Developer Resources: So, you need a Clarity smart contract audit...
by Mitchell Cuevas on February 16, 2022
There are many reasons you might need a smart contract audit ranging from peace of mind, to satisfying the terms of your funding, to fulfilling a requirement from a potential partner. The reality is most builders stand to benefit from an audit of some kind and we generally recommend seeking one out, particularly for applications that will be handling large amounts of user funds.
As audits are widely needed and can initially be quite daunting (especially early in the progression of an ecosystem), the Stacks Foundation facilitates a number of important activities to ensure resources are available. We’re covering these below so you know what’s available and will happily update this post if you flag other great resources you’ve found.
Training of top auditors
To support the growing demand for smart contracts for Bitcoin, we’ve trained some of the top auditors in the industry on Clarity. We’re honored to have NCC, Least Authority, and Coinfabrik playing a critical role in the Stacks ecosystem and are thankful they’re already hard at work with many Stacks teams. These providers offer the formal third-party audits that exchanges or other high-profile partners often require.

We’ve also trained Tintash, which provides basic audits and has a number of great smart contract developers available for hire. We’re also aware of ZeroF which provided an audit for Arkadiko.
Written and audited ‘template’ contracts
In addition to writing or helping others write key smart contracts such as PoX Lite (used by CityCoins), and more recently, the Executor DAO from Marvin, we have also written and collected a number of simple template or ‘starter’ contracts and had them audited by CoinFabrik. You can find and fork them here.
Grants for contracts and audits
In cases where a smart contract may be broadly useful to the community, the grants program can provide an audit to ensure it is safe to use. This would most likely happen when there is a strong signal from a number of builders who want to use a particular smart contract. Further, when it comes to solutions like bridges or oracles that many in the network will likely use, we deploy capital and engineering resources to ensure these solutions are built by qualified individuals or organizations and that all smart contracts are audited.
Informal reviews
When possible, we’ve been happy to support informal code reviews, provide input on overall architecture, and generally be a technical sounding board for builders. This can take many forms, but the basic idea is getting as many additional eyes from experienced builders on your code as possible. An informal review is often a high-level look at the code to spot possible structural issues and to provide feedback on code design choices. These are not a suitable replacement for a formal third-party audit.

As the ecosystem grows, our capacity to do these reviews in-house is more limited, and we are shifting our focus to supporting reviews for larger grant projects or other high-use contracts and infrastructure rather than individual teams.
Matchmaking, community reviews
Beyond our own informal reviews, we are very often able to help projects source a great community developer or other resource to help. You can always reach out to [email protected] for guidance, or reach out to the community directly in Discord. We’ll avoid putting specific names here, but when you reach out we’ll get a feel for your need and make appropriate introductions.
Stacks Clarity Resident
We’re looking for a full-time Clarity resident if you know someone that would be a good fit. With this person focused on Clarity resources and education full-time, a lot more resources would open up for builders very quickly. We imagine this person overseeing Clarity Universe, providing insight to teams early on, and generally being the go-to steward for this emerging language.
So, how do you get the audit process started?
That’s easy! You are free to reach out directly to NCC, Least Authority, Coinfabrik, Tintash, or others you can find that provide Clarity auditing services. Alternatively, we are always happy to make a warm introduction to any of the teams we have relationships with. You can email [email protected] with your audit needs and we’ll happily facilitate a connection.

We also recommend you ask fellow builders which resources they recommend; we imagine that as demand continues growing, more and more agencies will provide services for Stacks builders.
Audit Pro Tips:
  • Schedule an audit well before you need it (providers work months out!)
  • Work with the community to review code beforehand and get the simple stuff fixed so that auditor feedback (which is expensive!) can remain focused on the most complex aspects of your applications.
  • Remember you can incentivize the community and others to help you with reviews, either with bounties, direct payments, or your project’s tokens. These actions could end up saving you thousands when the formal audits come and millions if you catch bugs or vulnerabilities before launch.
  • After addressing issues from your audit, publish the results to your blog or website. Whether you realize it or not, many users and partners look for an audit before engaging — don’t count on them to request it; you could silently miss an opportunity by not making it public. Plus, publishing the results allows other builders to learn from you and save time.
What the Stacks Foundation does not support
We do not provide formal audits, and this is not an area we plan to ever bring in-house, for a couple of main reasons:
  • Typically a key outcome of an audit is the ‘stamp of approval’ from a highly respected group such as NCC, Least Authority, and others. An audit from the Stacks Foundation would likely never be viewed as unbiased enough to satisfy partners looking to reduce their risk, and we do not have a proven track record in this area that the broader industry would respect in the same way as a dedicated professional group.
  • We believe our time is best spent training new auditors and creating Clarity resources like Clarity Universe. We could very easily spend our entire engineering bandwidth on auditing given current demand and would never be able to increase the availability of auditors or other important resources.

Mitchell Cuevas leads various partnership and growth marketing efforts at the Stacks Foundation. He's spent the last decade working in community-driven high-growth startups.