Decentralized Finance (DeFi) represents a growing set of financial services that attempt to replicate key functions of the conventional financial system in an open and decentralized way using blockchain technology. This emerging form of capital markets has become economically meaningful; the Federal Reserve estimated the total value of digital contracts locked in DeFi applications exceeded $200 billion by early 2022, up from around $2 billion in 2020.
DeFi aims to create a decentralized financial ecosystem, removing intermediaries and fostering transparency over financial transactions by employing public blockchain technology. Central to DeFi services are smart contracts, which are autonomous self-executing digital agreements with terms and conditions explicitly laid out in computer code. This code, which resides on a blockchain network, enables the contract to enforce its own terms autonomously, streamlining transactions between parties without the need for intermediaries such as banks and brokerages. Smart contracts are designed with no recourse for contract disputes, underscoring the importance of ensuring upfront accuracy and completeness of smart contracts.
A major concern when using smart contracts is that non-technical users cannot judge the quality and completeness of the code behind these contracts. Although the open-source nature of DeFi aims to prevent coding and logic errors, its effectiveness has proven to be limited. For example, there are numerous high-profile instances of coding bugs in smart contracts that have led to substantial thefts of crypto assets. Subsequently, several leading financial organizations have issued white papers explicitly calling for independent third-party audits of the reliability of the code underlying smart contracts. In our recent study, we provide the first large-sample evidence of the emergence of these voluntary audits. Specifically, we address three main research questions: (1) who the audit firms are, (2) what services they provide, and (3) the value of the audit opinions to market participants.
First, we note that the three largest auditors performed 46% of the engagements in our sample. This market concentration in the emerging DeFi audit market is comparable to that observed in the market for audits of financial information in conventional capital markets. Since auditing in the DeFi market is unregulated and the audit is not tied to a specific time period (like the fiscal year for financial audits), DeFi ventures have the option to obtain multiple audits of their smart contracts. In our sample, 3,791 DeFi ventures obtained a single audit during our sample period, while 519 purchased at least two audits (1,557 reports). Among DeFi ventures with multiple audits, we observe that over 70% chose a different auditor between the first and second audit.
Second, we analyze a large sample of 5,343 unique smart contract audit reports to investigate the audit services and types of assurance provided by DeFi audit firms. In contrast to a financial statement audit report, which spans only a few pages and provides limited detail, the audit reports in our sample have a mean of 17 pages and provide a detailed look at the exact tests performed by the auditors and the outcome of those tests. With respect to audit methods and tasks, the average audit in our sample combines manual and automatic verification testing and tests about 20 specific items in the code of the smart contract. For example, auditors commonly analyze whether the code properly locks the assets under consideration and safeguards against common exploits and security vulnerabilities. In reviewing these items, auditors typically separate any issues into major and minor issues. Audit clients usually have an opportunity to remedy any issues identified by the audit before the report is released. These issues are then re-evaluated by the audit firm and, if fixed, are noted as such in the audit report. Overall, the granularity of smart contract audit reports exceeds that of financial statement audit reports. However, just as financial audits do not guarantee against misstatements and fraud, smart contract audits do not guarantee against data breaches, thefts, or other problems.
Third, we investigate the benefits of smart contract audits by examining whether these audits are valued by market participants. Specifically, we examine abnormal returns at the DeFi venture level around the release of the audit report for a sub-sample of 483 reports covering 272 unique ventures for which the venture’s token has available price data. We find that, on average, the release of an audit report results in a positive and statistically significant market-adjusted return of about +10% in the two days after and including the release date. Although ventures elect to release their audit reports, this finding nonetheless suggests that smart contract audits are value relevant. This is consistent with the longstanding proposition in accounting that audits serve as a mechanism to reduce information asymmetry and improve the functioning of capital markets.
Overall, our findings highlight the demand for novel assurance services driven by blockchain technology. Studying other areas of the evolving DeFi market where external verification plays a role may be a fruitful path for future research.
Thomas Bourveau is an Associate Professor of Business at Columbia Business School.
Janja Brendel is an Assistant Professor of the School of Accountancy at The Chinese University of Hong Kong (CUHK) Business School.
Jordan Schoenfeld is an Associate Professor at the Eccles School of Business at the University of Utah and a Visiting Associate Professor at the Tuck School of Business at Dartmouth College.
This post was adapted from their paper, “Decentralized Finance (DeFi) Assurance: Audit Adoption and Capital Markets Effects,” available on SSRN.