A development company was quoted $300,000 for a security audit during a preliminary market survey, a figure that shocked outsiders. Those familiar with the ins and outs of the blockchain world, however, were not at all surprised by the price.
Blockchain audits are notoriously expensive: in a preliminary market survey, some firms quoted up to $300,000. Yet those who know the blockchain world were not surprised by the hefty price tag in the least. A number of factors drive the high costs, including the extreme scarcity of audit teams with the required expertise.
For example, Atom Accelerator recently ran an RFP that culminated in a grant of $440,000 for Zellic to engage as an audit partner of Cosmos Hub over a period of two years. Zellic has performed audits for Cosmos Hub numerous times, including the Inactive Validator Set, Permissionless ICS, and Liquid Staking Module (engaged by Atom Accelerator).
The Inactive Validator Set engagement was a third-party audit of the codebase of the same name. Zellic completed it in two weeks for a total asking price of $59,500, which included Simply Staking's fee as an intermediary. Simply Staking also acted as intermediary for the Permissionless ICS third-party audit; that feature lets anyone create an opt-in consumer chain without a governance proposal, with the aim of launching chains faster and with less friction. Zellic's quote was $90,000 plus a 25% price buffer to absorb ATOM token volatility during the voting period, for a total of $121,500 including Simply Staking's fees.
Cosmos Hub spent $327,000 on one-off feature audits over the past year and a half, an average of $26,000 for each week in which audits took place. The grant engages Zellic on a 20-audit-week contract, which, thanks to Atom Accelerator's efforts, costs 16% less per week than Cosmos Hub previously paid.
A smart contract audit can take up to a month
The project's size and complexity are the primary factors determining how long a smart contract audit takes. Auditing a single token contract takes a couple of days; a decentralized application with complicated tokenomics takes up to a week; and the most advanced smart contract security audits take up to a month.
The duration also depends on whether the developer team wants a full security audit or only an interim report. It is generally better to audit the smart contract that has actually been deployed, not the copy on GitHub: doing so minimizes the risk of code churn and malicious last-minute changes, and it conveys a message of transparency to the user community.
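One concrete check behind the advice to audit the deployed contract rather than the repository copy is to confirm that the on-chain runtime bytecode matches what the audited source compiles to. The following is an added example, not code from the article or from any audit firm; the bytecode and metadata digests are constructed, and in practice the on-chain bytes would come from the `eth_getCode` JSON-RPC request the helper builds.

```python
# Added example (not from the article): compare deployed runtime bytecode with a
# local build of the audited source, ignoring only the CBOR metadata trailer that
# solc appends (it changes with comments or file paths, not with contract logic).
import json

def build_get_code_request(address: str, block: str = "latest") -> dict:
    """JSON-RPC request an auditor sends to a node to fetch deployed runtime code."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_getCode", "params": [address, block]}

def strip_solc_metadata(runtime: bytes) -> bytes:
    """Remove the solc CBOR metadata trailer if present, else return input unchanged.

    solc appends <cbor map><2-byte big-endian length of the map>; the map holds the
    metadata hash ("ipfs" or "bzzr") and the compiler version ("solc").
    """
    if len(runtime) < 2:
        return runtime
    cbor_len = int.from_bytes(runtime[-2:], "big")
    end = len(runtime) - 2
    start = end - cbor_len
    if cbor_len == 0 or start < 0:
        return runtime
    trailer = runtime[start:end]
    # Genuine trailer: CBOR map (major type 5) naming the compiler or a metadata hash.
    is_cbor_map = (trailer[0] & 0xE0) == 0xA0
    has_known_key = any(k in trailer for k in (b"solc", b"ipfs", b"bzzr"))
    if not (is_cbor_map and has_known_key):
        return runtime
    return runtime[:start]

def deployed_matches_source(onchain_runtime: bytes, compiled_runtime: bytes) -> bool:
    """True when the executable part of both bytecodes is byte-for-byte identical."""
    return strip_solc_metadata(onchain_runtime) == strip_solc_metadata(compiled_runtime)

# --- constructed sample data (not real contracts) ---
def _solc_trailer(ipfs_digest: bytes, version: bytes) -> bytes:
    # CBOR {"ipfs": <34 bytes>, "solc": <3 bytes>} followed by its 2-byte length (0x0033)
    cbor = b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_digest + b"\x64solc" + b"\x43" + version
    return cbor + len(cbor).to_bytes(2, "big")

CODE_A = bytes.fromhex("6080604052348015600f57600080fd5b50")  # constructed opcode prefix
CODE_B = bytes.fromhex("6080604052348015600f57600080fd5b51")  # one opcode differs
VERSION = b"\x00\x08\x14"
ONCHAIN = CODE_A + _solc_trailer(b"\x12\x20" + b"\x11" * 32, VERSION)
REPO_BUILD = CODE_A + _solc_trailer(b"\x12\x20" + b"\x22" * 32, VERSION)  # only comments changed
TAMPERED = CODE_B + _solc_trailer(b"\x12\x20" + b"\x11" * 32, VERSION)    # logic changed

if __name__ == "__main__":
    print(json.dumps(build_get_code_request("0x" + "ab" * 20)))
    print("repo build matches chain:", deployed_matches_source(ONCHAIN, REPO_BUILD))  # True
    print("tampered build matches chain:", deployed_matches_source(ONCHAIN, TAMPERED))  # False
```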
The audit's duration is also affected by whether it is manual or automated. Reviewing each function in the code by hand is time-intensive, but manual audits are more efficient in the sense that they reduce the risk of false reports: checking the code line by line helps surface hidden issues in its architecture and logic.
Binary analysis and cryptographic algorithm verification
Smart contract auditors perform binary analysis to make sure the code is free of backdoors, i.e. hidden mechanisms that let attackers access a system without authentication. To this end, the team verifies that no unauthorized entity can gain administrative access and inspects the transcoding and bonding protocols among participants. It also verifies the cryptographic algorithms in use and strengthens the overall security infrastructure.
Product security audits require deep knowledge of programming languages
Most software products integrate a user interface. In DeFi and Web3, smart contracts frequently interact with a backend server whose code may be proprietary or open source. The interface communicates with that backend and uses MetaMask or another local wallet to verify the user and sign transactions. There is often at least one database, such as PostgreSQL or MongoDB, and an OAuth2 authentication service such as AWS Cognito or Auth0.
Product security auditors verify that all components interact as expected, that each component performs its functions correctly, that no information leaks are possible, that system deployment procedures follow best practices, and that unauthorized access is prevented. These tasks require a strong understanding of large software project architecture and the ability to navigate codebases written in different programming languages. Typically the frontend is written in ReactJS, the backend is a mix of Golang, NodeJS, Python and so on, and the smart contracts are in Rust or Solidity. A wide range of tooling is involved, including blockchain nodes and Docker container management.
Penetration testers are well-versed in network protocols and architecture
Penetration testing focuses on the external API endpoints that Web2 backend services expose. Testers identify security flaws by calling some of these APIs with unexpected syntax to see whether privileged access can be obtained. This is a common attack vector, in which cybercriminals trick the system into leaking private data or performing another unauthorized action. Auditors are well-versed in network protocols such as TCP/IP, HTTP/HTTPS, UDP, DNS, and SMTP, as well as in infrastructure like firewalls, routers, switches, and their configurations. Familiarity with subnets and IP addressing (CIDR, NAT, VLANs, and VPNs) and tools like Wireshark to analyze packets