Crypto Due Diligence
How to Read a Crypto Audit Report: Scope, Findings, Fixes, and Gaps
2026-07-10 · BlockMind Research Team
Key takeaway: An audit report is evidence that a defined scope received a defined review during a defined period. It is not a safety certificate. Verify the auditor-hosted report, exact commit and files, chain and deployed addresses, methodology, unresolved findings, remediation evidence, privileged controls, and changes made after the review. If the audited code does not match the current deployment, the logo is not meaningful coverage.
What does a crypto audit report actually prove?
A smart contract audit report documents what one or more reviewers examined, the methods they used, the issues they identified, and the project’s response within a stated engagement.
It can support claims such as:
- A specific code revision was independently reviewed
- Reviewers used manual and automated techniques described in the report
- Particular findings were reported with stated severity
- A follow-up revision addressed or acknowledged findings
It cannot, by itself, prove:
- The current deployment matches the reviewed code
- Every vulnerability was found
- Economic design and oracle assumptions are sound
- Admin keys are secure
- Front ends, bridges, dependencies, and off-chain services are safe
- The team is honest
- Future upgrades will be audited
Ethereum.org explicitly advises against treating audits as a silver bullet and notes that they may miss bugs (ethereum.org). That limitation should appear in every serious audit interpretation.
Scope and assumptions: This guide helps non-auditors inspect public smart-contract security reports. It does not reproduce a security review, certify code, or replace qualified technical analysis. Never interact with a contract solely because it has an audit badge.
This is research, not financial advice. BlockMind’s agent cannot transact, approve contracts, withdraw, or move funds.
An audit review belongs inside the complete pre-buy crypto due diligence process; it cannot replace team, tokenomics, liquidity, governance, and deployment checks.
The audit coverage equation
Think of usable coverage as an intersection:
Usable audit coverage
= verified report authenticity
∩ exact code scope
∩ matching deployment
∩ resolved or accepted findings
∩ no material unaudited changesIf any part is missing, describe the gap. Do not collapse the result into “audited” or “not audited.”
Step 1: verify the report is authentic
Find the report on the auditor’s official domain or official repository, not only on the project’s website.
Record:
- Auditor legal or project name
- Report URL
- Publication and engagement dates
- Final versus draft status
- Named project and product
- Report version
- Auditor signature, hash, or official repository reference if provided
A logo carousel is not a report. A screenshot of an executive summary is not a report. A report uploaded only by the client deserves additional confirmation from the auditor.
Step 2: map the exact scope
Extract the scope before reading the findings.
| Scope field | What to record |
|---|---|
| Repository | Canonical URL and organization |
| Revision | Commit hash, tag, or archive hash |
| Files | Included directories/contracts |
| Exclusions | Tests, dependencies, front end, scripts, oracle, bridge, deployment |
| Chain | Network and execution environment |
| Assumptions | Trusted roles, external services, invariants |
| Duration | Review period and person-days if disclosed |
| Methodology | Manual review, tests, static analysis, fuzzing, formal methods |
Then ask what was not reviewed. Many important failures sit at system boundaries: price feeds, key management, deployment configuration, upgrade process, and external integrations.
Step 3: match audited source to deployed code
Source-code verification and formal verification are different. Ethereum.org explains that source verification checks whether published source compiles to the bytecode at an address, whereas formal verification tries to prove specified correctness properties (ethereum.org). A “verified” explorer badge does not mean “audited” or “correct.”
For each live contract:
- Record chain and address from current official documentation.
- Confirm explorer source verification.
- Determine whether it is a proxy.
- Resolve the current implementation address.
- Compare implementation source with the audited commit.
- Record constructor or initializer parameters.
- Identify linked libraries and external dependencies.
- Check deployment date against audit date.
If exact bytecode reproduction is beyond your ability, mark the match unverified and seek a reproducible build or technical review. Do not infer equivalence from matching filenames.
Proxy and upgrade checks
For an upgradeable system, capture:
- Proxy and current implementation addresses
- Proxy admin or upgrade authority
- Multisig threshold and signer disclosure, if public
- Timelock delay
- Emergency pause authority
- Upgrade events since the audit
- Whether each implementation revision was reviewed
An old audit may still cover unchanged components, but the current system needs a component-by-component map.
Step 4: interpret finding severity correctly
Severity usually combines impact and likelihood, but each auditor defines categories differently. Read the report’s own rubric.
Common labels include:
- Critical
- High
- Medium
- Low
- Informational or note
Do not compare counts across firms without aligning definitions. One report may classify centralization or specification issues as informational; another may assign severity.
For every finding, record:
| Field | Question |
|---|---|
| ID/title | Can you track it across revisions? |
| Affected code | Is it still deployed? |
| Preconditions | What must be true to exploit it? |
| Impact | What can be lost, changed, or blocked? |
| Likelihood | How reachable are the preconditions? |
| Recommendation | What did the auditor ask for? |
| Client response | Fixed, acknowledged, disputed, accepted risk? |
| Retest evidence | Did the auditor verify a revised commit? |
| Residual risk | What remains after the fix? |
“Resolved” should mean more than a client comment. Look for the fix commit and auditor retest status.
Step 5: distinguish remediation statuses
Use precise statuses:
- Fixed and retested: Auditor reviewed the change and marked it resolved
- Fixed, not retested: Client supplied a change, but no auditor confirmation is shown
- Partially fixed: Some exposure remains
- Acknowledged: Client accepts the observation without changing code
- Risk accepted: Client knowingly leaves the behavior
- Disputed: Client and auditor disagree
- Not applicable: The finding does not apply under a documented design assumption
- Open: No adequate resolution is documented
An acknowledged high-severity issue is not “closed” in the same sense as a retested fix.
Step 6: inspect privileged and economic controls
Security is broader than reentrancy and arithmetic.
Ask:
- Who can mint, freeze, pause, upgrade, or rescue assets?
- Can an admin change fees, collateral factors, oracle, or withdrawal rules?
- Is there a timelock, and can it be bypassed?
- Can governance be captured by concentrated voting power?
- What happens if an oracle halts or returns a bad value?
- Are rate limits, caps, or circuit breakers enforced?
- Can external calls or tokens behave unexpectedly?
- Does the system assume honest keepers, relayers, sequencers, or validators?
The Solidity documentation maintains a current list of security considerations and known pitfalls, including external calls, gas limits, authorized proxies, and failure-handling concerns (Solidity docs). Use it as a prompt list, not evidence that a particular contract is vulnerable.
Step 7: look for defense in depth after the audit
An audit is one layer. Stronger evidence includes:
- Unit, integration, invariant, and fuzz tests
- Formal specifications for critical properties
- Independent reviews by different teams
- Public bug bounty with meaningful scope
- Monitoring and incident-response plan
- Timelocks, pause mechanisms, caps, and multisigs
- Reproducible builds and verified source
- Transparent disclosure of incidents and postmortems
Ethereum.org recommends combining testing approaches and independent review because no single technique finds everything (testing guide).
Worked hypothetical: “Delta Vault”
Delta Vault is fictional. This is not a real audit assessment or endorsement.
The project page displays “Audited by SecureCo.” The final SecureCo report is authentic and lists:
- Repository:
delta/vault - Commit:
a1b2c3 - Scope: vault accounting and withdrawal contracts
- Excluded: oracle adapter, deployment scripts, front end
- Findings: one high, two medium, five low
Verification finds:
- The high-severity accounting issue is fixed in
d4e5f6and marked retested. - One medium finding about privileged fee changes is “acknowledged,” not fixed.
- The live vault is a proxy deployed after the report.
- Its current implementation maps to
h7i8j9, three releases after the retested commit. - The later release changed the excluded oracle adapter and withdrawal queue.
- A two-of-three multisig can upgrade immediately; there is no timelock.
Responsible conclusion:
The audit is authentic and provides evidence for the scoped contracts at the retested revision. The current deployment contains material later changes and an excluded oracle component, so full deployment coverage is unverified. A medium privileged-control issue remains acknowledged, and immediate two-of-three upgrades create residual admin risk.
“Audited” would have hidden every important detail.
An audit report reading template
REPORT IDENTITY
- Auditor-hosted final URL:
- Dates and version:
- Project/product:
SCOPE
- Repository:
- Commit/tag/hash:
- Included files:
- Excluded components:
- Methodology and timebox:
- Stated assumptions:
DEPLOYMENT MATCH
- Chain and addresses:
- Proxy / implementation:
- Verified source:
- Audited revision match:
- Post-audit changes:
FINDINGS
- Critical/high/medium/low counts under auditor rubric:
- Open or accepted findings:
- Fixed and retested findings:
- Residual risks:
PRIVILEGED CONTROLS
- Upgrade authority:
- Multisig threshold:
- Timelock:
- Pause/freeze/mint/rescue powers:
DEFENSE IN DEPTH
- Tests/formal methods:
- Bug bounty:
- Monitoring/incident response:
- Additional audits:
CONCLUSION
- What the audit supports:
- What it does not support:
- Unresolved verification tasks:Audit red flags
- No full report or auditor-side confirmation
- Report marked draft or preliminary
- Scope has no commit, tag, files, or hash
- Audit predates a major deployment or upgrade
- Current addresses are missing from official docs
- Explorer source is unverified or only partially matched
- Proxy implementation has changed since review
- Findings are called “resolved” based only on client statements
- High-impact observations are “acknowledged” without residual-risk explanation
- Auditor’s disclaimers and exclusions are omitted from marketing
- Audit covers a token contract while the value-bearing protocol is unaudited
- Multiple audits all review the same old revision
- No incident plan, monitoring, or bug bounty for a high-value protocol
Limitations and counterevidence
- A clean report may reflect good code, a narrow scope, a short timebox, or missed issues.
- A report with many findings can indicate weak initial code or a thorough review followed by strong remediation.
- Public readers may be unable to reproduce builds or assess exploitability.
- An auditor’s reputation is relevant but not a guarantee.
- Formal verification proves specified properties; a bad or incomplete specification can miss system risk.
- Bug bounties and multiple audits improve coverage but cannot eliminate risk.
Do not rank projects by finding count alone.
Using BlockMind to organize an audit review
A BlockMind agent can locate the auditor-hosted report, extract scope and findings, compare current documentation, and visit explorer and repository pages through its browser capability. It can save the scope map and unresolved checks in your Notebook.
Ask:
“Read this final audit report. Extract the exact scope, commit, exclusions, severity rubric, every non-retested or accepted finding, and all privileged-control assumptions. Then compare the current official deployment addresses and implementation revision. Mark anything you cannot verify as unknown.”
AI extraction can be wrong. Use the AI Crypto Analysis Verification Protocol, and include audit evidence inside the broader manual DYOR checklist.
The Bottom Line
A smart contract audit is a scoped review, not a transferable seal of safety. Verify the report’s authenticity, exact revision, included and excluded components, deployment match, remediation status, admin powers, and every post-audit change.
The right conclusion is specific: which code received which review, which findings remain, and whether that evidence still reaches the contracts users interact with today.