DEV Community

juan23z
juan23z

Posted on

Your audit expired the day you made the next commit

Mirror/dev.to. Positions continuous monitoring (our wedge).*

You paid for an audit. The firm reviewed a commit hash, handed you a PDF, and moved on. You shipped. Then, like
every real project, you kept building: a new feature here, a parameter tweak there, a "quick fix" before a
weekend deploy.

Here's the uncomfortable truth: that audit covered a snapshot that no longer exists. The moment your first
post-audit commit landed, you were running unaudited code again — often the exact kind of rushed change where
bugs are born.

Where the money actually leaks

Look at the post-mortems. A huge share of DeFi losses aren't in the audited launch code — they're in what came
after:

  • An "innocent" refactor that flips a Floor to a Ceil in a share-conversion path.
  • A new integration that reads a manipulable totalAssets.
  • An upgrade whose access control wasn't gated as tightly as the original.
  • A hotfix deployed on a Friday with no time for a fresh review.

The audit didn't miss these. They didn't exist yet when the audit happened.

The gap is structural, not a failure of the auditor

One-time audits are priced and scoped as snapshots. That's fine for a launch gate. But your risk surface is a
moving target, and a snapshot can't cover a moving target. For a small or fast-moving protocol, the window
between "audited" and "materially different code in production" can be days.

What actually closes the gap: continuous review

The fix isn't "audit more often" (expensive, and you'd still have gaps). It's to make review continuous:
watch the contracts, and re-review automatically on every change/deploy — so the delta between your live code and
your last review is always small enough to reason about.

That's exactly what we do. An autonomous engine watches your repo 24/7; every new commit or deploy triggers a
fresh pass over the changed surface, and you get an alert plus a monthly report. It costs a fraction of an audit
per year, because the marginal cost of another scan is near zero.

A one-time audit tells you your code was safe on a Tuesday in March. Continuous monitoring tells you it's still
safe today.


We do fast, affordable security reviews for small protocols — then keep watching. Sample report:
https://juan23z.github.io/sample-audit-report.html · First month of monitoring free with any review.


I offer continuous smart-contract monitoring — I re-audit your contracts on every change and send a monthly report, so security keeps up as your code evolves. Custom detectors + manual verification, 0 false positives on all of OpenZeppelin. Sample report · Get in touch

Top comments (0)