In a smart contract audit, the audit scope is a formally documented agreement that precisely outlines the components under review. This includes the specific smart contract files, their deployed addresses, associated libraries, and any off-chain infrastructure or oracles that interact with the system. Crucially, it also defines exclusions, such as economic or game theory risks, front-end applications, or dependencies outside the specified version control commit hash. A clear scope prevents misunderstandings and ensures both the audit team and the project developers have aligned expectations for the security assessment.
LABS
Glossary
Audit Scope
Audit scope defines the specific code, functions, and systems a security review will examine, including smart contracts, dependencies, and access controls.
Chainscore © 2026
definition
BLOCKCHAIN SECURITY
What is Audit Scope?
The audit scope defines the specific boundaries and objectives of a smart contract security review, detailing what will and will not be examined.
Establishing a precise scope is critical for audit effectiveness and efficiency. It allows auditors to focus their manual review and automated analysis tools—like static analyzers and fuzzers—on the correct codebase. For complex protocols, the scope may be divided into phases, targeting core contracts first before moving to peripheral modules. Key elements detailed in the scope document are the code commit hash or release tag to be audited, the specific functions and security properties to be tested (e.g., access control, financial logic, upgrade mechanisms), and the depth of analysis for any integrated third-party code.
A well-defined audit scope directly impacts the audit report's reliability and the actionable nature of its findings. Vague or overly broad scopes can lead to missed vulnerabilities, while overly narrow scopes may ignore critical integration points. For example, auditing a DeFi lending protocol's core logic without including its price oracle integration would be a critical oversight. Ultimately, the scope serves as the foundational reference for the entire engagement, guiding the testing methodology and forming the basis for the final attestation of the code's security posture within the examined parameters.
how-it-works
BLOCKCHAIN SECURITY
How is an Audit Scope Defined?
The audit scope is the formal, documented agreement between an auditor and a client that precisely outlines the boundaries, objectives, and limitations of a smart contract security review.
An audit scope is defined through a collaborative process initiated by a Request for Proposal (RFP) or a detailed project kickoff. The client provides the auditor with critical materials, including the source code repository, technical documentation, architecture diagrams, and a list of specific concerns or high-risk functions. This initial dataset allows the auditor to understand the system's complexity and propose a tailored review strategy. The scope explicitly states what is and, crucially, what is not covered, such as excluding front-end interfaces, peripheral scripts, or economic model analysis unless specifically requested.
The formal scope document typically specifies several key dimensions: the codebase version (e.g., specific Git commit hash) to be examined, the testing methodologies to be employed (e.g., manual review, static analysis, dynamic/fuzz testing), and the depth of review (e.g., full or partial, line-by-line analysis). It also defines deliverables, such as an initial report, a mitigation review, and a final certificate. Clear exclusions are vital—common exclusions include audits of oracle data sources, centralization risks of admin keys, and the security of any underlying blockchain or virtual machine itself.
A well-defined scope aligns expectations and prevents scope creep. It ensures the audit team focuses its resources on the agreed-upon components, such as core smart contracts for a DeFi protocol's lending pool, while not being responsible for unaudited factory contracts or user interface code. The process often involves negotiating priorities; for instance, a client may request focused attention on a novel algorithm or the upgradeability mechanisms of their proxy architecture, which would be explicitly called out in the scope.
Finally, the scope is not static. It may be amended through change orders if significant issues are discovered that require examining related, out-of-scope code, or if the client deploys new contracts mid-audit. The signed scope agreement serves as the foundational document governing the engagement, ensuring the audit's findings are valid only for the specified code version and components, which is a critical disclaimer for users and investors relying on the audit report.
key-components
AUDIT SCOPE
Key Components of an Audit Scope
An audit scope is a formal document that defines the boundaries, objectives, and methodology of a smart contract security review. It ensures alignment between the client and the auditing firm on what will be tested and what is considered out-of-scope.
01
Codebase Definition
This component specifies the exact smart contract source code to be reviewed, including repository links, commit hashes, and specific file paths. It defines the code freeze point, ensuring the audit is performed on a static version of the code. Out-of-scope elements like third-party libraries or front-end code are explicitly listed here to prevent scope creep.
02
Security Objectives & Focus Areas
This outlines the primary security goals of the audit, such as identifying vulnerabilities that could lead to fund loss, access control failures, or logic errors. It details the specific testing methodologies to be employed, including:
- Manual Code Review
- Static Analysis
- Dynamic Analysis / Fuzzing
- Formal Verification (if applicable) The focus areas prioritize critical functions like token minting, withdrawals, and admin controls.
03
Deliverables & Reporting
This defines the tangible outputs the client will receive. The core deliverable is the final audit report, which includes a severity classification (e.g., Critical, High, Medium, Low) for each finding, detailed descriptions, code snippets, and remediation recommendations. The scope may also specify the format (PDF, markdown), timelines for preliminary and final reports, and any post-remediation verification.
04
Assumptions & Limitations
This critical section establishes the contextual boundaries of the audit. It lists assumptions made by the auditors (e.g., certain privileged addresses are trusted, oracle prices are correct) and acknowledges inherent limitations. Key limitations often include:
- Economic/modeling risks are not financial advice.
- The audit is a snapshot in time and does not guarantee future security.
- Excluded components (e.g., centralized backend servers) are not assessed. This manages expectations and defines the audit's warranty.
common-in-scope-items
AUDIT SCOPE
Common In-Scope Items
A smart contract audit's scope defines the specific components and attack vectors that will be examined. These are the core elements typically analyzed to assess security, functionality, and economic soundness.
01
Core Protocol Logic
The primary focus is on the business logic of the smart contracts, including state transitions, access controls, and the correctness of mathematical operations (e.g., interest rate calculations, swap formulas). Auditors verify that the code's behavior matches its specification and intended design, ensuring there are no logic flaws that could lead to fund loss or protocol manipulation.
02
Access Control & Privileges
A critical review of administrative functions, owner privileges, and upgrade mechanisms. This includes analyzing:
- Role-based permissions and multi-signature requirements.
- Timelocks on sensitive operations.
- The security of proxy upgrade patterns (e.g., Transparent vs. UUPS).
- Risks of centralization and single points of failure.
03
Tokenomics & Economic Security
Evaluation of the system's incentive structures and economic attack vectors. Auditors model scenarios for:
- Flash loan attacks and oracle manipulation.
- Liquidity pool imbalances and arbitrage opportunities.
- Staking, reward distribution, and inflation mechanisms.
- Potential for governance attacks or vote manipulation.
04
External Integrations & Oracles
Analysis of dependencies on external systems, which are common attack surfaces. This covers:
- Oracle usage (e.g., Chainlink, Pyth) for price feeds and data reliability.
- Cross-chain bridges and layer-2 communication.
- Interactions with other DeFi protocols (composability risks).
- ERC-20 token compliance and callback handling.
05
Gas Optimization & Denial-of-Service
Review of code efficiency and resilience against block gas limit issues and Denial-of-Service (DoS) attacks. Auditors identify:
- Loops that could run out of gas or become prohibitively expensive.
- State variable packing and storage operation costs.
- Front-running vulnerabilities and transaction ordering dependencies.
06
Code Quality & Standards
Assessment of general software engineering best practices and adherence to established standards. This includes:
- Compliance with relevant Ethereum Improvement Proposals (EIPs) like ERC-20, ERC-721.
- Use of battle-tested libraries (e.g., OpenZeppelin Contracts).
- Code readability, documentation (NatSpec), and test coverage.
- Proper handling of overflows/underflows and use of SafeMath patterns.
common-out-of-scope-items
AUDIT SCOPE
Common Out-of-Scope Items
A smart contract audit is a targeted review, not a guarantee of perfection. These are typical areas explicitly excluded from standard security assessments.
01
Centralized Components & Oracles
Audits focus on on-chain smart contract logic. They do not assess the security or reliability of off-chain components like admin private keys, backend servers, or the data feeds provided by oracles (e.g., Chainlink, Pyth). A contract is only as secure as its weakest dependency.
02
Economic & Token Model Risks
Auditors verify code executes as written, not whether the underlying economic design is sound. This includes:
- Tokenomics sustainability and inflation schedules.
- Ponzi scheme mechanics or unsustainable yields.
- Market manipulation risks and liquidity pool imbalances.
- The fundamental business logic and incentive alignment.
03
Frontend & Client-Side Security
The audit scope is the smart contract itself, deployed on the blockchain. It does not cover:
- Website (dApp) vulnerabilities like XSS or phishing.
- Wallet integration issues or malicious browser extensions.
- User private key management and social engineering attacks. A secure contract can still be compromised via an insecure frontend.
04
Blockchain Protocol & Network Risks
The audit assumes the underlying blockchain protocol (e.g., Ethereum, Solana) operates as designed. It does not assess:
- Consensus mechanism failures (e.g., 51% attacks).
- Network congestion and high gas fee scenarios.
- Validator/node client bugs outside the EVM or runtime.
- Future hard forks or protocol-level changes.
05
Legal & Regulatory Compliance
A technical audit is not a legal review. It does not evaluate:
- Compliance with securities laws (e.g., Howey Test).
- AML/KYC (Anti-Money Laundering/Know Your Customer) obligations.
- Tax treatment of transactions or token distributions.
- Adherence to specific jurisdictional financial regulations.
06
Testing Exhaustiveness & Future Code
An audit is a point-in-time review of a specific codebase version. Key limitations include:
- Formal verification is not always performed; testing is often sample-based.
- Gas optimization suggestions are advisory, not exhaustive.
- Future upgrades or unaudited proxy implementations are not covered.
- The test coverage of the development team's own suite is assumed but not fully re-executed.
AUDIT STRATEGY
Narrow vs. Broad Audit Scope: A Comparison
A comparison of the core characteristics, trade-offs, and typical use cases for defining a focused versus a comprehensive smart contract audit scope.
| Characteristic | Narrow Scope | Broad Scope |
|---|---|---|
Primary Objective | Targeted review of critical functions or recent changes | Comprehensive security assessment of the entire system |
Code Coverage | Specific modules, functions, or diff from previous audit | Entire codebase, including dependencies and integrations |
Time to Completion | 1-2 weeks | 4-8 weeks |
Cost Estimate | $10K - $30K | $50K - $200K+ |
Depth of Analysis | Deep focus on specified areas; may miss systemic issues | Holistic view; identifies integration and architectural risks |
Best For | Post-audit fixes, limited upgrades, or budget-constrained projects | New protocol launches, major upgrades, or high-value DeFi applications |
Risk of Missed Issues | Higher for out-of-scope components | Lower, but contingent on auditor bandwidth and expertise |
Auditor Resource Allocation | Concentrated team effort on defined targets | Larger team or longer engagement covering all components |
importance
AUDIT SCOPE
Why is Defining Scope Critically Important?
The audit scope is the formal, agreed-upon boundary of a security review, detailing what is and is not included. Its precise definition is a foundational step that determines the audit's effectiveness, cost, and legal standing.
Defining the audit scope establishes the technical and functional boundaries of the review, explicitly listing the smart contracts, libraries, and dependencies to be analyzed, as well as any that are explicitly excluded. This prevents scope creep—the uncontrolled expansion of work—and ensures all parties have aligned expectations. A well-defined scope document typically includes the commit hash or deployment address of the code, the specific functions or modules in focus, and any assumptions about the underlying blockchain or oracle behavior.
From a resource and commercial perspective, a precise scope directly dictates the audit's timeline, cost, and the required expertise of the reviewing team. Auditing a full DeFi protocol with complex math is fundamentally different from reviewing a simple NFT minting contract. Without clear boundaries, auditors may inadvertently spend time on out-of-scope code, leading to budget overruns and delayed reports, or worse, miss critical in-scope vulnerabilities because assumptions were unclear.
The scope also defines the security objectives and testing depth. It specifies whether the review is for functional correctness, economic security (e.g., incentive misalignments), or centralization risks. Furthermore, it outlines the testing methodologies to be employed, such as manual review, static analysis, fuzzing, or formal verification. This ensures the audit targets the client's specific risk profile, whether for a nascent startup or a multi-billion dollar protocol undergoing a routine upgrade.
Legally and procedurally, the signed scope document serves as the governing agreement between the auditor and the client. It forms the basis for the audit report's limitations and disclaimers, legally bounding the auditor's liability to the reviewed code. If a vulnerability is later discovered in an excluded dependency or a function declared out-of-scope, the scope document provides clear recourse and responsibility attribution, protecting both parties.
security-considerations
AUDIT SCOPE
Security Considerations & Scope Gaps
An audit scope defines the specific components, contracts, and functionalities a security review will examine. A clearly defined scope is critical; gaps can leave critical vulnerabilities undiscovered.
01
What is Audit Scope?
The audit scope is the formal, documented boundary of a security review, specifying which smart contracts, libraries, and system interactions will be analyzed. It explicitly defines what is included (e.g., core protocol logic, upgrade mechanisms) and, by omission, what is excluded (e.g., front-end interfaces, oracle assumptions, third-party dependencies). A precise scope aligns auditor and client expectations and is the foundation for a thorough assessment.
02
Common Scope Gaps & Blind Spots
Critical vulnerabilities often reside in areas excluded from the initial audit scope. Common gaps include:
- Admin & Privileged Functions: Key management, multi-sig timelocks, and emergency pause mechanisms.
- Integration Points: Interactions with external oracles, bridges, and dependency contracts (e.g., token standards like ERC-4626).
- Upgradeability: Logic of proxy contracts, storage collision risks, and upgrade governance.
- Economic & Incentive Logic: Tokenomics, reward distribution, and slippage calculations that are often considered 'business logic' rather than security.
- Off-Chain Components: Front-end, relayer services, and backend keepers.
03
The Oracle & Dependency Problem
Smart contracts frequently rely on external data feeds (oracles) and imported libraries. If these dependencies are out of scope, the system's security depends on unverified external assumptions. For example, a lending protocol audited in isolation remains vulnerable if the price oracle it uses has a manipulable data source or a delayed update mechanism. Audits must either include these components or explicitly document the trust assumptions.
04
Scope Creep vs. Fixed Deliverables
Scope creep occurs when post-audit code changes or feature additions are not re-audited, invalidating the original security assessment. Conversely, a rigid fixed-scope audit may not cover vulnerabilities discovered in related code during the review. Best practice involves a clearly versioned codebase (e.g., a specific Git commit hash), a scope document, and a process for reviewing changes before mainnet deployment.
05
Multi-Stage & Continuous Auditing
For complex protocols, a single audit is insufficient. A multi-stage audit strategy is employed:
- Architecture Review: High-level design and threat modeling before code is written.
- Code Review: Line-by-line analysis of the implemented contracts.
- Post-Upgrade Review: Re-audit of any changes made after the initial report. Continuous auditing services and bug bounties help cover the evolving codebase and scope gaps in between formal engagements.
06
Reading an Audit Report: The Scope Section
The first section of a professional audit report details the scope. Analysts must verify:
- Repository & Commit Hash: The exact code version reviewed.
- Included Contracts: A list of every .sol file and its SHA-1 hash.
- Exclusions & Assumptions: Clear statements on what was not reviewed (e.g., 'Oracle price accuracy is assumed').
- Testing Methodology: Whether the audit included manual review, static analysis, fuzzing, or formal verification. The findings are only valid within this defined context.
AUDIT SCOPE
Frequently Asked Questions (FAQ)
Understanding the boundaries and focus of a smart contract security audit is critical for project teams and users. These questions address common inquiries about what an audit does and does not cover.
The audit scope defines the specific code, systems, and security properties that a security firm will review, typically including the core smart contracts, their dependencies, and the intended business logic. A formal scope document outlines the repository commit hash, the specific files and functions to be analyzed (e.g., Token.sol, StakingVault.sol), and the types of testing to be performed, such as manual code review, automated analysis, and functional testing. It explicitly excludes areas like front-end code, centralized backend servers, or economic model viability unless otherwise agreed. Defining a clear scope ensures the audit is focused, efficient, and sets proper expectations for what security guarantees are provided.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall