Private Audit Pricing

[0xArowana]

This is just a general question on how auditing firms (including Cyfrin) typically arrive at a total price for an audit or other services and what the current rate as of today looks like.

I understand that the first general step is just scoping out the work and coming up with a time estimate based one lines of code and maybe a complexity score, but then is the price basically just an hourly rate times the number of hours? If so, what is a typical ballpark rate in today's market (I realize this probably varies wildly based on the firm's reputation)? Are there any add-ons/upsells that are typically sold? Also, what is a typical maximum number of auditors working simultaneously on a codebase and how would a firm determine if/when to put multiple auditors on a codebase?

I realize this is a lot of questions all at once but I'm just looking for a better understanding on how the industry works - thanks so much in advance!

[0xArowana]

On a related note, are there any other engagements that crypto security firms typically offer? Like extended periods of general security consulting during a protocol's development phase? Or being on call to help resolve an incident if one arises? Does Cyfrin offer any services like this that aren't just time-boxed audits?

[EngrPips]

I have never worked for a smart contract security firm as a security researcher to have an idea of all of this, so it is not my call to answer this. Maybe @PatrickAlphaC might want to say something when they are available.

[PatrickAlphaC]

There are a lot of security services firms offer:

• Fuzzing support
• Bug Bounties
• Red phones (on-call security)
• Monitoring
• Economic Risk assessment
• Retainers for continued audits

Lots of stuff :)

To answer your question on pricing, the answer is "it depends" on a lot of things. Maybe your team is familiar with the code so they go cheaper, maybe you have to learn a new skill, maybe you have 2-3 auditors on it...

Every team is different, and you can "expect" anything from:

$100 -> $50,000 a week on an audit.

For context, you can look at the nSLOC per $ on CodeHawks, where the target is $20 per line of code or more.

[0xArowana]

@PatrickAlphaC Thanks so much for such an insightful response - super helpful as always!

I've got a few followup questions whenever you get a chance...

• With respect to monitoring and red phones, would these two usually go hand in hand? Is there anything that a firm would monitor for other than a hack that requires an immediate response (maybe something like providing regular reports of suspicious activity that's not necessarily a hack)? Can you recommend any good resources to learn more about how to monitor a protocol's activity and also how to respond in a war room situation?
• What does Economic Risk assessment entail? Do you have any good examples of this or other resources you can recommend?

Once again, thanks for everything you do!

[PatrickAlphaC]

With respect to monitoring and red phones...

Yes! They often would go hand in hand! Right now, monitoring services are really junior in the web3 space, and it's sort of an untapped market IMO. We are working on some curriculum to hopefully teach the space to get better at web3 DevSecOps.

Economic Risk assessment entail...

You can look at services like gauntlet and chaos labs:

• https://www.gauntlet.xyz/
• https://chaoslabs.xyz/

They essentially do stuff like "If Aave sets the collateralization ratio of DAI to 75% from 70%, what are the risks with that?" or "Eigenlayer building an AVS for IPFS would have x, y, and z economic risks"

[0xArowana]

@PatrickAlphaC Thank you so much once again for all of this invaluable info!