Smart Contract Audit Report

The written deliverable of a smart contract audit, ranking each finding by severity with reproduction steps and remediation guidance.

A smart contract audit report is the written output of an audit. It is the document your community, your investors, and (sometimes) your regulators will read to decide whether the protocol is safe to use.

A credible report contains:

  • A scope statement: which contracts, which commit hash, which functions, and what was out of scope. Read this first. Most exploit post-mortems trace back to something the audit explicitly excluded.
  • A methodology section: manual review by named senior auditors, the automated tooling used (Slither, Mythril, Echidna, Foundry invariants), and the threat model the auditors built.
  • Findings, ranked critical → high → medium → low → informational, each with: description, impact, attack scenario, code reference, severity rationale, remediation guidance, and a status field updated after the re-audit.
  • Re-audit results: which findings were fixed, which were partially fixed, which were accepted as out-of-scope risks.
  • An executive summary for non-technical stakeholders.

Three quality signals to look for:

  1. Specific findings, not generic best-practice recommendations.
  2. Proof-of-concept exploit code for high-severity findings.
  3. A public-summary section that the protocol can publish. Credible auditors don't gate this.

Reading audit reports critically is a skill: see our guide on how to read one without being misled.
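An added example, not code from this page or any auditor: a small checker for the finding structure and quality signals listed above, applied to a constructed sample report (placeholder commit hash, hypothetical contract paths and finding ids; the field and status names are assumptions).

```python
# Added example: validate findings against the structure described in the entry.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]
REQUIRED = ("description", "impact", "attack_scenario", "code_reference",
            "severity_rationale", "remediation", "status")
STATUSES = {"fixed", "partially fixed", "accepted risk", "open"}  # assumed names

def check_finding(finding, scoped_contracts, commit):
    """Return the problems with one finding; an empty list means it passes."""
    problems = [f"missing {k}" for k in REQUIRED if not finding.get(k)]
    sev = finding.get("severity")
    if sev not in SEVERITY_ORDER:
        problems.append(f"unknown severity {sev!r}")
    # Quality signal 2: high-severity findings ship with proof-of-concept code.
    if sev in ("critical", "high") and not finding.get("poc"):
        problems.append("no proof-of-concept for high-severity finding")
    # A code reference is "path@commit"; it must point inside the stated scope
    # and at the audited commit, otherwise the finding cannot be reproduced.
    path, _, ref_commit = (finding.get("code_reference") or "").partition("@")
    if path and path not in scoped_contracts:
        problems.append(f"{path} is outside the stated scope")
    if ref_commit and ref_commit != commit:
        problems.append("code reference is not at the scoped commit")
    if finding.get("status") not in STATUSES:
        problems.append(f"unknown status {finding.get('status')!r}")
    return problems

def check_report(report):
    """Map finding id -> problems, also flagging findings out of severity order."""
    scope, contracts = report["scope"], set(report["scope"]["contracts"])
    result, last_rank = {}, -1
    for f in report["findings"]:
        probs = check_finding(f, contracts, scope["commit"])
        rank = last_rank
        if f.get("severity") in SEVERITY_ORDER:
            rank = SEVERITY_ORDER.index(f["severity"])
        if rank < last_rank:
            probs.append("findings are not ordered critical -> informational")
        last_rank = max(last_rank, rank)
        result[f["id"]] = probs
    return result

# Constructed sample: placeholder commit, hypothetical contracts and findings.
COMMIT = "COMMIT_PLACEHOLDER"
def _finding(fid, sev, ref, **extra):
    base = {k: f"{fid} {k}" for k in REQUIRED}
    return {**base, "id": fid, "severity": sev, "code_reference": ref,
            "status": "fixed", **extra}

SAMPLE_REPORT = {
    "scope": {"commit": COMMIT, "contracts": ["src/Vault.sol"]},
    "findings": [
        _finding("C-01", "critical", f"src/Vault.sol@{COMMIT}", poc="test/C01.t.sol"),
        _finding("M-01", "medium", f"src/Vault.sol@{COMMIT}"),
        _finding("H-01", "high", f"src/Router.sol@{COMMIT}"),  # out of scope, no PoC
    ],
}
```

Running `check_report(SAMPLE_REPORT)` passes C-01 and M-01 and flags H-01 three times: no proof of concept, a code reference outside the scoped contracts, and a high finding listed after a medium one.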
