How to Decide What Type of Security Review Your Project Needs
This guide compares different types of security reviews to help you choose the best approach for your project. The options include Private Team Security Review, Public Competition, Private Competition, Solo Review, and Formal Verification. Below is a comparison table followed by a summary of common practices and a budget-friendly alternative.
Comparison Table
| Metric | Private Team Security Review | Public Competition | Private Competition | Solo Review | Formal Verification |
|---|---|---|---|---|---|
| Ability to Pick Auditors with Relevant Knowledge | High: You can select auditors with specific expertise tailored to your project's needs. | Low: Open to all, so expertise varies widely; you may get auditors unfamiliar with your tech stack. | Medium: You can invite auditors with relevant skills, but the pool is limited to invited participants. | Medium: Depends on the individual auditor's expertise; limited by their knowledge scope. | High: Requires highly specialized auditors with formal methods expertise. |
| Filtering Garbage Issues | High: Professional auditors focus on high-quality, relevant findings with minimal noise. | Low: High volume of submissions, many low-quality or irrelevant, requiring significant filtering effort. Employing judges to sift through submissions increases costs. | Medium: Smaller pool reduces noise, but some irrelevant submissions may still occur. | High: A single auditor focuses on relevant issues, but quality depends on their skill. | High: Formal methods produce precise, verified results with minimal irrelevant findings. |
| Cost Efficiency to Attract Talent | Medium: Expensive due to hiring top-tier auditors, but targeted expertise justifies the cost. | Medium: Requires large prize pools to attract skilled participants, increasing costs despite crowd-sourcing. | Medium: Moderate costs for prizes and platform fees, but less than private team reviews. | High: Low cost (single auditor), but limited by individual capacity and expertise. | Low: Extremely expensive due to specialized skills and a time-intensive process. |
| Fix Reviews (verification of remediations) | High: Auditors often provide actionable feedback and can verify fixes post-review. | Medium: Some platforms allow fix verification, but follow-up is less structured. | Medium: Similar to public competitions, with slightly better follow-up due to the smaller group. | Medium: Depends on the auditor's willingness to review fixes; less formal process. | High: Formal verification ensures fixes align with specifications, often including re-verification. |
| "Stamp" of a Known Brand | High: Reviews by reputable firms provide a trusted badge for community credibility. | Medium: Platforms like Code4rena or Immunefi are recognized, but less prestigious than top firms. | Medium: Similar to public competitions, but limited to invited auditors, slightly reducing visibility. | Low: No brand recognition unless the solo auditor is well-known. | High: Formal verification by a reputable team is highly respected in technical communities. |
| Scalability for Large Projects | High: Teams can scale with project size, handling complex codebases effectively. | Medium: Crowds can handle large projects, but quality control becomes harder. | Medium: Limited by invited participants, which may not scale well for very large projects. | Low: A single auditor struggles with large, complex codebases. | Medium: Scalable for critical components, but not practical for entire large systems. |
Summary of Common Practices
Based on industry trends, projects typically weigh cost, expertise, credibility, and project size when choosing a security review. Project size strongly influences the choice: larger projects need more scalable approaches, while smaller projects can use simpler, cost-effective methods. Common approaches include:
Two Private Team Security Reviews: Many projects, especially larger ones, opt for two private reviews by different reputable firms to maximize expertise and issue coverage. This approach ensures high-quality findings, actionable feedback, and a trusted "stamp" for community confidence, though it comes at a higher cost. It is well-suited for large, complex projects due to its scalability.
One Private Team Review + One Public Competition: This hybrid approach leverages the expertise of a private team for thorough, targeted auditing and supplements it with a public competition to uncover additional issues through crowd-sourcing. It balances cost and coverage but requires effort to filter low-quality submissions from the competition. This is effective for medium to large projects where scalability and broad issue detection are needed.
Budget-Friendly Alternative
For projects with limited budgets, particularly smaller to medium-sized projects, a cost-effective strategy is:
One Private Team Security Review + One Solo Review: Combine a single private review by a reputable firm (for expertise and credibility) with a solo review by an experienced individual auditor (for cost savings). This approach maintains quality and a trusted "stamp" while reducing expenses compared to multiple private reviews or large competitions. Ensure the solo auditor has relevant expertise to maximize effectiveness. This is ideal for smaller projects where a single auditor can manage the scope effectively.