Another concern that affects both smart and conventional contracts is that some situations cannot be fully anticipated or contracted upon. Moreover, while parties to conventional contracts can rely on the legal system to adjudicate contract disputes, smart contracts—with their terms embedded in irreversible computer code—are designed specifically to be out of reach of the legal system (Werbach and Cornell 2017; Makarov and Schoar 2022). In addition, the anonymity of parties to smart contracts inhibits the identification of whom to sue and in what jurisdiction, which underscores the importance of writing a smart contract perfectly upfront.
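The economic exploit described above (a flash loan used to move a token's price and then extract value from a contract that trusts that price) is easier to see in a model than in prose. The following is an added example, written for this page and not code from the paper or from any audited protocol: a constant-product pool is the only price source for a lending contract, an attacker pumps the price inside one atomic transaction, borrows against collateral at the inflated price, dumps and repays. The same lender with a pre-transaction reference price and a deviation bound rejects the borrow. It is modelled in Python rather than Solidity so it runs without a node; the pool sizes, loan size, loan-to-value ratio and deviation bound are invented, and it is a generic pattern, not a reconstruction of the 0VIX incident.

```python
"""Flash-loan price manipulation against a spot-price oracle, modelled in Python.

Constructed example added for illustration; it is not code from the paper or
from any audited protocol, and all numbers are invented. A constant-product
pool (token * usd = k) is the only price source for a lending contract that
lends USD against TOKEN collateral.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pool:
    """Constant-product AMM holding TOKEN and USD (toy units, no swap fee)."""
    token: float
    usd: float

    def spot_price(self) -> float:
        """USD per TOKEN implied by the current reserves."""
        return self.usd / self.token

    def buy_token(self, usd_in: float) -> float:
        """Swap USD in for TOKEN out, keeping token * usd constant."""
        k = self.token * self.usd
        new_usd = self.usd + usd_in
        token_out = self.token - k / new_usd
        self.usd, self.token = new_usd, self.token - token_out
        return token_out

    def sell_token(self, token_in: float) -> float:
        """Swap TOKEN in for USD out, keeping token * usd constant."""
        k = self.token * self.usd
        new_token = self.token + token_in
        usd_out = self.usd - k / new_token
        self.token, self.usd = new_token, self.usd - usd_out
        return usd_out


@dataclass
class Lender:
    """Lends USD against TOKEN collateral at a fixed loan-to-value ratio.

    reference_price=None: trust the pool's spot price (the vulnerable pattern).
    Otherwise: a price recorded before the transaction (e.g. a time-weighted
    average); refuse to lend when spot has moved more than max_dev from it.
    """
    pool: Pool
    usd_reserve: float
    ltv: float = 0.5
    reference_price: Optional[float] = None
    max_dev: float = 0.10

    def collateral_price(self) -> float:
        spot = self.pool.spot_price()
        if self.reference_price is None:
            return spot  # vulnerable: one swap in the same tx moves this freely
        if abs(spot - self.reference_price) / self.reference_price > self.max_dev:
            raise ValueError("spot price deviates from reference; borrow rejected")
        return min(spot, self.reference_price)

    def borrow(self, collateral_token: float) -> float:
        usd = collateral_token * self.collateral_price() * self.ltv
        if usd > self.usd_reserve:
            raise ValueError("insufficient liquidity")
        self.usd_reserve -= usd
        return usd


def flash_loan_attack(lender: Lender, loan_usd: float, attacker_token: float) -> float:
    """One atomic transaction: take a USD flash loan, pump TOKEN, borrow against
    TOKEN collateral at the inflated price, dump TOKEN, repay the flash loan and
    abandon the collateral. Returns the attacker's net USD profit; raises
    ValueError if the lender rejects the borrow (the whole tx would revert)."""
    pool = lender.pool
    fair_price = pool.spot_price()                 # price before the attack
    bought = pool.buy_token(loan_usd)              # 1. pump: spot price rises
    borrowed = lender.borrow(attacker_token)       # 2. borrow at inflated price
    proceeds = pool.sell_token(bought)             # 3. dump: price returns
    repaid = loan_usd                              # 4. repay flash loan (no fee)
    collateral_lost = attacker_token * fair_price  # collateral left with the lender
    return proceeds - repaid + borrowed - collateral_lost


def simulate(hardened: bool) -> Optional[float]:
    """Run the attack against a fresh pool and lender; None means it was rejected."""
    pool = Pool(token=1000.0, usd=1000.0)          # spot price 1 USD per TOKEN
    lender = Lender(pool, usd_reserve=10000.0,
                    reference_price=pool.spot_price() if hardened else None)
    try:
        return flash_loan_attack(lender, loan_usd=9000.0, attacker_token=100.0)
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable lender, attacker profit:", simulate(hardened=False))  # 4900.0
    print("hardened lender, attack outcome:", simulate(hardened=True))      # None
```

The attacker's 100 TOKEN are worth 100 USD before the transaction, but after a 9,000 USD swap the pool quotes 100 USD per TOKEN and the lender hands out 5,000 USD against them. Because a constant-product swap with no fee is exactly reversible, the flash loan costs nothing to unwind, so the profit is the borrowed amount minus the abandoned collateral. The deviation check is one mitigation among several (time-weighted prices, external oracles, borrow caps), and it rejects the manipulated price only because the reference was observed before the attacker's swap.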

Given the above-mentioned concerns, several leading public and private organizations, such as the Federal Reserve, the Federal Bureau of Investigation, and the Organisation for Economic Co-operation and Development, have called for independent third-party audits of smart contracts (e.g., Federal Reserve 2022; OECD 2022). These audits are designed to help identify and possibly rectify vulnerabilities to mitigate risks before user funds are lost and the DeFi protocol’s reputation is damaged. According to the auditors who we interviewed, SCAs are typically initiated and paid for by the DeFi ventures, as DeFi ventures understand the importance of ensuring the security and reliability of their smart contracts before deploying them. Our interviews with auditors further reveal that potential capital providers also occasionally recommend that DeFi ventures obtain an audit. Finally, individual users are unlikely to engage in their own direct assessment of the integrity of the code, given its complexity. Thus, there is a substantial information asymmetry between sophisticated programmers and unsophisticated end users (Makarov and Schoar 2022), a point raised by regulators in recent years.Footnote 10

3 Smart contract audits versus other audits

In this section, we compare and contrast smart contract audits (SCAs) with two other prominent types of audits: standard financial audits (SFAs) and internal control audits (ICAs). We start with some terminology. SCAs are client engagements where a third-party company performs procedures to opine on the integrity of a smart contract’s code. SFAs are audits conducted to provide an opinion on whether a company’s financial statements are prepared in accordance with accounting principles and to assure that the financial statements give a true and fair view of the firm’s financial position and performance. Finally, ICAs are a broader range of audits conducted to ascertain the effectiveness of a company’s internal safeguards and controls.

SFAs are mandated by securities regulations for public firms across the world.Footnote 11 In contrast, SCAs and ICAs are not mandatory. Companies must trade off the expected costs and benefits of these audits when deciding whether to voluntarily receive one.Footnote 12 Absent a mandate, companies can also choose the frequency at which to obtain SCAs and ICAs, whereas SFAs must be conducted periodically. They are typically based on financial statements prepared annually. Our interviews with practitioners suggest that DeFi protocols usually seek SCAs before launching their service, after a major update of their technology (e.g., adding a new feature to their code), or before a fundraising campaign. In contrast, internal audits tend to be routinely conducted.

These three types of audits have different end users. SFAs are intended to serve primarily investors. Hence audit opinions are typically made public in regulatory filings (e.g., 10-K filings). Internal control audits vary in their intended target audience. For example, system and organization controls (SOC) audits are used to ensure the quality of internal controls in the context of contracting relationships with external stakeholders (e.g., customers). SOC audit reports are typically kept private by the firm and shared only with specific contracting stakeholders. In contrast, internal frameworks, like the COSO framework, are geared toward the audited organization itself. They aim to help the organization design robust internal controls to prevent fraud. The resulting audit reports are not public and are meant to be shared only with the audited company. SCAs, however, serve both external and internal stakeholders. Our interviews with multiple leading SCA firms suggest that SCA reports are used by DeFi service providers primarily to build trust with existing and prospective users of and investors in their services. In this regard, these audits can be seen as a costly signal by DeFi ventures to add credibility to their technologies (Spence 1973). Hence audit reports are typically released publicly. However, our interviews revealed that the venture’s team members also use SCAs to minimize logic errors in their code and prevent future economic exploits.

Next we briefly discuss similarities and differences between SCAs, SFAs, and ICAs in terms of the nature of, responsibility for, and preparation of the items under audit. The object of assurance for SFAs is a written management report containing specific financial information. Financial statements are prepared following detailed and mandated accounting standards, such as IFRS or U.S. GAAP. In contrast, the object of assurance for both ICAs and SCAs is a process and not a written management report. For ICAs, this process depends on how companies choose to internally structure the flow and the stock of data. In practice, companies rely on a few software providers to set up their processes in accordance with the frameworks used to get their processes audited. For example, the COSO framework provides guidance for establishing an enterprise risk management (ERM) program to implement and maintain effective internal controls across the organization related to financial statements.Footnote 13

For SCAs, DeFi ventures do not have to follow any specific format when writing their smart contracts, although there are various best practices, including some languages and a broader open-source smart contract development framework. Solidity, for example, was created by Ethereum developers and is a language with a syntax resembling that of JavaScript. Truffle is a popular smart contract development framework that offers a suite of tools for managing the entire development process, from writing the contract code using the Solidity language to deploying and testing it. Another example is OpenZeppelin’s open-source library of reusable, audited contract implementations (e.g., token standards and access control), which gives coders a vetted starting point rather than code written from scratch.Footnote 14 Also note that any guidelines used for SCA audits have emerged within the industry and without any regulatory intervention. One similarity the three types of audits share is that the preparation of the items under audit is strictly the firm’s responsibility. Companies are responsible for preparing their own financial statements, setting up their own internal processes, and writing the code of their own smart contracts.

We now review similarities and differences between SCAs, SFAs, and ICAs in terms of audit process, audit standards, and audit opinion. A common component of SCAs, SFAs, and ICAs is that the audit process entails gathering relevant information from the client and performing manual and automatic analytical procedures. The use of extensive manual and algorithmic testing should not hide the differences in the rules governing those audits. In the United States, SFAs are performed in accordance with generally accepted auditing standards (GAAS) for private firms and in accordance with PCAOB standards for public firms. Similarly, internal control audits are ruled by private standards that are shared by auditors across audit firms and client organizations. For example, the American Institute of Certified Public Accountants (AICPA) created the system and organization controls (SOC) audit standards.

Our interviews revealed that, even in the absence of private and public standards, smart contract audits generally have a similar structure across firms. Auditors request access to the entire code of the smart contract and any internal documentation about the code and its purpose.Footnote 15 SCAs then move to the testing phase, which involves evaluating whether every function in the smart contract performs as intended. This process includes manual line-by-line review, automatic software-based evaluation of the code, or both, as well as scenario analysis, whereby the contract is run against as many different inputs as possible to check that it never reaches an unintended state. While no formal audit standards exist for SCAs, some private initiatives within the Ethereum ecosystem have emerged to provide guidelines to code developers (Soud et al. 2023; Zheng et al. 2024). For instance, the Smart Contract Weakness Classification (SWC) registry catalogs known classes of smart contract vulnerabilities and cross-references each to MITRE’s Common Weakness Enumeration (CWE, hereafter). This list of known issues is organized through a formal classification. Each entry systematically provides at least (i) a high-level description of the weakness, (ii) high-level remediation guidance, and (iii) code samples illustrating the vulnerability and a corrected version. These guidelines are primarily meant to help programmers minimize vulnerabilities. Auditors may refer to these guidelines in their report when detailing the input, output, or both of their audit process. It is common for both SFAs and SCAs to provide recommendations to their clients, in the form of audit adjustments and code (re-)writing suggestions, respectively. This allows the client to obtain a clean opinion/report with minor to no remaining issues.
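The scenario analysis step described above (running the contract against as many inputs as possible and checking that every function behaves as intended) is, in practice, an invariant check over random call sequences. The following is an added example, written for this page and not code from the paper or from any audit firm: a minimal token contract model, two invariants an auditor would expect to hold (total supply is conserved; no balance goes negative), and a harness that applies random transfer, approve and transferFrom calls and reports the first sequence that breaks an invariant. The missing balance check in the `buggy` variant is a constructed defect for the harness to find, not a bug from any real contract, and the account names and amounts are invented. It is written in Python rather than Solidity so it runs without a node.

```python
"""Scenario analysis of a token contract: random call sequences plus invariants.

Constructed example added for illustration; the Token model, the injected
missing-balance-check bug, the accounts and the amounts are invented and do
not come from the paper or from any audited protocol.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple


class Token:
    """Minimal ERC-20-style model: balances, allowances, transfer, approve, transferFrom."""

    def __init__(self, holders: Dict[str, int], check_balance: bool = True):
        self.balances: Dict[str, int] = dict(holders)
        self.allowances: Dict[Tuple[str, str], int] = {}
        self.total_supply = sum(holders.values())
        self.check_balance = check_balance  # False reproduces the constructed bug

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if amount < 0:
            raise ValueError("negative amount")
        if self.check_balance and self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount  # goes negative when the check is missing
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount:
            raise ValueError("allowance exceeded")
        self.transfer(owner, to, amount)  # raises (reverts) before any state change
        self.allowances[(owner, spender)] = allowed - amount


# Invariants the auditor expects to hold after every call, whatever the inputs.
INVARIANTS: Dict[str, Callable[[Token], bool]] = {
    "supply_conserved": lambda t: sum(t.balances.values()) == t.total_supply,
    "non_negative_balances": lambda t: all(b >= 0 for b in t.balances.values()),
}

ACCOUNTS = ["alice", "bob", "carol"]  # constructed accounts


def random_call(rng: random.Random, t: Token) -> str:
    """Apply one random call. A revert (ValueError) is a legitimate outcome,
    so it is swallowed; the invariants are what must never fail."""
    kind = rng.choice(["transfer", "approve", "transfer_from"])
    a, b, c = (rng.choice(ACCOUNTS) for _ in range(3))
    amount = rng.randint(0, 150)  # deliberately exceeds the 100-token balances at times
    desc = f"{kind}({a}, {b}, {c}, {amount})"
    try:
        if kind == "transfer":
            t.transfer(a, b, amount)
        elif kind == "approve":
            t.approve(a, b, amount)
        else:
            t.transfer_from(a, b, c, amount)
    except ValueError:
        pass
    return desc


def scenario_analysis(factory: Callable[[], Token], runs: int = 200,
                      depth: int = 20, seed: int = 1) -> Optional[Dict]:
    """Run `runs` random call sequences of length `depth` against fresh
    contract instances. Return the first invariant violation as a finding
    (run index, violated invariant, call trace to reproduce it), else None."""
    rng = random.Random(seed)  # fixed seed so a finding is reproducible
    for run in range(runs):
        t = factory()
        trace: List[str] = []
        for _ in range(depth):
            trace.append(random_call(rng, t))
            for name, holds in INVARIANTS.items():
                if not holds(t):
                    return {"run": run, "invariant": name, "trace": list(trace)}
    return None


def buggy() -> Token:
    return Token({"alice": 100, "bob": 100, "carol": 100}, check_balance=False)


def fixed() -> Token:
    return Token({"alice": 100, "bob": 100, "carol": 100})


if __name__ == "__main__":
    print("buggy contract:", scenario_analysis(buggy))  # finding with non_negative_balances
    print("fixed contract:", scenario_analysis(fixed))  # None
```

A real engagement runs this kind of harness with a fuzzer against compiled bytecode rather than a Python model, but the shape is the same: a set of invariants the contract must preserve under every input and a search over call sequences that tries to break them. The trace in the finding is what an auditor reproduces, classifies by severity, and reports as an issue; the fixed variant passing the same runs is the evidence that a client's remediation closed it.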

The differences in standards across audits have implications for the content of the audit opinion. In terms of output, all three types of audits produce an audit report, but these reports differ substantively. For SFAs, auditors must follow the format defined by the generally accepted auditing standards (GAAS). SFA reports are typically short and describe the auditor’s role, the management’s role, the scope of the audit, and the audit opinion. The type of audit opinions (e.g., unqualified or qualified) is also governed by GAAS. Critics argue that this homogeneous type of blanket statement prevents external stakeholders from properly valuing financial audits. In contrast, the voluntary nature of internal audits and SCAs provides an incentive for auditors to signal the quality of their work in their reports. Thus SCA and ICA reports are usually much longer than SFA reports. Our interviews with SCA firms suggest that auditors take advantage of the flexibility provided by a lack of standards to use their reports to create a reputation for quality and expertise in the market. SCA reports typically contain a summary of the number of issues found (pending or fixed, if any) along with an assessment of their severity. Unlike SFA reports, however, they do not contain a predefined, standardized section that contains a summary of the opinion.

The lack of regulation in the smart contract audit market leads to a final major difference between SFAs and the other types of audits. To limit conflicts of interest, public or private regulations restrict audit firms from providing many non-audit services to a given audit client. The same usually holds for ICAs. For example, SOC audits follow the AICPA’s guidance, which asks auditors to refrain from advising their clients regarding operational decisions. While some smart contract audits simply opine on the integrity of the code, other audits include a mix of auditing and consulting services. These consulting services take the form of an iterative process whereby the external auditors identify problems and suggest how best to solve them. Audit reports then typically contain a list of the number of issues solved along with a list of pending unresolved issues (if any). Nonetheless, our interviews with auditors suggest that reputation plays a similar role in the market for SCAs and SFAs (DeAngelo 1981). Smart contract auditors understand that the credibility of their services rests on their reputation, which they argue is typically assessed in the market based on whether the protocols they audit experience hacks. (Details on hacks are widely available to market participants on REKT, an online database tracking crypto hacks and scams.) All three types of audits include disclaimers in their audit reports, most likely to shield the audit firm from legal liability related to the audit.

When it comes to labor market considerations, financial accounting and auditing is a regulated profession. This means that individuals need to undergo rigorous training in the subject matter. The training requirements vary across jurisdictions worldwide and across states in the United States (e.g., Barrios 2021). After earning their license, accounting professionals pursue continuing education to maintain their status, and they are subject to various rules enacted by public regulators, private standard-setters (e.g., state boards or the AICPA), or both. Internal auditing is less regulated. However, private certifications have emerged to set standards in the profession (e.g., certified internal auditor). By contrast, smart contract auditors typically have computer science backgrounds, and, to date, no official training or certification is required to become a smart contract auditor. Table 1 summarizes the above comparison between SCAs, SFAs, and ICAs.

Table 1 Comparison of Smart Contract Audits (SCA) to financial statement audits (FSA) and internal control audits (ICA)

4 Data

We collect data on SCAs from January 2017 to the end of June 2023 using DeFiYield, a website that maintains the largest historical repository of DeFi ventures’ SCA reports.Footnote 16 DeFiYield’s self-declared purpose in publishing the audit report database is to help protect users and investors. Reviewing audit reports allows them to assess the risk of security issues for DeFi protocols. In that sense, audit reports signal the quality and safety of the DeFi protocol’s underlying technology.Footnote 17 It is important to stress again that the label “smart contract audit” is consistent with the language widely used by practitioners in the DeFi market. For example, CoinDesk, a leading news site specializing in Bitcoin and digital currencies, refers to smart contract audits as “the process of comprehensively analyzing the code used by developers to create a smart contract.” We acknowledge that terms such as audit, assurance, and attestation are used in auditing research to denote various other client interactions.

We begin our data gathering from the year 2017 because there are only a few audit reports in DeFiYield’s database before then. The audit reports we collect are in PDF format, so we perform an extensive hand-collection to create our database of audit report characteristics, including information on the ventures, the auditors, the audit process, and the audit outcomes. A subset of the variables we collect includes the audit report release date, who performed the audits, the number of audit firm employees working on each audit, the days spent on the audit, the inputs and outputs provided in the audit report, the audit methodology, the disclosed disclaimer, whether an audit standard was referenced, the number of major/minor/pending issues found, whether the report was approved by a specific employee, and whether a pass score was reported. Our final sample consists of 8,531 unique audit reports for which the release date was identified.

To provide more detail on how we hand-code our data, Appendix B presents a representative example of an audit report from our sample: the audit of Merlin conducted by Hacken, a leading SCA firm, in May 2021. This audit report was released on May 15, 2021. It is 10 pages long and includes a disclaimer that the auditor provides no contractual guarantee based on the content of the report. It does not refer to external guidelines (e.g., SWC). In terms of the audit process, it explicitly refers to both manual and automatic audit methods. In terms of inputs, the report lists 26 unique items checked; in terms of outputs, it mentions a total of four issues detected.

We collect returns from CoinGecko.com, focusing on CoinGecko’s list of the top 438 DeFi coins. Our final sample consists of 303 audit-venture events. This analysis thus has significant sample attrition because detailed returns data are not available for all our ventures, which is common in this literature.Footnote 18 An alternative option is to focus on the small subset of larger protocols. This is exactly the approach adopted by Knechel et al. (2023). Focusing on larger protocols, they collect additional information that allows them to properly model the determinants of audit adoption at the venture level. They further use variation in the timing of the audit to convincingly evaluate the impact of voluntary SCAs on the value of the assets locked in a given contract.

We chose instead to focus on the entire sample of audit reports collected by DeFiYield because our primary goal is to provide evidence on the emergence of audit practices rather than on the value of auditing per se. To that end, we prefer to maximize our sample of audit reports (8,500+) from the largest online historical repository to gather variation in audit practices across and within audit firms.Footnote 19 We also collect data on DeFi cyber attacks for the ventures in our sample using the REKT Database. Appendix A provides the exact formulas for all the variables.

5 Overview of DeFi ventures and audit firms

5.1 Overview of DeFi ventures in our sample

DeFi ventures, or so-called protocols, encompass a range of financial and nonfinancial applications built on blockchain networks. Many applications provide financial services to users that can run without the need for intermediaries, such as banks or traditional financial institutions (i.e., they are “trustless” or “permissionless”). These applications enable various web-based financial transactions, such as lending, borrowing, and trading of financial instruments, or other nonfinancial activities, such as gaming. Table 2 Panel A shows that the most common venture protocol categories in our study consist of yield farming (15.1 percent), NFT ecosystems (13.2 percent), gaming (9.8 percent), liquidity use cases (8.7 percent), and exchanges (8.3 percent), including both centralized and decentralized exchanges. Appendix C contains the exact definitions of those categories. The number of DeFi protocols available for audit at any time varies due to product launches, product updates, and the discontinuation of protocols. This variation makes it difficult to establish empirically the total number of DeFi ventures.

Table 2 Panel B shows that the ventures in our sample receive 1.18 audits on average. Our interviews with practitioners suggest that this result may be due to auditors advising ventures to seek second opinions and a new audit each time they change their code. Table 2 Panel C shows that most of the ventures in our sample operate on either the Binance blockchain or the Ethereum blockchain. Given our many DeFi protocols, this is the only client-level characteristic that we collected aside from industry classification.

Table 2 Overview of DeFi ventures

5.2 Overview of audit firms in our sample

5.2.1 Universe of audit firms and market structure

Table 3 Panel A provides a list of all the audit firms in our sample arranged alphabetically. We manually inspect the origins of these firms and find that they have specialized in SCAs from the outset, and their founders typically have backgrounds in computer science and engineering. None of these firms were established by one of the large financial statement audit firms (e.g., Big Four). Nonetheless, some financial audit firms are entering this space through acquisitions, with two of the 99 auditors in our sample having been acquired by large accounting firms. Specifically, in 2021, PwC Switzerland acquired ChainSecurity (but sold it in 2022), and in 2021, Deloitte acquired Root9B.Footnote 20

Consider the following short case studies. Hacken, a large audit firm in our sample, was founded in 2017 and specializes in SCAs. It has about 100 employees, and its CEO, Dyma Budorin, is a former Deloitte employee. One of Hacken’s notable clients is CoinGecko, which is a leading cryptocurrency data aggregator serving over 50 million users. Hacken has performed several audits of CoinGecko’s smart contracts and application programming interfaces (APIs). Like most SCAs, Hacken’s audits involve a thorough examination of code, and Hacken provides its clients with detailed reports on identified issues and recommendations. Similarly, Certik, another large audit firm in our sample, was founded in 2018 by professors from Columbia University and Yale University and former software engineers from Google and Facebook. Certik offers such services as smart contract security assessments, on-chain monitoring, project team identification, and other formal verification services. One of Certik’s notable clients is Binance, a leading digital asset exchange.

Table 3 Overview of DeFi auditors

Table 3 Panel B shows that the audits in our sample are distributed across the years 2017 to 2023, with the bulk of our observations coming in 2021 and 2022.Footnote 21 Table 3 Panel C shows the market share of the 20 largest auditors in our sample. The largest audit firm, TechRate, accounts for around 20 percent of the engagements, followed by InterFi with over 11 percent. The next three largest audit firms combined hold only about 15 percent of the market share, with Certik alone accounting for 6 percent. Over the sample period, only four audit firms have more than a 5 percent share of total engagements. These findings indicate that the market for SCAs is not as highly concentrated as the traditional financial statement audit market.Footnote 22 We acknowledge, however, that measuring market concentration through the number of engagements rather than the market capitalization of the portfolio of clients underestimates the actual concentration in the market. Unfortunately, as discussed in Section 4, no public database allows us to obtain data on market capitalization or total assets for all the DeFi protocols in our sample.

5.2.2 Audit pricing

Since DeFi ventures are not obligated to disclose their audit fees, we gather information about audit pricing from our interviews with audit firms and other institutional sources. Our interviews with SCA firms suggest that pricing is mainly a function of the length and complexity of the smart contract code. SCA firms with more expertise and experience can also charge more, and code customization and unique features within a smart contract may also impact pricing. According to the DeFi Security Alliance, the SCA firms Quantstamp, OpenZeppelin, and Trail of Bits start their fees at $5,000, while Hacken’s fees start at $9,000. TechRate, widely considered a low-cost auditor, offers audits starting at $250, similar to InterFi, which charges $300 for a standard SCA.

5.2.3 Audit warranties

Like SFAs, SCAs do not provide a guarantee against data breaches, thefts, or other issues. While SCAs aim to identify vulnerabilities, programming errors, and deviations from best practices, they cannot and are not designed to eliminate the risk of hacks and other problems. It is ultimately management’s responsibility to adopt good security measures and protocols to minimize the risks associated with smart contracts. As we describe further in Section 6, many of the SCA reports in our sample provide legal disclaimers, with some even advising clients and users to obtain additional third-party opinions on the smart contract code (for example, by using a different auditor or via bug bounty contests). Insurance is also becoming more popular in this space. For example, in 2023 Certik introduced a plan that would compensate its clients up to $2 million for any hack-related losses incurred after one of its audits.

6 Smart contract audit process and report

We next use our large-sample data to provide empirical evidence on the actual audit practices, including details on SCA inputs and outputs.

Table 4 Overview of the DeFi audit process

6.1 Audit process

We start by providing statistics for the audit process collected from our full sample of 8,531 audit reports. We report our results in Table 4. Table 4 Panel A shows that most audits with nonmissing data in our sample are conducted by a team of auditors consisting of two or more individuals. As our interviews suggest, having multiple auditors review the code and compare their findings minimizes the likelihood of overlooking errors. Only 202 audits are performed by just one individual. Regarding the duration of the audit, Table 4 Panel B shows that 63.3 percent of the audit reports in our sample do not mention the time spent to complete the audit. Among the remaining reports with nonmissing data, around two-thirds of the audits are completed within a week (with just a few completed within a day), and another third are completed within a month. Only a handful of engagements in our sample took over a month to complete.

Table 4 Panel C shows that over 57 percent of the audits in our sample combine manual and automatic methods, while only 4 percent use only a manual or an automatic method. (Thirty-eight percent do not report this information.) An example of a manual method is looking for errors in the code line by line, and an example of an automatic method is using computer software, including AI-supported software tools, to scan the code. Certik, for instance, built a proprietary static analysis tool that scans the code of smart contracts to search for specific issues. Using automated tests is a convenient and expeditious approach to identifying bugs during an SCA. According to our interviews, auditors usually begin by using automated bug detection software to scan smart contracts for potential vulnerabilities.Footnote 23 Since these automated tools are still new, they are susceptible to reporting false positives. Therefore auditors augment automated procedures with line-by-line manual code reviews.

Manual inspections are necessary not only to uncover additional vulnerabilities but also to determine the intended functionality. In the spirit of stress testing, auditors also test different attacks on the code that may result in significant breaches. Certik, for example, tested AICON’s smart contract against common and uncommon attack vectors, including so-called buffer overflow.Footnote 24 Also, automated testing may fall short of understanding the developer’s intentions and thereby lead to code that lacks the desired functionality, even though it is bug-free. Thus experienced auditors ensure that the code behaves as intended by verifying mathematical accuracy, access control, and permission management.
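To make the two-stage workflow above concrete, here is an added illustration in Python (not code from the paper or from any of the audit firms it names): a context-blind pattern scan over a constructed Solidity contract, followed by a manual-review stage that confirms or discards each hit. The contract, the rule identifiers, the severities and the reviewer decisions are all constructed for this example; the SWC numbers in the comments are the public Smart Contract Weakness Classification entries the rules resemble.

```python
"""Two-stage review as described in Section 6.1: an automated pattern scan,
then line-by-line triage that confirms or discards each hit.
Added illustration; not code from the paper or from any audit firm named in it.
The contract, rule set and reviewer decisions are all constructed."""
import re
from dataclasses import dataclass

# Constructed Solidity sample with three patterns a scanner would flag.
SAMPLE_CONTRACT = """\
pragma solidity ^0.8.0;
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    constructor() { owner = msg.sender; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;   // state written after the call
    }
    function setOwner(address o) external {
        require(tx.origin == owner, "not owner");
        owner = o;
    }
    function unlockTime() public view returns (uint256) {
        return block.timestamp + 1 days;
    }
}
"""


@dataclass
class Finding:
    rule: str
    line: int
    severity: str            # scanner's default severity
    snippet: str
    status: str = "open"     # "confirmed" or "false_positive" after manual review
    note: str = ""


# Constructed rules: (id, regex, default severity). The ids are our own labels;
# the SWC numbers in the comments are the public registry entries they resemble.
RULES = [
    ("tx-origin-auth", re.compile(r"\btx\.origin\b"), "major"),              # cf. SWC-115
    ("value-call", re.compile(r"\.call\{value:"), "major"),                  # cf. SWC-107
    ("timestamp-dependence", re.compile(r"\bblock\.timestamp\b"), "minor"),  # cf. SWC-116
]


def automated_scan(source: str) -> list[Finding]:
    """Stage 1: flag every line matching a rule. Cheap, but blind to context."""
    hits = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, severity in RULES:
            if pattern.search(text):
                hits.append(Finding(rule_id, lineno, severity, text.strip()))
    return hits


def state_write_after(source: str, call_line: int) -> bool:
    """Context check a reviewer applies to a value-call hit: does the same
    function body write storage (an assignment) after the call?"""
    lines = source.splitlines()
    assign = re.compile(r"^\s*\w+(\[[^\]]*\])?\s*([-+*/]?=)(?!=)")
    for text in lines[call_line:]:        # lines following the call
        if text.strip().startswith("}"):  # end of the function body
            return False
        if assign.match(text):
            return True
    return False


def manual_triage(source: str, findings: list[Finding]) -> list[Finding]:
    """Stage 2: line-by-line review. The reviewer's decisions are encoded as
    rules of thumb so the example runs offline; in practice this is a human step."""
    for f in findings:
        if f.rule == "value-call":
            if state_write_after(source, f.line):
                f.status, f.note = "confirmed", "state updated after external call"
            else:
                f.status, f.note = "false_positive", "checks-effects-interactions respected"
        elif f.rule == "tx-origin-auth":
            f.status, f.note = "confirmed", "authorization relies on tx.origin"
        elif f.rule == "timestamp-dependence":
            # A one-day lock does not need second-level precision: discard.
            f.status, f.note = "false_positive", "coarse time window; drift irrelevant"
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Counts in the shape the paper hand-codes from reports: total and major issues."""
    confirmed = [f for f in findings if f.status == "confirmed"]
    return {
        "automated_hits": len(findings),
        "false_positives": sum(f.status == "false_positive" for f in findings),
        "issues": len(confirmed),
        "major_issues": sum(f.severity == "major" for f in confirmed),
    }


if __name__ == "__main__":
    hits = manual_triage(SAMPLE_CONTRACT, automated_scan(SAMPLE_CONTRACT))
    for f in hits:
        print(f"L{f.line:>2} {f.rule:<22} {f.severity:<6} {f.status:<15} {f.note}")
    print(summarize(hits))
```

Running it produces three automated hits, of which the timestamp hit is discarded on review; the dictionary returned by `summarize` corresponds to the total-issue and major-issue figures the paper hand-codes from each report. The point of the second stage is the one the interviews make: the scanner cannot tell a benign timestamp use from a harmful one, and only a reviewer who knows the intended functionality can.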

We next examine the cross-sectional variation in audit characteristics based on whether the smart contract was audited by a top-quality auditor according to Boxmining. Boxmining ranks audit firms using a formula that considers the size and popularity of the audited projects in the portfolio, the expertise of the auditor in specific blockchains, and the production of high-quality audit reports that comprehensively address identified issues during the audit.Footnote 25 We find that, in general, top-quality auditors provide more detailed audit reports; they are more likely to report information on their audit team size, methods used, and days spent on the audit. We also find that top-quality auditors are more likely to use audit teams of five or fewer people, use a combination of manual and automatic processes about 88 percent of the time, and conduct longer audits, as measured in days. We later examine whether these differences mean that top-quality auditors identify more issues in their audits.

6.2 Audit report: inputs and outputs

Financial statement auditors typically conduct an audit to provide assurance as to whether the firm’s management has prepared financial statements in accordance with local accounting standards. Historically, this process was summarized in a coarse audit opinion. Recent regulatory interventions have led to a new generation of expanded audit reports that now include disclosures about significant matters in a company’s financial reporting and its audit (e.g., Minutti-Meza 2020). The goal of these expanded audit reports is to increase the information content and usefulness of audit opinions and help stakeholders better monitor auditors and managers. Similarly, system and organization control audits, which are AICPA-regulated technology audits of a cloud provider’s entire client-facing operations, also provide significant detail about the nature and outcome of the audits. In terms of length and detail provided, SCA reports resemble expanded financial audits and system and organization control audits.

With respect to audit report length, Table 5 Panel A shows that the average SCA report in our sample is 19.6 pages. This is much longer than expanded financial audit reports, which in the United Kingdom are only about 1.5 pages (Gutierrez et al. 2022). The length of SCA reports also exhibits considerable variation, with these reports being 11 pages at the 25th percentile and 25 pages at the 75th percentile of the distribution. Also, 71 percent of the SCA reports in our sample include a legal disclaimer.

Table 5 Overview of the DeFi audit reports

With respect to reported audit inputs, our data reveal that 73 percent of the reports in our sample contain a list of audit inputs. Audit inputs are defined as details regarding which aspects of the smart contract are being audited. For example, a typical audit report that provides inputs would list the exact tests that were conducted. For instance, in Appendix B, Hacken’s audit report on Merlin lists 26 items organized into two broad categories: code review and functional review. According to our discussions with several SCA firms, audit firms consider important trade-offs when choosing whether to include inputs in their audit report. On the one hand, detailing the list of inputs can act as a commitment device and signal the audit team’s effort, helping establish trust with the users and investors. On the other hand, the auditor may not want to publicly reveal its inputs and audit methodology, as doing so might compromise its competitive advantage or help hackers understand any weak points in the audit. In our sample of reports with nonmissing data, the average number of items checked in an SCA is 24.2, while the numbers of items checked at the 25th and 75th percentile are 21 and 34, respectively. Overall SCA reports are much more granular in their structure than SFA opinions.Footnote 26

We next consider variations in inputs within and across auditors. Figure 1 shows the percentage of audit reports with a list of inputs for each of the 25 largest audit firms by the number of reports audited in our sample.Footnote 27 Two patterns emerge. First, most auditors disclose inputs in their reports. Second, auditors who include a list of inputs in their reports do this across all of their reports. Using the same sample of audit reports from the 25 largest audit firms, Fig. 2 shows that the number of inputs in each audit report varies both within and across auditors. While there is some variation across auditors, with the mean number of items checked ranging between nine and 45 items for reports with nonmissing data, a significant part of the variation occurs within auditors. This variation presumably reflects differences in (1) code length and complexity across engagements and (2) clients’ and auditors’ preferences on the depth of the audit (Bauer et al. 2023).

Fig. 1 Top 25 auditors—percentage of reports per auditor with non-missing inputs. This figure shows the percentage of reports with non-missing inputs for the top 25 auditors (based on the number of reports in the sample for a given auditor). Non-missing inputs are defined as the reported number of items checked in each report

Fig. 2 Top 25 auditors—number of items checked per auditor. This figure shows the disclosed number of items checked for the top 25 auditors (based on the number of reports in the sample for a given auditor). The box plot provides the distribution of the number of items checked. Mean values are denoted by white circles, and the error bars indicate the standard deviation

Another dimension on which audit inputs vary is in their reference to best practices developed by industry players in the Ethereum ecosystem. While the audit report in Appendix B does not refer to these guidelines, Certik’s audit report on 12Ships in August 2019 provides a list of guidelines, a so-called smart contract weakness classification (SWC), and a statement that the evaluation of the smart contract code was conducted in adherence to industry standards and best practices. Our data reveal that 31 percent of the reports add direct references to SWC or other similar guidelines.

Third, we focus on the outputs of the audit process disclosed in the reports. Like financial audits, SCA reports do not guarantee the integrity of a smart contract. In fact, SCA reports often emphasize that audits should not be used as investment advice. About 71 percent of the reports in our sample contain some legal disclaimer and state that the auditor has not necessarily performed a product team verification or check of the off-chain business model.Footnote 28 Most SCAs in our sample are signed or approved explicitly or tacitly by the audit firm itself. Only 8 percent of the SCA reports in our sample are approved by a specific employee at the audit firm. Most SFAs are also signed or approved by the audit firm (although some new laws require that a specific partner approve each audit).Footnote 29

SCAs differ from SFAs in the nature and depth of the issues found during the audit and revealed in the report. For SFAs, Lennox et al. (2023) document that expanded audit reports from UK audit firms focus on a few different classes of material misstatements whose origins derive from public audit standards. In SCA reports, by contrast, issues are normally categorized according to their severity, with auditors creating their own classification schemes. The example in Appendix B shows that Hacken adopted a five-level scale of issues by severity. Certik’s audit of 12Ships in 2019 proposes three categories of risk level: critical, medium, and low. Peckshield provides a “vulnerability severity classification” in its 2020 audit report of 88MPH’s smart contract. This classification is a two-dimensional matrix based on the likelihood of an issue occurring and its potential impact.

Table 5 Panel A shows that 98 percent of the SCAs in our sample provide a detailed list of such audit outputs, whereas SFAs typically provide only a coarse audit opinion. Table 5 Panel A also shows that the SCA reports in our sample identify 6.68 issues on average, with 0.65 of those being major issues.Footnote 30 Interestingly, Fig. 3 documents that our reports contain tremendous variation among auditors in terms of total issues found.Footnote 31 For example, on average, audit reports from Certik identify 12 issues in total, while some others, like TechRate, do not report any issues. Most of these issues appear to be resolved by the client, as the average number of major pending issues is only 0.17. About 3 percent of the SCA reports in our sample provide a numeric passing score, with higher scores typically representing cleaner audit results. Those reports with a score, on average, provide a high score of over 80 percent. Importantly, we find that 51 percent of the reports in our sample provide some direct recommendations to the internal team on how to fix issues and improve the security of the smart contract. These results suggest that half of the engagements in our sample resemble an assurance engagement, while the other half are akin to a mix of assurance plus consulting services.

Fig. 3 Top 25 auditors—number of total issues found per auditor. This figure shows the disclosed number of total issues found for the top 25 auditors (based on the number of reports in the sample for a given auditor). The box plot provides the distribution of the number of total issues found. Mean values are denoted by white circles, and the error bars indicate the standard deviation

We conclude our examination of the content of the audit report by comparing audit reports in our sample based on whether the smart contract was audited by a top-quality auditor.Footnote 32 Table 5 Panel B shows that top-quality SCA firms tend to produce slightly longer audit reports. About 91 percent of these reports contain a legal disclaimer as opposed to only 67 percent of the other audit reports. Audit reports from top-quality auditors are less likely to provide a detailed list of items checked and less likely to refer to industry guidelines. However, we find no differences in the number of items checked, conditional on disclosing that list. The differences in output are striking. Top-quality auditors identify over nine issues on average, whereas other auditors identify fewer than one. Furthermore, top-quality auditors identify 0.6 more major issues. Top-quality reports are more likely to provide an audit score. They are also 10 times more likely to provide direct approval of the report by an employee and twice as likely to include recommendations geared primarily to the client’s internal development team. Given that the number of reported items checked does not differ across the two groups (for the reports with nonmissing data), this means that the yield, that is, the number of issues identified per item checked, is higher for top-quality audit firms.Footnote 33 Overall top-quality auditors appear to produce more detailed reports and conduct more rigorous audits, which leads to more material discoveries.

7 Event-study returns tests

Having empirically analyzed the inputs and outputs of SCA reports, we conclude our exploration of the emergence of auditing in the DeFi market by examining the value relevance of these reports to stakeholders. The value of auditing in the DeFi market cannot be inferred from the results of standard financial audits for two main reasons. First, securities regulations around the world typically mandate audits of public firms’ financial statements. In contrast, smart contract audits are voluntary, and DeFi ventures decide whether to release the audit report. Thus SCAs involve different economic incentives. Voluntary financial audits exist mostly for private firms without liquid trading of equity, so the value of those audits must be assessed indirectly through the financing frictions they alleviate (Minnis 2011; Kausar et al. 2016). One benefit of our setting is that we have liquid price data for a subset of unregulated ventures purchasing voluntary audits. Second, there are substantive differences between the institutional features of our setting and those of previously studied audit settings (see the discussion in Section 3).

Given the voluntary nature of smart contract audits, we predict that reports should, on average, bring value to the venture, as ventures purchase auditing services only if the expected benefits exceed the expected costs. This prediction is not without tension for multiple reasons. First, the unexpected timing of the release of smart contract audit reports coupled with the lack of a visible centralized repository might mute any market reaction, as in the context of voluntary sustainability reports (e.g., Haley et al. 2023). Second, given that smart contract auditing is in its infancy, it is unclear whether market mechanisms are mature enough to lend credibility to smart contract audits, for two reasons. The lack of (self-)regulation and the potential conflict of interest between auditors and programmers can reduce the value of auditing. And in the absence of legal enforcement of contracts and clear auditor liability, it is unclear whether concern about reputation disciplines auditors and thereby lends credibility to their work.

To measure the value of SCA reports, we adopt a widely used method from prior studies on SFAs, which typically examines the client’s stock price reaction on the release date of these reports.Footnote 34 Menon and Williams (2010), for example, examine returns to going-concern audit opinions over the three days beginning with the event date. Following this approach, we hand-collect the release dates from the SCA reports and examine venture returns on this date and over the following few days. One benefit of our setting is that the audit report is disentangled from the venture’s other business-related reporting. In contrast, publicly listed firms typically disclose a management report containing both financial statements and the audit opinion about those statements.Footnote 35

We first measure returns at the project level associated with the SCA report over the windows of [0, +1 day], [0, +3 days], and [0, +5 days], where day 0 is the release date of the audit report. We examine both unadjusted venture returns and adjusted venture returns, that is, venture returns less the contemporaneous return of Bitcoin, which we use as a proxy for the market return following the recommendation of Ramos et al. (2021).
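As an added example (not the paper’s code), the following Python computes the event-window returns just described from constructed daily closes for four tokens and for Bitcoin, drops events whose prices are missing, and reports the mean return and its t statistic per window; a final helper splits the events on a constructed prior-attack flag, the cut used in the cross-sectional tests later in this section. It assumes that each window [0, +h] runs from the close of the day before the release to the close of day +h, so that the release day itself is inside the window; the paper does not spell out this convention, so treat it as an assumption.

```python
"""Event-window returns around an SCA report release, as described in Section 7.
Added example, not the paper's code: price series, release dates and the
prior-hack flags are constructed. Window [0, +h] is measured from the close of
the day before release to the close of day +h (an assumed convention); the
adjusted return subtracts Bitcoin's return over the same window."""
from datetime import date, timedelta
from math import sqrt
from statistics import mean, stdev


def _series(start: date, prices: list[float]) -> dict[date, float]:
    """Daily close series keyed by calendar date (crypto trades every day)."""
    return {start + timedelta(days=i): p for i, p in enumerate(prices)}


START = date(2021, 5, 10)
# Constructed market proxy (Bitcoin) and token prices, USD closes.
BTC = _series(START, [50000, 51000, 50500, 52000, 52500, 51000, 52500, 53000])
TOKENS = {
    "alpha": _series(START, [1.00, 1.05, 1.08, 1.10, 1.12, 1.11, 1.15, 1.16]),
    "beta":  _series(START, [2.00, 2.00, 2.02, 2.05, 2.01, 2.03, 2.04, 2.06]),
    "gamma": _series(START, [0.50, 0.52, 0.55, 0.54, 0.57, 0.58, 0.57, 0.60]),
    "delta": _series(START, [3.00, 3.03, 3.09, 3.12]),   # short history: delisted
}
# Constructed events: (token, report release date, prior cyber attack on record?)
EVENTS = [
    ("alpha", date(2021, 5, 11), False),
    ("beta",  date(2021, 5, 12), True),
    ("gamma", date(2021, 5, 11), False),
    ("delta", date(2021, 5, 11), False),
]
WINDOWS = (1, 3, 5)   # [0, +1], [0, +3], [0, +5] days, day 0 = release date


def window_return(prices: dict[date, float], day0: date, horizon: int):
    """Buy-and-hold return over [day0 - 1, day0 + horizon]; None when a price is
    missing, which is how sample attrition enters the analysis."""
    p_start = prices.get(day0 - timedelta(days=1))
    p_end = prices.get(day0 + timedelta(days=horizon))
    if p_start is None or p_end is None:
        return None
    return p_end / p_start - 1.0


def event_returns(horizon: int, adjusted: bool) -> list[tuple[str, bool, float]]:
    """Per-event return for one window, optionally net of Bitcoin's return."""
    rows = []
    for token, day0, prior_hack in EVENTS:
        r = window_return(TOKENS[token], day0, horizon)
        m = window_return(BTC, day0, horizon) if adjusted else 0.0
        if r is None or m is None:
            continue                      # drop events without complete price data
        rows.append((token, prior_hack, r - m))
    return rows


def t_stat(values: list[float]) -> float:
    """One-sample t statistic for H0: mean = 0 (nan with fewer than two events)."""
    n = len(values)
    if n < 2:
        return float("nan")
    return mean(values) / (stdev(values) / sqrt(n))


def summarize(horizon: int, adjusted: bool) -> dict:
    """Table 6-style row: number of events, mean return and its t statistic."""
    vals = [r for _, _, r in event_returns(horizon, adjusted)]
    return {"n": len(vals), "mean": mean(vals), "t": t_stat(vals)}


def split_by_prior_hack(horizon: int, adjusted: bool) -> dict[bool, float]:
    """Table 7 Panel A-style cut: mean return with and without a prior attack."""
    groups: dict[bool, list[float]] = {True: [], False: []}
    for _, prior_hack, r in event_returns(horizon, adjusted):
        groups[prior_hack].append(r)
    return {k: mean(v) if v else float("nan") for k, v in groups.items()}


if __name__ == "__main__":
    for h in WINDOWS:
        for adj in (False, True):
            s = summarize(h, adj)
            print(f"[0,+{h}] {'adjusted' if adj else 'raw':<8} n={s['n']} "
                  f"mean={s['mean']:+.4f} t={s['t']:.2f}")
    print("by prior hack, [0,+1] raw:", split_by_prior_hack(1, False))
```

With these constructed series the [0, +1] window keeps all four events, while the longer windows drop the delisted token, which mirrors the attrition the paper discusses; on real data the same code would be fed CoinGecko closes and the REKT attack flags.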

Our returns analysis has significant sample attrition from the main sample because detailed returns data are unavailable for all the ventures in our sample. Such attrition is common in this literature. For example, Howell et al. (2020, Table 1) lose about 60 percent of their sample in an analysis of 1,520 initial coin offerings due to the lack of available returns data. This attrition has multiple origins. First, the decentralized nature of the market is such that there is no comprehensive dataset on prices. Second, many ventures do not attempt to get their tokens listed on an exchange platform, or they try but fail to do so. Keep in mind that the ability to list on exchanges is not random (Howell et al. 2020; Bourveau et al. 2022); thus our sample of protocols with available pricing data is likely biased in favor of larger and higher-quality ventures (Knechel et al. 2023).

Table 6 presents the empirical results on the venture price reaction to the release of SCA reports. The table shows that the mean project returns are positive and statistically significant for each event window, with magnitudes ranging from 2.8 percent to 4.6 percent (1 percent to 5 percent significance level). The magnitudes of the mean returns account for a meaningful proportion of the standard deviation of project returns (10 percent to 15 percent, depending on the window), which attests to the economic significance of the results.Footnote 36 Given a mean (median) market capitalization of $395 ($37) million, an audit report release is associated with an increase in value of $11.1 ($1) million based on unadjusted returns around the [0, +1 day] period. This magnitude is consistent with the results of Bhambhwani and Huang (2023), who find an average increase in total value locked of $35 million for the first audit and $9 million for any additional audits. To further confirm the plausibility of our return magnitudes, we compare them to other blockchain-related findings. For example, Joo et al. (2020) find negative abnormal returns of around 25 percent in the week following the announcement of negative events for the Ethereum blockchain (e.g., hacks or regulatory threats). Moreover, we compare our results to the negative cumulative abnormal returns after cyber attacks documented by Ramos et al. (2021), which range from minus 27 percent for Bitcoin, to minus 36 percent for Ethereum, to minus 31 percent for Ripple. To further put our magnitudes into perspective, we note that Menon and Williams (2010) find negative returns of about 4 percent over similar return windows for public firms releasing going concern SFA opinions. Table 6 also shows that the project-adjusted returns (project returns less Bitcoin contemporaneous returns) are positive and significant (5 percent to 10 percent significance level), except for the [0, +3 days] window. Overall, these findings suggest that the market generally reacts positively to the release of SCA reports.

Table 6 Smart contract audit report event returns

We next turn to cross-sectional variation in the returns. Our first cross-sectional test examines whether returns vary according to whether ventures have experienced a cyber attack before the audit. Companies that experience an adverse event (e.g., a restatement of their financial statements) tend to change auditors to restore their lost reputational capital (e.g., Mande and Son 2013). Table 7 Panel A shows that ventures that experienced such an attack see lower returns for their SCAs: on average, their returns do not differ statistically from zero. Firms that have not experienced such an attack see larger returns for their SCAs: on average, their returns exceed the returns from the overall sample average reported in Table 6. One interpretation of this result is that, after a venture experiences an attack, trust in that venture is largely lost, and even an independent audit cannot help the venture regain it. One caveat to this interpretation is that the lack of results on ventures that experienced an attack might reflect low statistical power.

Table 7 Cross-sectional tests of smart contract audit report event returns

Our second cross-sectional test compares the returns for SCAs that refer to a specific guideline (such as the Smart Contract Weakness Classification, SWC) or to best coding practices with the returns for those that do not. Unlike SFAs, SCAs do not need to abide by a universal standard or protocol issued by a formal body. However, as discussed in Section 3 and documented in Section 6, some firms refer to guidelines issued by third parties. Table 7 Panel B shows that only audits that refer to such industry best practices experience returns that are statistically significant and different from zero. This finding suggests that disclosing the use of externally developed guidelines could be a necessary condition for the perceived value relevance of smart contract audits. While our tests do not allow us to disentangle multiple potential mechanisms, the most likely explanation is that the use of common standards (1) increases the credibility of the report and (2) reduces users' information processing costs (Blankespoor et al. 2020).

Our third cross-sectional test focuses on SCAs that are approved by a specific employee at the audit firm versus those that are not. This test is analogous to examining SFAs that are signed by a specific partner as opposed to the audit firm itself (Doxey et al. 2021; Aobdia et al. 2024). Table 7 Panel C shows that returns are higher for audit reports approved by a named employee at the audit firm than for audit reports that do not name a specific person, although the difference between the two groups is not statistically significant. This pattern is nonetheless consistent with the idea that naming a specific employee at the audit firm adds value to the report, especially given the importance of the auditor's reputation in an unregulated market (Footnote 37).

We also perform several additional cross-sectional tests to assess how variations in the content of the audit report affect returns. In untabulated analyses, we fail to find a difference in returns around the release of the audit report when we split our sample at the mean or median of the number of issues detected in the report. Given the nonrandom sample attrition, we define our mean and median cutoff points using, alternatively, our full sample and our sample of protocols with prices. The lack of a difference is not necessarily surprising. In SFAs, a qualified opinion is a negative signal. To the extent that it brings new information to market participants, it should translate into lower returns. In SCAs, ventures choose to obtain an audit, and then DeFi ventures and audit firms jointly agree on the scope of the audit and the criteria used to evaluate the subject matter (Bauer et al. 2023). Hence reports containing issues might also reflect a more in-depth analysis of the underlying code. In other words, in an equilibrium where the expected number of issues detected is endogenously determined by the two contracting parties as a function of the depth of the audit, there is no clear prediction about differential market responses to clean versus qualified audit opinions.

We chose to assess the value relevance of smart contract audits by examining changes in prices around the release of audit reports. Note that an alternative approach is possible. Other studies examine whether market participants value SCAs by focusing on the total value of assets locked (TVL) in a given smart contract. This use of the total value locked resembles the banking literature's use of bank deposit levels to proxy for consumer confidence in a bank. Bhambhwani and Huang (2023) document a positive cross-sectional association between the existence of an audit and the total value locked. Exploiting granular time series and variation within and across firms in the timing and frequency of audits, Knechel et al. (2023) find that past smart contract audits are associated with a subsequent large increase in the total value of assets locked. Interestingly, they also find that market participants lose trust when the credibility of a recent audit is called into question by a breach, which leads to a significant drop in the total value locked. We view both approaches as presenting challenges and opportunities. In theory, event studies using returns over short windows provide cleaner identification. However, this conclusion rests on the assumption that prices are the best measure of the value of auditing in DeFi markets. This is not necessarily the case, given that tokens are primarily meant to be exchanged for (financial) services and not simply traded. In that sense, the total value locked offers a valuable alternative measure of the trust placed in a given protocol. That said, the total value locked can also be a noisy measure of a project's value, because the value locked fluctuates with the value of the underlying currency for reasons unrelated to the DeFi protocol per se (Footnote 38). In any event, we view our results using returns as complementing and triangulating the cross-sectional findings of Bhambhwani and Huang (2023) and the within-protocol findings of Knechel et al. (2023).

To summarize, we provide some of the first evidence that returns are consistently positive and economically significant around the release of the SCA reports in our sample. This finding suggests that SCAs add value to the clients that receive them. More broadly, it is consistent with theories suggesting that information intermediaries, such as auditors, reduce adverse selection problems by certifying the quality of a product (Admati and Pfleiderer 1990; Lizzeri 1999). This finding complements studies on the blockchain ecosystem that document the information verification role of analysts in the context of initial coin offerings (e.g., Bourveau et al. 2022; Lee et al. 2022).

8 Conclusion

Smart contracts play an increasingly important role in structuring and executing common DeFi financial transactions, such as loans and venture capital funding, with more than $200 billion now locked in such contracts (OECD 2022). A major risk when using smart contracts is that theft can result from programming errors and incomplete contracts (Makarov and Schoar 2022). We observe that DeFi ventures commonly use smart contract audits (SCAs) to mitigate these issues. Using a large hand-collected sample of SCAs, we find that (1) these audits are pervasive, (2) the audit firm market is composed of new entrants (as opposed to CPA firms), (3) these audits assess the security of the smart contract’s underlying code, (4) the audit inputs and outputs differ substantively from those of conventional financial audits, and (5) the market reaction to the release of the audit reports is positive and economically significant. SCAs are thus an important example of how blockchain technology is affecting the demand for audit services.

Overall our research speaks to recent critiques of the accounting literature that emphasize the need to broaden the understanding of the market for audit services by analyzing new settings and new data (e.g., Bloomfield et al. 2016; Gow et al. 2016; Knechel and Willenborg 2016; Gerakos and Syverson 2017). Studying other areas of the evolving DeFi market where external verification plays a role may be a fruitful path for future research.

Future research could also elaborate on the real effects of DeFi audits on user and investor outcomes, the scalability and performance of DeFi auditors facing supply-side constraints, the role of capital providers in helping to fund top-quality auditors, and the features of these audits that help generate trust in the unregulated DeFi ecosystem. Future research could also examine the emergence of different types of audits in DeFi markets, such as independent proof-of-reserves audits that verify the liquidity of a custodian.