Solana

Should auditors refuse shady projects or expose risks for users?

2025-04-04
As auditors, we often face a hard choice. We deal with many different projects: some are of genuinely high quality, while others raise questions and uncertainty. It is our responsibility to deliver the most honest assessment of a project, for the sake of both the project owners and their users.
Recently, we received a request for an audit. It looked like a routine engagement: we discussed the terms and dates and got to work analyzing the code. But once the process was under way, our auditors grew suspicious: judging from the code, the project was doing something different from what its owners claimed. For starters, the project promises its clients a 120% annual return. User deposits are sent to a smart contract, from which the owners withdraw them. It is hard to say what happened to these funds without further investigation, but the promised 120% annual interest was most likely paid out of deposits from new users. At the time of the audit, users had already deposited more than $8 million into the project's contract.
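The arithmetic behind that suspicion is worth making explicit. The following is an added example, not the audited project's code or anything from the original post: a constructed Rust model of the pattern described above (users deposit, the contract holds the funds, only the owner can withdraw, and nothing in the contract earns yield). The user names, the $8 million split, the owner withdrawal amount and the simple-interest formula are all assumptions chosen to illustrate the check an auditor would run: compare what users have been promised with what the contract actually holds.

```rust
use std::collections::HashMap;

/// Advertised return: 120% per year, expressed in basis points.
pub const PROMISED_APY_BPS: u64 = 12_000;

/// Constructed model of the deposit scheme (not the audited program).
/// Amounts are whole dollars for readability.
#[derive(Debug, Default)]
pub struct Vault {
    /// Funds actually held by the contract right now.
    pub balance: u64,
    /// Principal deposited per user (the contract's only "accounting").
    pub principal: HashMap<String, u64>,
    /// Funds the owner has taken out so far.
    pub owner_withdrawn: u64,
}

impl Vault {
    /// A user sends funds to the contract; principal and balance both grow.
    pub fn deposit(&mut self, user: &str, amount: u64) {
        self.balance += amount;
        *self.principal.entry(user.to_string()).or_insert(0) += amount;
    }

    /// The red flag: the owner's withdrawal is bounded only by the contract
    /// balance, not by any record of what users are owed.
    pub fn owner_withdraw(&mut self, amount: u64) -> Result<(), &'static str> {
        if amount > self.balance {
            return Err("insufficient balance");
        }
        self.balance -= amount;
        self.owner_withdrawn += amount;
        Ok(())
    }

    /// Total principal across all users.
    pub fn total_principal(&self) -> u64 {
        self.principal.values().sum()
    }

    /// What users have been promised after `years` at the advertised rate
    /// (simple, non-compounding interest; an assumption of this model).
    pub fn promised_liability(&self, years: u64) -> u64 {
        let p = self.total_principal();
        p + p * PROMISED_APY_BPS * years / 10_000
    }

    /// Gap between promises and assets. The contract earns nothing, so any
    /// gap can only be closed by future deposits from new users.
    pub fn shortfall(&self, years: u64) -> u64 {
        self.promised_liability(years).saturating_sub(self.balance)
    }
}

fn main() {
    let mut vault = Vault::default();
    // Constructed deposits adding up to the $8M figure from the post.
    vault.deposit("alice", 5_000_000);
    vault.deposit("bob", 3_000_000);
    println!("year-1 shortfall with untouched balance: {}", vault.shortfall(1));

    // Assumed owner withdrawal; now even principal cannot be returned.
    vault.owner_withdraw(6_000_000).expect("balance covers withdrawal");
    println!("immediate principal shortfall: {}", vault.shortfall(0));
    println!("year-1 shortfall after owner withdrawal: {}", vault.shortfall(1));
}
```

Even before the owner touches anything, `shortfall(1)` is positive: a contract with no yield-generating logic cannot honour a 120% return from its own assets, so the only source of those payouts is new deposits. After the owner withdrawal the shortfall at year zero shows that principal itself is no longer covered.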
As an audit company, we faced a dilemma. On the one hand, any connection with a fraudulent project is a blow to our reputation, even if the report clearly describes all the risks to users. Some readers skim reports, and others will assume that the audit company serves scammers without reading the report at all. Our first thought was to refuse the audit altogether. It was tempting to step aside and forget about this unpleasant case. However, in discussion within the team, we realized that the same client would probably just go to another company willing to produce a "clean" report that merely checks the smart contract for formal errors. Unfortunately, we have lately seen a surge of new audit companies with questionable morals.
At the same time, we see our mission as an auditor as more than checking code for formal errors and vulnerabilities: it is also to speak openly about all the risks that the users of a project seeking our audit might face. In our view, this is the only way for users to be able to trust us and the results of our work. We made a fundamental decision: to complete the audit and publish a report with all our findings, clearly stating the high probability of fraud and of loss of users' funds. Of course, the audit customers were not happy with the report and did not want it published. We decided that our responsibility to users matters more than the reputational risk.
Refusing an unpleasant order for the sake of preserving one's reputation means becoming an accomplice by keeping silent about a fraudulent scheme. We believe it is the auditor's duty to tell the truth, even when it is inconvenient and unpleasant. Such audits must be completed, and only complete honesty and transparency with users can earn the community's trust in cryptocurrencies and cryptocurrency projects in general.