CertiK smart contract audit: manual vs. automated review
The security conversation around DeFi has shifted from a simple question — “Has this protocol been audited?” — toward a more difficult one: what, precisely, did the audit examine, and by which method?

That shift matters because automated scanning, real-time monitoring, manual code review, and formal verification all produce security signals, but they do not produce the same signal.
A CertiK smart contract audit is designed as a layered process rather than a single automated verdict. Static tools can inspect a wide codebase quickly and flag known insecure patterns; experienced auditors can then decide whether a flagged pattern is exploitable inside the protocol’s actual architecture, while also looking for assumptions that no generic rule has captured. Formal verification, where included, introduces another layer entirely: a mathematical test of whether selected contract behavior conforms to a written specification.
For capital deployed into staking vaults, lending markets, or liquidity incentives, the distinction is not semantic. Yield is created by a chain of contracts, permissions, oracle inputs, upgrade paths, and liquidity dependencies. A scan may observe code. An audit must attempt to understand the system that code creates.
The layered architecture of a CertiK smart contract audit
CertiK describes its audit methodology as a sequence of overlapping security disciplines: environment setup, architecture review, threat modeling, static analysis, manual review, reporting, remediation, and, where the engagement calls for it, formal verification. The order is meaningful. Security assessment is not merely a search for suspicious lines of Solidity; it is an effort to establish which lines matter, which privileges can change them, and which user balances depend on their behavior.
Before meaningful review begins, the scope has to be defined. This is often treated as administrative housekeeping, yet it is one of the most consequential parts of the engagement. The project and auditor determine whether all contracts are reviewed or whether the work is restricted to essential and unique functions. They identify critical modules and discuss expected attack scenarios.
That scope creates the boundary of the resulting report. If a yield protocol has audited vault contracts but later adds a new strategy adapter, changes its oracle configuration, deploys a proxy upgrade, or hands operational authority to a different multisig, the original report does not silently expand to cover those decisions. The security posture of a protocol is therefore a moving architecture, not a PDF frozen at launch.
CertiK classifies findings into five severity levels:
| Severity | What it generally communicates | What it does not communicate |
|---|---|---|
| Critical | A severe issue with potentially immediate, system-level consequences | That every other module is safe once it is resolved |
| Major | A substantial vulnerability or design weakness requiring remediation | That user losses are inevitable in every condition |
| Medium | A meaningful security or correctness concern with a narrower impact profile | That it can be dismissed because it is not Critical |
| Minor | A lower-impact issue, often connected to hardening, edge cases, or implementation quality | That it has no relevance to long-term maintenance |
| Informational | A note about clarity, maintainability, conventions, or potential improvements | That it is a vulnerability finding by default |
Each finding may include a category, severity, file location, and alleviation status. The last field deserves more attention than it often receives. A finding marked resolved may indicate a code change, but the reader still needs to know whether the deployed contracts correspond to the reviewed and remediated codebase. A report is a record of a particular scope and revision; it is not an eternal property of a brand.
An audit is not a certificate attached to a protocol. It is an argument about a defined codebase under defined assumptions.
This is also where the common comparison between a CertiK security score, a monitoring dashboard, and manual review becomes confused. A score can compress multiple observable factors into a legible signal. Real-time protocol monitoring can surface changes or unusual conditions after deployment. Neither should be read as a substitute for the slow work of establishing how a contract’s state transitions, permissions, and economic incentives interact.
What automated and AI-assisted analysis can see
Automated analysis is indispensable because modern DeFi systems are too large, too composable, and too repetitive to inspect efficiently without tooling. CertiK’s methodology describes automated tools performing static testing at both source-code and bytecode levels. These tools can identify insecure patterns and generate diagrams that help auditors map relationships across contracts.
That scale has real value. An automated layer can rapidly search for familiar classes of exposure:
- externally callable functions whose access control appears inconsistent with their intended role;
- arithmetic, state-update, and call-order patterns associated with reentrancy or accounting errors;
- dangerous uses of delegatecall, low-level calls, or unvalidated external addresses;
- duplicated logic across strategy contracts that may replicate a vulnerability many times;
- bytecode-level discrepancies that matter when source verification or deployment provenance is incomplete.
For protocols managing pooled collateral, this early mapping is not ornamental. Liquidity fragmentation often means that a single economic product is spread across vaults, routers, adapters, reward distributors, bridges, and third-party integrations. A scanning system can create an initial topology of that surface far more quickly than a reviewer can construct it by hand.
Yet speed is not judgment. Tool-generated findings must be manually verified, both to remove false positives and to give reported issues a useful explanation. A function can match a high-risk pattern while remaining unreachable in the deployed configuration. Conversely, a sequence of individually ordinary functions can form a dangerous path once governance permissions, external calls, and market conditions are considered together.
The distinction becomes sharper with AI-assisted systems. CertiK has publicly presented an AI Auditor evaluation involving 35 real-world Web3 security incidents and reported an 88.6% cumulative exact-hit rate for that stated test set. This is informative as a vendor benchmark for a bounded evaluation; it is not a universal detection rate, an independent validation, or a guarantee that an automated system will find every issue in a new protocol.
That limitation is not an indictment of automation. It is a description of the problem. Machine-assisted review is strongest where security knowledge can be expressed as patterns, code properties, historical examples, and repeatable checks. DeFi risk, however, often emerges from the space between components: a collateral parameter that is sensible in isolation but unstable with a thin oracle market; a withdrawal queue that functions correctly until an incentive program changes liquidity behavior; a privileged upgrade that is technically authorized but misaligned with users’ expectations of custody.
For a useful baseline on what a code-level assessment should actually interrogate, this five-step guide to smart contract audit analysis is a helpful companion. Its practical premise holds: an audit result must be read through scope, findings, remediation, and the protocol’s continuing operational model.
Manual review is where code becomes a system
CertiK distinguishes between micro-auditing and macro-auditing. The distinction is technical, but it also captures why a comprehensive review cannot be reduced to a scanner output.
Micro-auditing examines the local mechanics of contracts: functions, arguments, variables, access levels, and state changes. It asks questions such as whether a withdrawal function updates balances before transferring tokens; whether an initialization path can be called twice; whether a role is assigned, revoked, or inherited as intended; whether a token’s non-standard behavior can break accounting assumptions.
These questions are granular because exploits are often granular. A single missing modifier, an unchecked return value, or an unexpected state mutation can alter who controls funds and when.
Macro-auditing moves outward. It looks at call and contract hierarchy, state-field occurrences, and “what-if” conditions across the protocol. Here, the auditor is not merely asking whether function A is written safely. They are asking what happens if function A changes the state later read by contract B, which then relies on an oracle update timed around a liquidity event, while contract C retains emergency authority over settlement.
The two modes are complementary:
| Review layer | Primary unit of analysis | Typical question | Why it matters for DeFi yield |
|---|---|---|---|
| Automated static analysis | Code patterns and structural signals | Does this code resemble a known insecure construction? | Broad coverage across many contracts and repeated modules |
| Manual micro-audit | Individual functions and state transitions | Can this call be abused, repeated, reordered, or invoked by the wrong actor? | Protects accounting integrity at the contract level |
| Manual macro-audit | Contract relationships and system behavior | What emerges when these components execute under stressed conditions? | Tests the architecture supporting deposits, rewards, liquidation, and withdrawals |
| Formal verification | Selected properties against specifications | Can this function ever violate its stated invariant? | Provides strong assurance for explicitly modeled critical behavior |
A protocol can pass local review while still presenting system-level risk. Consider a reward mechanism that is internally consistent in each contract but depends on an external strategy reporting a value accurately and on time. The contracts may have no obvious reentrancy flaw, no missing permission check, and no arithmetic error. Still, an oracle or valuation dependency may create an opening for distorted share issuance, excess withdrawals, or unfair reward allocation.
The same is true of multisig wallet security. A review may confirm that a privileged setter requires a designated role; it does not automatically establish whether that role is held by a robust multisig, whether the signer threshold is adequate, whether signers are operationally independent, or whether a timelock meaningfully constrains upgrades. These are validator dynamics in another form: the technical protocol and the human authority structure must remain aligned.
Static analysis finds patterns. Manual review tests whether those patterns have consequences inside a living protocol.
This is why a clean automated scan should be treated as an opening condition for analysis, not as its conclusion. In DeFi, the absence of a visible code-pattern alert says little about the economic behavior that may emerge under a particular liquidity configuration.
Formal verification and static analysis answer different questions
Formal verification is often described with more certainty than it deserves. It is not “better static analysis,” nor is it an automatic proof that a protocol is safe. It is a separate, specification-based discipline.
CertiK describes formal verification as an optional process that mathematically checks contract behavior against custom function specifications. The crucial word is custom. The verification can only prove properties that have been precisely defined and modeled. If the specification says that only a governance role may execute a parameter update, formal methods can help establish whether the code preserves that property. But if the specification fails to express a problematic incentive, an unsafe governance decision, or a dependency on compromised external data, the proof does not discover the missing premise by itself.
The relationship between formal verification and static analysis is therefore best understood as one of different epistemic reach:
1. Static analysis searches broadly for known hazardous patterns. It is efficient at scale and useful for surfacing code that merits attention, even before a reviewer has fully absorbed the architecture.
2. Manual review interprets intent and context. It decides whether apparent findings are reachable, exploitable, mitigated elsewhere, or symptomatic of a deeper design inconsistency.
3. Formal verification tests selected invariants with mathematical precision. It can offer strong confidence that defined properties hold, provided the implementation, assumptions, and specification accurately reflect the relevant security objective.
For a lending market, a useful invariant may concern the conservation of debt accounting or restrictions on liquidation execution. For a staking system, it may concern the impossibility of withdrawing more than an account’s credited balance. For a bridge, it may concern the relationship between lock and mint operations. But the choice of what to formalize is itself a risk decision.
A protocol team can devote substantial effort to proving a narrow function correct while leaving the surrounding upgrade process, price feed assumptions, or cross-chain message validation outside the verified surface. This is not a failure of formal verification. It is a reminder that assurance inherits the boundaries of the model.
The practical implication is restrained but important: a project that mentions formal verification should state which contracts and properties were covered. Without that, the phrase conveys ambition more than usable information.
Scope is the security boundary investors should read first
The first page many readers seek in an audit report is the list of findings. In many cases, the more revealing page is the scope statement.
Scope tells the reader what the auditors were asked to inspect. It may identify contract files, commit hashes, deployed addresses, dependencies, libraries, and exclusions. It may also reveal whether the engagement focused on unique logic or included all contract files. This is the frame within which every severity rating must be understood.
Several gaps commonly arise between an audited codebase and the protocol users actually encounter:
- Post-audit changes. A small patch can alter a key permission boundary or an accounting relationship. A new version may require a new review even if the earlier report was rigorous.
- Proxy and upgrade mechanics. The implementation may be reviewed, while the authority to point a proxy toward a new implementation remains a separate operational risk.
- External dependencies. Oracles, bridges, DEX pools, token wrappers, and strategy providers may sit outside the reviewed repository but remain central to the protocol’s loss surface.
- Front-end and operational controls. A contract audit does not necessarily assess a web interface, key-management practice, DNS risk, signer coordination, or the configuration of a treasury multisig.
- Economic and governance design. A contract can execute exactly as coded while its incentives produce liquidity instability, governance capture, or a withdrawal imbalance that no conventional vulnerability label fully describes.
This is also the proper context for real-time protocol monitoring. Monitoring can observe deployed behavior, changes in contract interactions, anomalous fund movements, and evolving risk indicators. It addresses the temporal problem that audits cannot solve: code and dependencies continue to change after a report is delivered.
But monitoring and auditing occupy different positions in the security architecture. Monitoring is an ongoing observational layer. An audit is a structured investigation of a defined system. One can reveal a change that prompts a new review; the other can identify a design weakness before it becomes observable on-chain. Capital alignment depends on treating them as complements rather than competing badges.
The same restraint applies to public security scores. A CertiK security score may be useful as a navigational signal, particularly when comparing a broad set of protocols, but it is not equivalent to manual review and does not turn the absence of Critical findings into a guarantee against loss. Scores aggregate. Security failures often concentrate.
The audit report is a starting point for network alignment
The most durable reading of a CertiK smart contract audit is neither dismissive nor devotional. It is architectural.
Automated and AI-assisted analysis offers breadth, repetition, and fast pattern recognition. Manual micro-auditing examines whether specific functions and state changes resist abuse. Macro-auditing asks whether the protocol’s components retain their intended behavior when viewed as a connected system. Formal verification can establish powerful guarantees for explicitly specified properties. Monitoring extends attention into the protocol’s life after deployment.
None of these layers eliminates the need for the others. Their value lies in the places where their blind spots do not overlap.
For DeFi participants, the central question is therefore not whether a protocol can display an audit badge, a security score, or a clean scanner result. It is whether its review process, deployment practices, upgrade authority, and economic dependencies remain aligned with the claims made to depositors. As staking systems and yield protocols become more modular, the harder question will be whether security assessment can remain equally modular without losing sight of the system it is meant to protect.