Cryptocurrency News

Why Blockchain Audits Are So Expensive: A Deep Dive into the Factors Behind the High Price Tag

2024/12/19 05:00

A development company quoted $300,000 for a security audit in a preliminary market survey, a figure that shocked outsiders. Those familiar with the ins and outs of the blockchain world, however, were not surprised by the high price at all.


Blockchain audits are notoriously expensive, with some firms quoting up to $300,000 for a preliminary market survey. However, those familiar with the ins and outs of the blockchain world were not surprised by the hefty price tag in the least. A number of factors necessitate the high costs, including the extreme scarcity of audit teams with the required expertise.


For example, Atom Accelerator recently ran an RFP that culminated in a grant of $440,000 for Zellic to engage as an audit partner of Cosmos Hub over a period of two years. Zellic has performed audits for Cosmos Hub numerous times, including the Inactive Validator Set, Permissionless ICS, and Liquid Staking Module (engaged by Atom Accelerator).


The Inactive Validators Set engagement was a third-party audit of the codebase of the same name. Zellic completed it in two weeks for a total asking price of $59,500, which included Simply Staking’s fee as an intermediary. The same entity also mediated the Permissionless ICS third-party audit; Permissionless ICS lets anyone create an optional consumer chain without a governance proposal, with the aim of launching chains faster and with less friction. Zellic’s quote was $90,000 plus a 25% price buffer to account for ATOM token volatility during the voting period. The total price, including Simply Staking’s fees, was $121,500.


Cosmos Hub spent $327,000 on one-off feature audits in the past year and a half, coming to an average of $26,000 for each week in which audits took place. The grant engages Zellic based on a 20 audit-week contract, which costs 16% less per week than Cosmos Hub paid, thanks to Atom Accelerator’s efforts.


A smart contract audit can take up to a month


The project’s size and complexity are the primary factors in determining how long a smart contract audit will take. Auditing a single token contract takes a couple of days, while a decentralized application with complicated tokenomics takes about a week. More advanced smart contract security audits can take up to a month.


The length also depends on whether the developer team wants a full security audit or only an interim report. It is generally better to audit the smart contract that has actually been deployed rather than the version on GitHub: this minimizes the risk of code churn and malicious last-minute changes, and it conveys transparency to the user community.
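One concrete way an auditor ties the reviewed source to what is actually on chain is to compile the repository locally and compare the result with the deployed runtime bytecode, ignoring only the solc metadata trailer that legitimately differs between builds. The script below is an added example, not code from the article or from Zellic; the bytecode values are constructed for illustration and the two-byte length convention of the CBOR trailer is the only solc detail it relies on.

```python
"""Compare on-chain runtime bytecode with a local compile (added example).

solc appends a CBOR metadata trailer to runtime bytecode; its last two
bytes hold the trailer length, so identical source can still differ there.
"""
from typing import Optional


def parse_hex(value: str) -> bytes:
    """Accept bytecode as a hex string with or without a 0x prefix."""
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)


def strip_solidity_metadata(code: bytes) -> bytes:
    """Drop the trailing CBOR metadata block and its 2-byte length field."""
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len + 2 > len(code):
        return code  # no plausible trailer: compare the whole blob
    return code[: -(meta_len + 2)]


def first_difference(deployed: bytes, compiled: bytes,
                     ignore_metadata: bool = True) -> Optional[int]:
    """Offset of the first differing byte, or None when the code is equal."""
    a, b = deployed, compiled
    if ignore_metadata:
        a, b = strip_solidity_metadata(a), strip_solidity_metadata(b)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def bytecode_matches(deployed: bytes, compiled: bytes,
                     ignore_metadata: bool = True) -> bool:
    return first_difference(deployed, compiled, ignore_metadata) is None


# Constructed sample (not a real contract): an 18-byte body followed by a
# 3-byte CBOR block and its big-endian length 0x0003.
BODY = parse_hex("0x608060405234801561001057600080fd5b50")
ONCHAIN = BODY + parse_hex("a101020003")                   # build A trailer
LOCAL = BODY + parse_hex("a101030003")                     # build B trailer
TAMPERED = BODY[:5] + b"\xff" + BODY[6:] + parse_hex("a101020003")

if __name__ == "__main__":
    print(bytecode_matches(ONCHAIN, LOCAL))    # True: only metadata differs
    print(first_difference(ONCHAIN, TAMPERED)) # 5: executable code differs
```

In practice the deployed bytes come from the node's `eth_getCode` response and the local bytes from the build artefact; any non-None offset on the stripped code means the audited source is not what users are interacting with.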


The audit’s duration is also affected by whether it is manual or automated. Reviewing the individual functions in the code by hand is time-intensive. However, manual audits are more efficient because they reduce the risk of false reports: they involve checking the code line by line to identify hidden issues in its architecture and logic.


Binary analysis and cryptographic algorithm verification


Smart contract auditors perform a binary analysis to make sure the code is free from backdoors, i.e. hidden mechanisms that let an attacker access a system without authentication. To this end, the team makes sure no unauthorized entities can gain administrative access and inspects the transcoding and bonding protocols among participants. It also verifies the cryptographic algorithms in use and enhances the overall security infrastructure.


Product security audits require deep knowledge of programming languages


Most software products integrate a user interface. In DeFi and Web3, smart contracts frequently interact with a backend server whose code can be proprietary or open-source. The interface communicates with the backend server and uses MetaMask or another local wallet to verify the user and sign transactions. There is often at least one database, such as PostgreSQL or MongoDB, and an OAuth2 authentication service such as AWS Cognito or Auth0.


Product security auditors verify that all components interact with each other as expected, each component performs its functions correctly, no information leaks are possible, system deployment procedures follow best practices, and unauthorized access is prevented. These tasks require a strong understanding of large software project architecture and the ability to navigate codebases written in different programming languages. Typically, the frontend is written in ReactJS, while the backend is a mix of Golang, NodeJS, Python, etc. The smart contracts are in Rust or Solidity. A wide range of tools is involved, including blockchain nodes and Docker container management techniques.


Penetration testers are well-versed in network protocols and architecture


Penetration testing focuses on the external API endpoints that Web2 backend services expose. Testing auditors probe for security flaws by calling some of these APIs with unexpected syntax in an attempt to obtain privileged access. This is a common attack vector, in which cybercriminals trick the system into leaking private data or performing another unauthorized action. Auditors are well-versed in network protocols such as TCP/IP, HTTP/HTTPS, UDP, DNS, and SMTP, as well as architecture like firewalls, routers, switches, and their configurations. Familiarity with subnets and IP addressing (CIDR, NAT, VLANs, and VPNs) and tools like Wireshark to analyze packets


Source: thecryptobasic.com
