What is Audit Coverage? Why does it matter?

The role of cybersecurity in Web 3.0 cannot be overstated, especially in a bear market. Investors already lose money to falling prices and fear additional losses from security incidents. That is why crypto traders and investors try to allocate their assets to projects that do not neglect basic security practices.

CER.live specialists have assessed the security of Web 3.0 players and, based on the findings, have compiled two separate ratings: a security rating of crypto exchanges and the recently released security rating of cryptocurrencies. Each cryptocurrency receives its own security score based on the analysis of a defined set of indicators. The security score answers the question “How secure is this project?”.

The results of the cryptocurrency security reviews are integrated into CoinGecko and Baserank. One of the main criteria CER.live evaluates is Audit Coverage.

What is audit coverage?

Audit coverage is the criterion indicating what share of a project’s elements has been covered by platform audits. Most projects consist of much more than a single element: one project may include swap, farming, staking, lending, lottery and other modules, each with its own set of contracts.

Audit coverage ranges from 0% to 100%: the more elements are covered by audits, the higher the result. The percentage is then converted into points:

  • 100% – 10
  • >50% (but below 100%) – 8
  • 50% – 5
  • <50% (but above 0%) – 3
  • 0% – 0

Depending on the project type, the weight of audit coverage in the final security score varies between 0.2 and 0.3.

Example: Venus Protocol

Venus Protocol (Venus) is an algorithmic money market system designed to bring a complete decentralized lending and credit system to Binance Smart Chain. According to CoinGecko, the market capitalization of Venus is above $65M.

Venus has a CC security rank. The project has no ongoing bug bounty program, and there have been hacks in its history: according to the Rekt Database, Venus Protocol experienced two security incidents, in May 2021 ($77M lost) and in May 2022 ($1.35M lost). Both incidents were exploits.

Venus Protocol has token and platform audits as well as insurance. However, the platform audits do not cover all elements, so audit coverage equals only 80%.

Let’s analyze the latest platform audit of Venus, performed by PeckShield. Opening the audit report, we see that the audited components are listed under commit “ec22556”, so the audit scope is pinned to that snapshot of the repository.

Link to the repository with the audited files: https://github.com/hyperbch/venus-protocol/tree/ec2255691e275b86061e793145fdc30230c5a1c9/contracts

At the same time, the list of all components used by the project is available at: https://github.com/hyperbch/venus-protocol/tree/ec2255691e275b86061e793145fdc30230c5a1c9/contracts

Comparing the two lists, 28 of the 88 files are not covered by the audit. Weighted by scope (the project’s functional elements rather than raw file count), this corresponds to 20% of elements being unaudited, which is why audit coverage is 80%.
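The comparison above can be scripted. The following is an added example, not CER.live’s tooling and not code from the Venus repository: it takes the set of contract files in the repository tree and the set of files named in the audit’s scope, computes the covered share, reports scope entries that no longer exist in the tree (a sign that the scope is pinned to an older commit), and converts the percentage to points using the scale given earlier. The file names are constructed to match the element types mentioned above (swap, farming, staking, lending, lottery) and are not Venus contracts; the optional `git ls-tree` helper is the standard way to list files at a pinned commit and needs a local clone.

```python
"""Audit coverage calculator (added example, not CER.live's or Venus's code).

Inputs are two path lists: every contract in the repository tree and every
contract named in the audit report's scope. The sample lists are constructed.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field
from typing import Iterable


def normalize(path: str) -> str:
    """Make paths comparable: forward slashes, no leading './' or '/'.
    Assumption: both lists are relative to the same directory (e.g. contracts/)."""
    p = path.strip().replace("\\", "/")
    if p.startswith("./"):
        p = p[2:]
    return p.lstrip("/")


@dataclass
class CoverageResult:
    total: int                      # contracts in the repository tree
    covered: int                    # of those, how many the audit scope names
    unaudited: list[str] = field(default_factory=list)    # in tree, not in scope
    stale_scope: list[str] = field(default_factory=list)  # in scope, not in tree

    @property
    def percent(self) -> float:
        return 100.0 * self.covered / self.total if self.total else 0.0


def audit_coverage(all_files: Iterable[str], audited_files: Iterable[str],
                   suffix: str = ".sol") -> CoverageResult:
    """Share of contract files (selected by suffix) that the audit scope covers.
    Only files present in the tree count toward the denominator; scope entries
    absent from the tree are reported separately and never counted as covered."""
    tree = {normalize(p) for p in all_files if p.endswith(suffix)}
    scope = {normalize(p) for p in audited_files if p.endswith(suffix)}
    return CoverageResult(
        total=len(tree),
        covered=len(tree & scope),
        unaudited=sorted(tree - scope),
        stale_scope=sorted(scope - tree),
    )


def coverage_points(percent: float) -> int:
    """CER.live scale: 100% -> 10, >50% -> 8, 50% -> 5, <50% -> 3, 0% -> 0."""
    if percent >= 100:
        return 10
    if percent > 50:
        return 8
    if percent == 50:
        return 5
    if percent > 0:
        return 3
    return 0


def git_tree_files(commit: str, subdir: str = "contracts", repo: str = ".") -> list[str]:
    """List files under `subdir` at a pinned commit (needs a local clone).
    Paths come back relative to the repo root, i.e. prefixed with `subdir/`,
    so strip that prefix before comparing with a scope list that omits it.
    Not used by the sample run below, which works on the constructed lists."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "--name-only", commit, "--", subdir],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample input, modelled on the element types named in the article.
REPO_TREE = [
    "./Swap/Router.sol", "Swap/Pair.sol",
    "Farming/Farm.sol",
    "Staking/Pool.sol",
    "Lending/Market.sol", "Lending/InterestModel.sol", "Lending/Oracle.sol",
    "Lottery/Lottery.sol", "Lottery/RandomSource.sol",
    "Governance/Timelock.sol",
    "README.md",                      # not a contract, ignored by the suffix filter
]

# Constructed audit scope: the lottery module is missing, and one entry names a
# file that no longer exists in the tree (scope pinned to an older snapshot).
AUDIT_SCOPE = [
    "Swap/Router.sol", "Swap/Pair.sol", "Farming/Farm.sol", "Staking/Pool.sol",
    "Lending/Market.sol", "Lending/InterestModel.sol", "Lending/Oracle.sol",
    "Governance/Timelock.sol",
    "Lending/OldOracle.sol",
]


if __name__ == "__main__":
    r = audit_coverage(REPO_TREE, AUDIT_SCOPE)
    print(f"{r.covered}/{r.total} contracts audited = {r.percent:.0f}% "
          f"-> {coverage_points(r.percent)} points")
    print("unaudited:", r.unaudited)
    print("in scope but not in tree:", r.stale_scope)
```

On the constructed input the script reports 8 of 10 contracts covered (80%, 8 points), names the two lottery contracts as unaudited, and flags `Lending/OldOracle.sol` as a scope entry that the current tree no longer contains. That last list is the one to check first when a project advertises an audit: a scope that names files the repository no longer has is a scope that was written against different code.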

Why does audit coverage matter?

The mere availability of a platform audit says nothing about security on its own. Only when all, or at least the majority, of a project’s elements are covered by an audit can the project be viewed as secure for users. Using the audit coverage indicator also prevents manipulation by projects that simply place a reputable security vendor’s logo on their website without any further information: users then cannot tell what the audit covered, or whether its findings are relevant to the code actually deployed.

That is why, under the CER.live cryptocurrency rating methodology, audit coverage is among the most important indicators of a project’s security.
