Credora is proposing an enhancement to the audit quality evaluation framework within the Smart Contract Custody Sub-Methodology. The current methodology adjusts a protocol’s Probability of Default (PD) based on the number of audits and the presence of bug bounty programs, without evaluating the depth or quality of the audits themselves. This enhancement introduces a structured framework to score audit content and remediation behavior, enabling more refined and differentiated risk assessments.
Current Framework
Under the existing model, adjustments to a protocol’s base PD are driven by:
- Audit Count: Number of completed formal audits
- Bug Bounty Program: Strength and funding of public bounty incentives
- Protocol Maturity: Time since deployment or most recent unaudited upgrade
While effective for establishing directional adjustments, this model does not capture qualitative differences across audit reports or account for risk-reducing behaviors documented within them.
Proposed Enhancement: Audit Scorecard Evaluation
To address this gap, Credora has developed a standardized scorecard methodology to assess the strength and thoroughness of completed audits. Each audit report is evaluated across the following nine dimensions:
- Audit Scope Completeness: Assesses whether the audit covered the full codebase and used varied methods (manual review, fuzzing, formal verification).
- Codebase Maturity & History: Evaluates the audit’s description of how long the codebase has been under development and whether it shows a history of iterative improvement.
- Developer Accountability: Measures transparency and track record of the development team, including whether roles are clearly defined and access is controlled.
- Test Coverage & Methodology: Assesses the extent and rigor of the test suite supporting the protocol, including use of integration tests, fuzzing, or invariant checks.
- Math Soundness & Oracle Use: Evaluates the presence of mathematically complex logic, correctness of calculations, and robustness of oracle design and integration.
- External Dependency Risk: Reviews reliance on third-party protocols or infrastructure, with attention to whether dependencies are audited and validated.
- Critical Bug Handling: Assesses whether high and critical issues were resolved or left open, and how effectively findings were remediated.
- Documentation & Commenting: Measures the clarity and completeness of the system’s technical documentation, including inline code comments and architecture diagrams.
- Decentralization & Upgrade Risk: Evaluates the protocol’s governance structure and ability to resist centralized control or unauthorized upgrades.
Each category is scored on a defined 0–3 scale, with standardized selection labels to ensure consistency across reviewers and protocols.
Integration with Protocol-Level PD
The enhanced scorecard will be incorporated into the Smart Contract Custody Sub-Methodology as part of the PD calibration process. Rather than relying solely on audit quantity and maturity, this enhancement enables the PD adjustment to reflect:
- The number of audits completed and the depth and quality of each audit, as measured using the framework
- The maturity of the protocol, including time since deployment and upgrade cadence
- The presence and strength of bug bounty programs
This shift is designed to produce a differentiated protocol-level PD that more accurately reflects exploit risk. It also ensures that high-scoring audits are rewarded, while limiting protocols’ ability to gain excessive credit from audit count or age alone.
Next Steps
Credora welcomes feedback from protocol teams, auditors, and risk professionals on:
- The nine evaluation dimensions and their definitions
- The balance of inputs considered in adjusting protocol PD
Join the conversation on the forum to shape how audit evaluation evolves within Credora’s rating methodology.