After 7 years of cryptography and security audits, I've weathered my fair share of criticism, particularly on severity assignments and perceived superfluous issues in some of my reports. But let's talk about the state of smart contract audit reports, where this sort of problem appears to exist on a completely higher dimension. Small thread: 1/3

The alarm bells ring when audit firms boast about the unverifiable billions they've "saved". It feeds into a hype cycle where exaggerated claims like "100B USD+ in safeguarded token value" become the norm.

Audit report "findings" are another area of concern. Common "issues" include:

- Writing 10000000000 instead of 1e10? That's an issue!
- Spot a typo in your codebase or tests? Each one's an issue.
- Used redundant parentheses? That's a finding, too.

This practice of inflating reports with trivialities is harmful:

- Clients drown in low-quality reports bloated with trivial "findings".
- Auditors (like me) feel pressured to mimic this trend. If not, our succinct reports may be misconstrued as less thorough.

Ironically, only the auditing firms engaging in this practice benefit, bragging about "100,000+ disclosed issues" without revealing what percentage of those were typos.

Enough with the noise. Can we focus on quality over quantity?

@nadim My solution is usually to find at least one critical so they have nothing to complain about. :)

However, a customer basically told me: We preferred the previous auditor. He never found anything serious and we could check the regulatory box. You on the other hand are a massive PITA, you keep finding critical vulns.