Recently, DEX Merlin on zkSync was hacked for over $1.1 million. The project had been audited by CertiK, the firm that accounts for roughly 70% of all audits in web3.

Does an audit guarantee that a project is safe?

Let's look at the "REKT" database maintained by the De.Fi service, which holds more than 3,000 records of web3 hacks and exit scams going back to 2011.

//CertiK

This company performs the largest number of audits in web3. Of its roughly 3,700 audited projects, 33 appear in the "REKT" database: they were audited and were hacked anyway.

The recent DEX Merlin hack has not yet been added to the database; once it is, Merlin becomes number 34 on the "audit failed" list.

//PeckShield Inc

Second place in this anti-rating, with 18 audited projects that were later hacked or rug-pulled.

//DeFi Safety

Next, with 12 hacked projects. On the positive side, no project audited by this firm since 2021 has been hacked.

[Table: ratio of audits to hacks per audit firm]

The table in the header of the post should not be taken as the final word on how well audit firms perform, because it is too coarse: it counts incidents without distinguishing a bug in audited code from an exit scam by the team or a compromised admin key. Each hacking case must be assessed individually.

The main idea we want to convey: audits do not guarantee security.

Typically, an audit follows a generic checklist of known vulnerability classes (reentrancy, access control, arithmetic, oracle manipulation and so on). But every project has its own code and architecture, and the bugs that get through are usually protocol-specific logic errors or privileged roles that the checklist does not flag as a finding. That is why the scope of an audit matters as much as the name on the report: check which contracts and which commit were reviewed, whether the deployed bytecode matches that commit, and whether the report's unresolved or "acknowledged" issues, especially centralization risks, were ever fixed.

Is it realistic to complete an in-depth audit of a whole protocol within a month? We have serious doubts.

Let's sum it up

An audit raises the likelihood that funds placed in a given smart contract are safe, and unaudited projects are more exposed to hacks and theft than audited ones.

Remember: there are no 100% guarantees anywhere, and audits are no exception. Be careful, DYOR, and diversify.