Smart Contract Audit Pricing: Per Line, Per Contract, or Per Risk?

Security leaders are starting to wonder: what's the best way to get assurance--should we go by the line of code, by the engagement, or focus on outcomes instead? Here’s a straightforward, number-focused guide to help you plan, negotiate, and effectively schedule smart contract audits for 2025-2026.

---

Why audit pricing strategy matters now

• It looks like losses are on the rise again. CertiK’s 2024 “Hack3d” report revealed that over $2.3 billion was stolen from a whopping 760 on-chain security incidents. Meanwhile, Chainalysis noted about $2.2 billion in crypto hacks for 2024, highlighting the ongoing risks that are still very much present. These eye-popping numbers are really pushing institutions to seek out reliable, audit-backed security signals. (globenewswire.com)
• These days, boards and DAOs are really leaning into having a solid security runway in place. That means they’re looking for a mix of pre-launch audits, ongoing assurance, and incident coverage. As a result, buyers find themselves juggling cost certainty on a per-contract basis with the breadth of testing they need from risk-based contests and the depth of checks on critical invariants, which might include some formal verification add-ons.

---

The three dominant pricing models

1) Per line (or “per module”) pricing

What it is

So, here’s the deal: we’re talking about quotes that are based on code size, like $/LOC or those brackets you often see, such as “<1k LOC” or “1-5k LOC.” This kind of approach is pretty popular among budget firms and some content-marketing standards, and you’ll find it in a lot of mainstream explainers too. While it can help you get a quick idea of what you might be facing, keep in mind that it’s not the best predictor of actual risk. Check out more on this over at techtarget.com.

Typical quotes in the wild:

• “For simple contracts, if you're looking at under ~1k lines of code (LOC), expect to pay in the low five figures. If you’re in the 1-5k LOC range, that can go up to about $50k. And for contracts with over 5k LOC, it could be anywhere from $50k to over $100k,” according to TechTarget’s industry roundup. (techtarget.com)

Why teams still think it’s a good idea:

• It really speeds up budgeting, especially when you’re still in the pre-MVP phase and mostly using standard libraries (like ERC-20/721) with only a little bit of custom logic.

Where it breaks:

• When it comes to complex risk, there’s not much connection to just counting lines of code. For instance, things like cross-chain messaging, oracle design, and upgradeability patterns can really mess with the numbers. Pricing based on lines can end up underestimating those intricate but brief contracts, while it might inflate the cost of standard boilerplate contracts. So, if you're using this for appearances when listing on exchanges, be careful! It's not a safe bet when dealing with new logic.

When to use:

• Do a "sanity check" on a floor budget for straightforward, well-structured scopes. Once that’s done, switch gears and use a more detailed model for anything that’s holding TVL or engaging with external protocols.

Emerging Adjustment

• A few buyers are taking those more advanced models and converting them into a “shadow” $/LOC for vendor comparison. However, they’re putting just as much emphasis on depth and coverage, rather than just focusing solely on the unit price.

2) Per contract engagement (time‑boxed or retainer)

What it is

Basically, you’re purchasing expert weeks from a specific team. The vendor promises to provide experienced professionals and dedicated time on the calendar. This setup is pretty standard for top-tier firms and trusted researcher networks.

Here are some real, up-to-date numbers you can use as a benchmark:

• OpenZeppelin’s ongoing security partnership for Venus is set for 24 weeks of research spread over six months, costing $554,400 (in USDC). This breaks down to about $23,100 per auditor per week. It’s a pretty unique public data point from a leading firm’s retainer deal. (community.venus.io)
• Spearbit’s proposal for Arbitrum outlined blended weekly costs of around $48,000 for a team of 4 to 5 people (including one lead, seniors, associates, and juniors). So, you might want to use ~$48k/week as a solid benchmark if you're looking at high-quality research teams. (forum.arbitrum.foundation)
• Quantstamp’s 2025 retainer with Venus proposed 450 “audit-hour” credits for $130,000, paid out over four months. That comes to about ~$289 per hour, with at least two auditors involved and fix reviews included. This can be really handy for converting quotes into hourly rates. (community.venus.io)

Why It’s Favored

• You get predictable planning and can work directly with specific engineers, making it a breeze to schedule those iterative fix-review cycles. Plus, there's solid credibility when it comes to working with institutional partners.

Caveats:

• Don’t forget to keep an eye on scope creep. Make sure you lock in those code freeze and remediation windows in the Statement of Work (SOW). Also, it’s a good idea to ask for the staffing mix--like what the senior to junior ratio will be--and get clarity on explicit deliverables, such as coverage notes, test artifacts, and re-audit counts.

Add‑on: Formal Verification Retainers

• Certora’s engagements approved by the DAO give us a solid idea of what you might expect to spend on continuous formal verification for larger protocols:
  • For Aave v4, they’re looking at a budget of $2.39M for about 4.5 full-time equivalents (FTEs) spread over the year (2025). That’s a pretty good benchmark if you're aiming for “enterprise-grade” invariants and rule writing on an actively maintained codebase. (governance.aave.com)
  • Looking back at some earlier proposals from Aave and Compound, they were quoting weekly professional service rates around $70k-$80k, with total annual costs landing somewhere between $1.5M and $3.4M. This info can really help you figure out where formal verification fits in your overall strategy. (governance.aave.com)

When to Use

• For complex DeFi projects, bridges, staking/validator workflows, upgradeable systems, or anything that involves customizable settings and governance features that need ongoing review and close collaboration with vendors.

3) Per risk (outcome‑based) pricing

What it is: You contribute to a prize pool or premium that rewards validated discoveries or helps with risk transfer, instead of paying for hours worked.

Two Concrete Options:

• Competitive audit contests (Code4rena, Zellic-run events, CodeHawks, etc.):
  • Public Budgets: You can find some significant numbers here: $200,000 for Size in 2024, $103,250 for GTE Perps in 2025, and quite a few contests fall in the $75k-$150k range. These figures are real procurement-grade datapoints that can help you figure out what to expect for prize pools. Check it out here.
  • Zellic’s Approach: They talk about a great deal where 96% of the "conditional" pool gets refunded if there aren't any High or Medium issues found. This means you primarily pay for actionable vulnerabilities, and judges' fees are separate. It's a solid pay-for-results model. More info can be found here.
• Exploit Cover/Insurance:
  • Sherlock's Offering: Sherlock provides audit-linked protocol cover, with premiums usually around 2.0% for public contests and 2.5% for private ones, based on the covered amount--up to $10M. The pricing depends on factors like risk, TVL, and audit history, which helps convert some of that lingering risk into a more manageable OPEX line. You can explore more here.

When to use:

• If you’re aiming for a wide range of reviewers and some creative tension after a structured review, or if you’re looking to offload catastrophic tail risk before going live on the mainnet.

Caveats:

• Contests can bring up a lot of issues, and sorting through them while keeping an eye on bandwidth can be a real challenge. Make sure to set aside some budget for internal engineering cycles and plan for at least one re-audit to handle those critical fixes. And when it comes to coverage, it’s super important to have clear definitions for things like “covered code,” triggers, exclusions, and who’s on the payout committees.

---

A side‑by‑side budget example (realistic 2025 scenario)

Your Scope:

• You’ll be diving into 7 contracts with around 2,200 lines of Solidity code. This includes some custom AMM math, fee routing, upgradability features, and handling oracle reads.
• Plus, you'll be working with external interactions related to an L2 bridge.
• The goal is to hit a Total Value Locked (TVL) of between $60 to $100 million in the first year.

Option A -- Per-contract time-boxed

• Target team: 3 seniors + 1 associate, working for 3 weeks
• Spearbit-like blended cost: About 3 weeks × $48k/week gives us roughly $144k
• Re-audit (1 week): Adds another $48k
• Total: Around $192k; this comes with solid teamwork and a dedicated crew. (forum.arbitrum.foundation)

Option B -- Hybrid: time‑boxed + outcome‑based

• Structured review: 2 weeks × $48k = $96k (let's tackle those critical issues first)
• Contest budget: Usually falls between $100k-$150k; judging can run you about ~$3k-$15k depending on the specs. For our model, let’s go with $120k + $10k = $130k
• Re‑audit pass: 1 week × $48k = $48k
• Total: Around $274k; this way, you’re covering both depth (with the structured review) and breadth (thanks to the contest).

Check it out for more details: (outposts.io)

Option C -- Retainer + Cover

• Quantstamp-style credits: You can snag 450 hours for $130k. Here’s the breakdown: allocate 300 hours before launch and save 150 hours for any upgrades or fixes down the line. This shakes out to about ~$289 per hour.
• Add Sherlock cover for post-launch protection. For instance, consider a $5M cover at around 2% per year, which brings you to approximately $100k. Don’t forget to tweak this based on total value locked (TVL) and your audit history.
• Total for year one: Roughly $230k, which includes a bit of risk transfer. Check out more details here.

Option D -- Formal Verification Add-On (Critical Invariants Only)

• For a focused FV sprint, expect about 2 to 3 weeks dedicated to writing rules and doing proof work at market benchmarks, costing around $70k-$80k per week. This means you’re looking at an extra $140k-$240k on top of A/B.
• This is especially useful when you're dealing with financial logic that has some tricky edge cases. Check it out here: governance.aave.com

Takeaway: When it comes to protocols that are actually moving real TVL, “hybrid” (B) is the way to go for the best coverage. It starts with structured depth, then checks contest breadth, and finally includes a targeted re-audit. Plus, you can throw in exploit cover to help limit any tail risk.

---

What actually moves your quote (and how to control it)

• Codebase Quality and Freeze Discipline: Keeping your repositories stable and well-documented can really speed things up--think 20-40% less time on the calendar. On the flip side, trying to refactor stuff in the middle of an audit can seriously drag things out, adding weeks to your timeline.
• External Dependencies: If you're dealing with bridges, oracles, and cross-chain messaging, you're widening your attack surface. Make sure to budget some extra time from senior developers or consider planning a focused FV sprint.
• Language and Ecosystem: When it comes to cost, Solidity on the EVM tends to be pretty reasonable. However, if you're venturing into Rust (like with Solana) or ZK circuits, be ready for a price hike because there’s less available expertise.
• Timeline Pressure: If you’re looking to get started in under two weeks, be prepared for a 20-50% premium on your costs. For top-notch vendors, it's smart to plan at least 4-8 weeks ahead. (blockchainappfactory.com)
• Re-audit Cycles: The more serious teams usually set aside budget for 1-2 re-audits, which can add about 10-30% on top of your base costs. If you haven't included that in your budget yet, definitely add it to your total cost of ownership (TCO). (hashultra.com)
• Continuous Monitoring and Incident Response: Some firms offer “always-on” security as part of their monthly retainers, which is something to consider. Pairing that with exploit coverage can really help keep loss volatility in check. (sherlock.xyz)

---

Market benchmarks you can cite to your CFO

• Security Loss Context: In 2024, about $2.3 billion was lost through 760 different incidents. That’s a big reason why exchanges and integrators are looking for solid audit trails these days. (globenewswire.com)
• Top-Tier Retainer Math: OpenZeppelin and Venus are teaming up, costing around $554,400 for 24 weeks, which breaks down to about $23.1k per auditor per week. (community.venus.io)
• Researcher-Network Weekly Cost: When it comes to Spearbit, you’re looking at roughly $48k a week for a team of 4-5 people. (forum.arbitrum.foundation)
• Credits Model: Quantstamp offers a deal with 450 hours for $130k, which comes out to about $289/hour, with a minimum of two auditors and fix reviews included. (community.venus.io)
• Contest Budgets: For 2024, the budget stands at $200k (Size), $103k (GTE Perps 2025), and several contests ranging from $75k to $150k; plus, Zellic’s 96% conditional pool primarily rewards validated High/Medium issues. (github.com)
• Exploit Cover Pricing: According to Sherlock, the pricing sits around 2.0%-2.5% of the covered amount (up to $10M), and it really depends on the risk, TVL, and audit history. (opencover.com)
• Formal Verification at Scale: Certora's agreements with Aave and Compound suggest that professional services can range from $70k to $80k weekly, with annual programs between $1.5M and $3.4M. Plus, there's a 2025 Aave v4 package priced at $2.39M for about 4.5 FTEs. (governance.aave.com)

---

Best‑in‑class sequencing (what the leading protocols do)

1. Pre-audit hardening (2-3 weeks internal)

• Time to get serious about fuzzing those critical paths, adding invariant tests, and turning on eventing for state changes. Don't forget to nail down your upgrade strategy and lock in a code freeze. This will help boost the signal-to-noise ratio for your external auditors.

2) Structured Audit with a Named Team (2-4 Weeks)

• Bring on 2-3 senior reviewers who can collaborate with you to design test scenarios. You should anticipate having to go through some quick feedback loops for fixes and a focused re-audit afterward.

3) Competitive contest (10-20 days)

• Set up a prize pool that fits your risk tolerance (these days, a pool of $100k-$200k is pretty standard for serious protocols). Make sure you've got a solid judging spec in place. This not only broadens your coverage but also helps to uncover those "quirky" attack paths that more structured reviews might overlook. (github.com)

4) Re-audit pass and launch gating

• Make sure we’ve got “all Highs addressed and Mediums either mitigated or accepted.” Keep track of this in a public changelog for our partners and integrators.

1. Post-launch risk cap

• Grab some exploit coverage that matches your launch Total Value Locked (TVL), like in the range of $5M-$10M with an annual premium of about 2%. As your TVL increases and your security gets stronger, you can scale up your coverage. (opencover.com)

6) Continuous Assurance

• Make sure to have a credit or retainer buffer ready for upgrades and emergency responses. You could set this up as a credits pool--think Quantstamp style--or go for a weekly allocation under a longer retainer, like OpenZeppelin does. Check out more about it here.

---

How to choose the right model for your stage

• Before reaching PMF, with low TVL (less than $1M): Start by using a small per-line/per-module quote to establish a baseline. However, lean towards a quick, time-limited review by a specific senior member. It’s also a good idea to run a targeted micro-contest (with prizes between $25k and $50k) before hitting the mainnet.
• Growth-stage DeFi (aiming for a TVL of $10-$100M): We're looking at a hybrid model here. First off, plan for a structured audit lasting about 2-3 weeks, followed by a re-audit. After that, kick off a contest that runs for 10-20 days with a prize pool of $75k-$150k. To give yourself a safety net, consider adding $5M-$10M in coverage for the first 90-180 days after launching. Check out more details at (outposts.io).
• Enterprise/DAO with regular upgrades: Set up a retainer plus formal verification. Plan for quarterly check-ins with specific researchers; leverage formal verification to validate invariants related to liquidation, accounting, or cross-chain settlement. Aim for a budget of about $48k per week for researcher networks, and $70k-$80k per week for focused formal verification sprints. (forum.arbitrum.foundation)

---

RFP checklist that gets you better quotes

Include these in your request to cut down on padding and take on tougher teams:

• Scope artifacts:
  • We need to cover the threat model, the invariants we want to keep intact, the admin model (like EOA vs Safe), the upgrade pattern (whether it’s UUPS, Transparent, or Beacon), and the external call graph (think bridges, oracles, and routers).
• Code hygiene:
  • Let’s make sure we have tests that cover everything, fuzz seeds for those tricky edge cases, a reproducible Foundry/Hardhat setup, deployment scripts, and a stable tag or commit to work from.
• Deliverables you expect:
  • I’m looking for named team members with the right seniority, a thorough manual review process, a list of tools (you know, Slither, Echidna, fuzzers, and any custom harnesses), the exact number of re-audit passes, and a complete artifact set that includes PoCs, coverage notes, and differential reports.
• Contest spec (if applicable):
  • We should clarify the severity rubric, how we’ll handle duplicates, the PoC requirements for High and Medium severity, the reproduction environment, and who’s judging.
• Post-launch:
  • Let’s outline the cover options and what’s excluded, the incident response SLA, and a set number of credits or hours for reviewing any hotfixes.

---

Negotiation tactics that actually work

• Convert quotes to common units:
  • Change everything to auditor-weeks or $/hour equivalents (like, for example, Quantstamp credits are about $289/hour) so you can really compare apples to apples without just looking at raw LOC. (community.venus.io)
• Fix the re-audit ambiguity:
  • Make sure to include 1-2 re-audit passes in the SOW along with turnaround SLAs that are linked to your launch gate.
• Calendar, not just cost:
  • Be aware that top vendors often book out weeks ahead of time. If you can sync up with their available slots (and commit to a hard freeze), you might be able to swap some time flexibility for a better price or more experienced staff.

---

Frequently asked buyer questions, answered with data

• “Is a single audit enough?”
  Definitely not for high-impact systems. Regular public reviews show that vulnerabilities often slip by in one audit but get flagged when different methods are used (think adversarial approaches versus a thorough structured audit). These contest budgets, usually between $100k-$200k, have become a standard layer for serious launches. (github.com)
• “How much should we budget before mainnet launch?”
  If you're aiming for a total value locked (TVL) of over $10 million in the first 90 days, it's pretty standard to set aside around $200k to $300k for audits, contests, and any necessary re-audits. This approach is not only reasonable but also reassuring for potential investors and partners. Don’t forget to use retainer credits for any post-launch fixes that might come up. (forum.arbitrum.foundation)
• “Do we really need formal verification?”
  Use it wisely. If your value growth hinges on some tricky accounting or math--like in AMMs, lending, liquidations, or interest rate models--then investing a couple of weeks in a formal verification sprint to validate those invariants can really pay off. And if you're dealing with constant changes on a big scale, check out what DAO-level FV programs, like Aave and Compound, are doing. You can find more about it here.
• “What’s the deal with insurance or coverage?”
  With products like Sherlock’s, you can snag discounts when you have completed audits and a clean record. Just budget about 2% of the covered TVL (and remember, it’s capped!). Make sure to read through those triggers and exclusions thoroughly. While it’s no replacement for solid engineering, it does help manage tail risk. Check it out here: (opencover.com)

---

Putting it together: a 6‑step, risk‑adjusted buying plan

1. Get ready for the audit: Make sure you have a solid freeze, set up those invariant tests, and jot down any external dependencies.
2. Schedule a dedicated team for 2-3 weeks: Make sure to include one re-audit in the Statement of Work (SOW).
3. Host a contest for 10-20 days ($75k-$150k) with a clear spec and required Proofs of Concept (PoCs) for High/Medium. Check out this link for more info: (outposts.io).
4. Launch only after fixing all High vulnerabilities and addressing Medium ones: Once that's done, don't forget to publish your changelog!
5. Invest in $5M-$10M exploit coverage for 3-6 months: Keep an eye on those premiums as your Total Value Locked (TVL) changes. You can find more details here: (opencover.com).
6. Have a credit/retainer buffer ready: Aim for around 150-300 hours for upgrades and incident response. Check out more about it here: (community.venus.io).

---

Key sources you can reference in your board memo

• Losses context (why this spend matters): In 2024, the CertiK Hack3d report revealed a staggering $2.3 billion lost due to scams and hacks, while Chainalysis reported around $2.2 billion in losses as well. You can check it out here.
• Retainer/time-boxed pricing: OpenZeppelin teamed up with Venus for a solid deal--$554.4k for 24 weeks. On the weekly front, Spearbit's blended costs run at about $48k. Plus, Quantstamp is offering credits for 450 hours at $130k. You can dig deeper into this here.
• Outcome-based pricing: Check out Code4rena's public prize pools, which total $200k, with additional pools of $103k and $75k+. There's also Zellic’s conditional pool to consider. More info can be found here.
• Formal verification at scale: Certora offers weekly and annual rates, plus DAO approvals from projects like Aave and Compound. You can explore this further here.

---

Final word

There isn’t just one “right” way to handle audit payments, but the order you follow can really depend on your risk situation. For anything with real capital at stake, think of per-line quotes as your starting point. From there, grab a dedicated team for more in-depth coverage, add an adversarial contest to widen your perspective, and finally, protect yourself against any leftover risk with extra coverage and credits. This is how the top teams in 2025 are turning their security budgets into more reliable launches--while steering clear of those unwanted headlines. (forum.arbitrum.foundation)

---

7Block Labs: Your Go-To for Practical Solutions

At 7Block Labs, we’re all about helping founders and businesses bring their ideas to life. Whether it’s making sure your engineering is audit-ready, picking the right vendors, crafting contest specs, handling procurement, or being on standby for incident response, we’ve got your back. If you’re looking for another perspective on your project’s scope and budget, just reach out--we’re here to lend a hand!