Audit Competitions Beat Private Audits on Every Metric That Matters
TL;DR
We read every public audit report from three top firms: Trail of Bits, Zellic, and OpenZeppelin. 1,178 reports in all. The median audit finds zero critical or high vulnerabilities, half find none at all, and the average is roughly 1.5 serious bugs per engagement.
Immunefi’s 58 audit competitions found 159 deduplicated unique criticals and 361 critical-and-high findings. That is 5% as many engagements producing 20% as many serious findings: 6.2 per competition against 1.5 per audit, 4x the rate. The median competition finds two serious bugs; the median tier-1 audit finds zero.
A critical/high vulnerability costs $6,548 to find in a public audit competition, roughly $66K in a T1 private audit, and $24.5M on average once an attacker finds it first.
Audits still earn their place for architecture and design review. But for the most bugs found per dollar before launch, an audit competition wins on every metric: critical vulnerabilities found, total vulnerabilities found, and cost per vulnerability. And that advantage compounds: roughly 93% of crypto’s critical disclosures flow through Immunefi, so we track the attack frontier from a live daily feed while every competitor works from an outdated snapshot.
You’re a crypto protocol founder. You have a launch date, a finite security budget, and a question you want answered: if I buy this audit, am I actually safe?
In 2025, audited protocols kept landing in the exploit headlines. Balancer was reviewed eleven times by four of the best firms in the industry, its vault contract three times over, and still got drained for $128M in November. Being audited and being safe are not the same thing.
Let’s say you have $150K and a codebase that’s about to hold real money. You can hand it to a top firm for a single, fixed-fee engagement and get 2-5 people reading your code. Or, you can run an audit competition, put up $150K as the prize pool, and get two hundred researchers reviewing your code.
I’ve watched both outcomes play out hundreds of times, because I run Immunefi: the leading crowd security platform for blockchains, protecting over $180B of user funds. And right now, audit firms steer founders toward the first option (bespoke), when the data says the second (audit competitions) has vastly better ROI.
It’s the most expensive mistake we’re making in crypto security today with increasingly severe risks: attackers are getting faster every month, while projects are pushed toward less effective audit formats. In 2026, the only defense that keeps up is one that moves at AI speed, which is the crowd.
Two auditors, or two hundred researchers.
The only honest way to compare security spend is return on investment against real hack risk: how much real risk each dollar removes, and how fast. Three numbers measure that risk:
how many serious bugs the code review format tends to find; does the review find the criticals you need?
how much of your code the code review format can cover in the window you have before you ship; how close can you get to all critical vulnerabilities being found?
what each vulnerability costs you to find, per vulnerability; how much did the entire review process cost you?
On all three, audit competitions win decisively: on cost by ten to one, on coverage by an order of magnitude, and on serious bugs by four to one per engagement. Here’s how they rank according to each point.
1. Audit competitions find far more bugs
Let’s start with what the firms actually find. We read every audit report Trail of Bits, Zellic, and OpenZeppelin have ever publicly published. All 3 are genuinely T1 audit firms; if we were looking for a T1 auditor, we would confidently entrust our code to Zellic. Together, that’s 1,178 audit reports in total, from which we counted findings against each report’s own executive summary. That counts every review each firm has published, web3 and beyond, including follow-up fix reviews where firms publish them separately. If anything, that is generous to the firms.
We used every Trail of Bits audit published on their github here.
For Zellic, we used all reports published on their github here.
For OpenZeppelin, we used every public audit report they have published.
Trail of Bits, across all 433 reviews they have ever published: a median of zero critical-or-high findings, and half finding none.
Zellic: 386 published reports. The median report finds zero criticals or highs... not a few, but zero. 52% of reports found no critical or high at all.
OpenZeppelin: 359 published reports, and the same pattern again. Median of zero, 52% finding no critical or high.
Immunefi: 58 audit competitions. The median competition finds two critical-or-high bugs, not zero. 71% surfaced at least one serious finding, and more than half turned up a critical.
Notice two things about that table.
First, every median is zero, at all three tier-1 firms. More than half of all published tier-1 audits surface no critical or high finding at all. Not a below-average report. The typical audit report.
Second, notice how tightly the three firms cluster. Different firms, different report formats, different severity taxonomies, and they all land between 1.3 and 1.7 serious findings per report. This is not a verdict on any one firm’s skill; it is the ceiling of the format itself. Assign 2-5 people to a codebase for a fixed window, and roughly a bug and a half is what the model produces, no matter which Tier-1 logo is on the report. You cannot fix that by shopping for a better firm. You can only fix it by changing the audit format.
Across 1,178 tier-1 audit engagements combining all three firms, the median engagement found zero critical or high-severity issues. Half found none, and the average serious-finding rate was about 1.5 per engagement. We get to 1.5 by dividing the 1,789 critical and high findings by the 1,178 total engagements across all three firms.
The typical published audit report from the most respected audit firms in crypto finds no critical vulnerability at all. That’s the baseline you’re paying six figures for. And these are the reports the firms chose to make public (their best-looking work?).
Now let’s look at Immunefi’s Audit Competitions: across 58 finished competitions, researchers surfaced 159 unique criticals and 361 unique critical-and-high findings. That is 6.2 serious findings per competition, 4x the firms’ per-engagement rate. Compared with the full 1,178-engagement dataset, competitions were about 1/20th as many engagements, yet produced 20% as many serious findings.
And here is the line that matters most. The median tier-1 audit finds zero serious bugs. The median Immunefi competition finds two.
More than half of all competitions find at least one critical, and the ones that do average five. Across the firms’ 1,178 reports, only 16% surfaced even one critical. One report in six, against more than one competition in two.
The single best report in that entire 1,178-audit dataset found 21 critical-and-high issues. One Immunefi competition on a $100K pool found 43, double the best report any of the three firms has ever published. Roughly 1 audit firm engagement in 14 reaches what the average Immunefi competition finds.
And unlike a private audit, you don’t have to take our word for any of this. Immunefi publishes every audit competition report: every finding, every severity, every payout, public. The numbers in this piece are numbers you can check yourself, which is more than a firm handing you a curated highlight reel can say.
Audit competitions find more bugs, and it’s not close.
2. Audit competitions cover more code in the time you have
This is the dimension everyone underrates, and in my view the most valuable.
An audit assigns 2-5 people to your code for a fixed engagement. What they can realistically code review in that time is your ceiling on code coverage.
A competition runs in the same kind of window and fills it with hundreds of researchers working in parallel. Recent Immunefi audit competitions each drew 952, 943, and 1,415 submissions. The strongest submitters are literally and verifiably the best hackers alive, with leaderboard histories that prove they’ve found real critical vulnerabilities in live protocols, post-audit. They aren’t assigned to you; they show up because they think they can find something the others can’t, and the reward pool incentivizes exactly that.
And they no longer work by hand. Immunefi’s security researchers all run their own AI harnesses, reading unfamiliar codebases and writing proof-of-concept exploits in minutes and hours where it once took days and weeks. Alongside them, competitions now field dozens of autonomous AI vulnerability-hunting systems, agents trained and hardened on bug bounty programs, the highest-stakes security environment that exists. They read your code in parallel with the humans, and they don’t get tired, bored, or out of time. You’re getting hundreds of AI-augmented humans, vulnerability-hunting cyborg whitehats, each running a different workflow, each with a different instinct for where bugs hide, plus the world’s largest fleet of AI hunters, all pointed at your code at once.
You aren’t buying two auditors. You’re buying all the best security researchers alive. And these are the people defining the security frontier, the state-of-the-art. The newest techniques surface in their submissions first, so the moment offense evolves we see it on live code, before it is ever turned on a protocol. A fixed team of four is only as current as the day their engagement began. Immunefi’s crowd is as current as this morning, giving you a live feed from the bleeding edge of security knowhow and attacker craft.
The competition delivers far more coverage depth per calendar week, just by virtue of the sheer volume of attention. Moreover, a firm paid a fixed fee has no reason to dig past the due date, while a security researcher paid per finding often keeps going after the pool is empty, running his agents on the codebase in anticipation of their future bug bounty program. He may monitor their pull requests and security posture indefinitely, in the interests of future bounties.
Finally, a single protocol can touch smart contracts, bridges, oracles, MEV, liquidations, governance, staking, restaking, cross-chain messaging, token accounting, and economic design. No 2-5 person team is equally expert across all of it. Some part of that stack is always your reviewers’ weakest area, and you don’t get to know which part until something gets exploited.
But an Immunefi audit competition practically guarantees the world’s best niche specialists your code needs are already hunting on it, matched to the exact module where their expertise pays off.
Coverage is what buys you conviction that you are, truly, as safe as you can be. When 100+ researchers independently converge on the same critical, that convergence is information a single audit can never give you. It tells you that coverage was exhausted, not reviewed once and signed off. Two auditors give you one pass and a hope. Two hundred researchers give you the same bug confirmed from hundreds of angles, and real confidence that your code is as close to safe and secure as code review allows.
When it comes to code coverage, the audit competition is king.
3. Audit Competition cost-per-vulnerability is a fraction of the cost
A traditional audit from a T1 audit firm sits at the expensive end of a finding, not the cheap one. Some firms charge $100 a line. Others run $25K per auditor per week. A single engagement can easily land between $100K and $300K, and for that you might get 2-5 people reviewing your code.
Let’s suppose you do manage to get an audit from a T1 firm for the middling price of $100K (and we have all heard of much higher prices). What would the real cost of a serious finding in the typical $100K T1 engagement? Assessed as conservatively and charitably as possible, across 1,178 audits from Zellic, Trail of Bits, and OpenZeppelin, those audits imply roughly $117.8M in audit spend for 1,789 critical-or-high findings. That works out to about $66K per critical-or-high finding (and if you only count criticals, roughly $307K per critical found). Compare that to Immunefi Audit Competitions, where the cost per critical-or-high finding is $6,548. Ten times cheaper, like for like.
However you look, it’s impossible to avoid the conclusion that audit competitions are dramatically more cost-effective than their audit firm equivalents.
With audit competitions, you set the number upfront and pay only for what researchers actually find, up to that cap, and not a dollar past it. Across Immunefi competitions, a third paid out less than their pool cap. This makes the real cost per finding even lower.
However, if the same finding was found through a bug bounty, the bug costs far more. Across every confirmed critical we’ve ever paid, $115M in total, the median payout is $20K and the mean is $114K - That’s three times the cost of a bug found via a competition at the median, seventeen times at the mean.
The bug bounty payout mean runs high because a handful of disclosures were enormous. In 2022, weeks after Wormhole lost close to $323M to one bug, a whitehat known as satya0x found another: an uninitialized proxy flaw in the core bridge that could have let an attacker take control of the contracts and lock up user funds. He disclosed it through Wormhole’s Immunefi program. Wormhole verified and patched it the same day, lost nothing, and paid him $10M, still the largest bug bounty ever paid. That is what a single critical is worth once the code is live and the money is sitting in it.
The same class of bug, found in a competition before launch would cost just $6,548.
Even worse: a production exploit, on the other hand, has no ceiling. The median onchain hack steals $2.2M. The average steals $24.5M.
Let’s run an ROI calculation on a real example. If you take the same $100K competition that found 15 unique criticals and 28 unique highs and price the 15 criticals at our bounty mean, researchers surfaced $1.7M worth of live vulnerabilities for a cost of $100K; Each and every one of those critical vulnerabilities was headed for production.
If a single critical had been exploited live, the median hack alone would have cost twenty-two times the entire pool.
This leads to a striking conclusion: an audit competition may be the highest-ROI per unit-of-risk investment a protocol will ever make. Not just among auditing investments, but of any security investment.
“We’ve been audited” was never “we’re safe”
Audited code gets drained constantly, and 2025 made that very obvious.
Balancer is the cleanest case, precisely because its security process was historically exemplary: eleven audits across four of the most respected firms in the industry. The vault contract alone was reviewed three times. In November 2025, a rounding error drained $128M despite eleven serious reviews… and the vulnerability that compromised the protocol survived all of them.
Cetus, the largest DEX on Sui and audited multiple times, lost $223M in fifteen minutes to an overflow check bug in May 2025. Bunni did everything right by the conventional playbook, but a logic flaw in its custom withdrawal math took $8.4M in September 2025. It shut down a month later.
The audited names on 2025’s exploit list didn’t come from careless teams. Our own five years of data proves it: 93.9% of bug bounty programs that run five years or longer eventually surface a confirmed critical. Real vulnerabilities will almost always make it through the audit process, and that’s simply the risk we take building onchain and in the open internet.
So when a firm hands you a report with zero criticals, read it carefully. Zero findings doesn’t mean zero bugs. More probably it means 2-5 people ran out of time.
We have the proof of exactly that. In May 2025, we ran a $125K competition on Flare’s FAssets v1.1 codebase, the same code Coinspect had audited repeatedly since 2022, including a dedicated Core Vault review one month earlier that surfaced zero high-severity issues.
Over four weeks, 151 researchers filed 633 submissions in the Flare audit competition, which surfaced 9 distinct high-severity, fund-loss bugs, mostly in the broader AssetManager surface the audits hadn’t exhausted: a forged non-payment proof that let an attacker steal from paying users, a payout function that burned collateral without returning fees, a double-payment challenge bypass that led to insolvency, two pricing flaws that let agents mint excess tokens and drain depositors. This is the norm, not the exception.
So why are firms steering founders and security leaders away from audit competitions?
Because they’re optimizing for their revenue and business model, not your security outcome. A fixed-fee engagement is a clean, forecastable line on a revenue projection. A competition that pays out based on what researchers actually find is messier to run and harder to predict.
Look at what the fixed fee actually buys the firm. When an audit misses the bug that drains you, the firm almost never faces any financial consequence. You get exploited, their reputation takes a small dent, the cycle repeats. They get paid whether they find 9 criticals or zero, whether or not you get exploited... whereas competition researchers eat only if they find what everyone else missed.
The honest objection to audit competitions
Here’s the fair counterargument, and we hear it constantly: open your code to hundreds of AI-augmented researchers, and you also invite AI spam, low-quality submissions, and a triage burden that can bury a small team. Managing audit competitions is just so much work!
This was a real problem, but is no longer: report overload is an almost-solved problem for the customer, thanks to our breakthroughs in AI triaging and anti-spam techniques.
Immunefi now prices out spam with pay-to-submit mechanics, so a junk report costs the sender something, and the flood thins out. We run managed triage so your team isn’t drowning in reports, and our AI triage agents are already showing strong results and increasingly matching our best human triagers. Competitions now scale to thousands of reports each, with little operational burden to your team.
The other worry sounds scarier: when you open your unlaunched code to hundreds of strangers, and haven’t you just handed it to your attacker? But on reflection, this doesn’t make sense: the moment you launch, your code is already exposed to every adversary on earth, for free, with real money incentivizing a breach. A competition doesn’t create that exposure, it front-runs exposure under the safest and friendliest of conditions. You get the best hackers alive crawling your code before the funds are live, reporting to you instead of draining you, under disclosure rules and a budget you set and control.
Handing your code to friendly AI-augmented hackers before launch is the best security move available to you today.
Audit competitions work best on Immunefi
Everything above is true of the format. But it’s also true that audit competitions are strongest on Immunefi, which can’t be copied anywhere else.
The highest payouts on record pull the best hackers alive, all of which hunt on Immunefi, and they bring their AI hunters with them.
Every competition report is public, so our track record is auditable, not asserted.
Managed triage and AI triage agents from the industry leader mean findings reach you sorted and pre-triaged better than any other platform, and not as a flood of spam.
Roughly 93% of every critical vulnerability disclosed in crypto flows through Immunefi, about 14x the nearest platform. That gives us the fastest, widest, freshest read on how attackers actually operate from the very edge of the security frontier, updating every single day.
Immunefi is your live feed from the security frontier. We build on that frontier; everyone else builds on a lag. And it all runs on the platform protecting over $180B, the one almost every major protocol already uses to protect themselves today. And the lead compounds: more researchers bring more reports, more reports sharpen where we look next, and the next competition gets better still. No platform seeing a fraction of that flow can keep pace with the frontier.
I hope it’s clear that audit competitions win on the evidence. I also hope it’s clear that Immunefi is how that math can be made to show up and secure your code.
The obvious choice
Let’s give audits their due. A private firm is the right call for architecture review, design-intent and business-logic discussion, and the structured first pass on brand-new code. Some deals, boards, and exchanges want a famous firm’s report on file, and that’s a real reason to buy one. Bug bounties are essential the moment code is live and funds are at risk. Use all of them, all together.
But if you’re the founder with a launch date and a finite budget, and you want the most possible bugs found and code covered in your audit, for the fewest dollars, in the time you actually have, then an audit competition is the highest-ROI security money you can spend.
And doing it on the platform that operates as crypto’s live attacker feed (processing 93% of crypto’s critical disclosures over the last 5 years), improving every day because of it, is the way to go.
A serious bug for $6,548 before launch, or the same bug for $24.5M after it. A bug and a half per audit engagement, or six per competition. Two auditors, or two hundred researchers.
You decide.









