

Audit Drift: Why Your Protocol Is No Longer the System That Was Audited

A practical view of what changes between an audit and a real incident — and how to track the drift before it bites.

SuperDroids · 6 min read


The system your auditors reviewed isn't the system that's running on mainnet right now.

That gap is audit drift, and it's where most post-audit incidents actually live. Not in the contracts that were reviewed — in the contracts, configs, and assumptions that changed after the report was signed.

What drifts

Drift accumulates in five places:

  1. Code — new contracts deployed via factories, storage-layout changes, compiler/optimizer changes, new library imports.
  2. Configs — admin addresses, role memberships, timelock parameters, oracle endpoints, fee parameters, threshold values.
  3. Roles — multisig signer changes, new role-bearing addresses, EOA-to-contract migrations.
  4. Deployments — chains added, new proxy implementations, new pools/markets created via factories.
  5. Assumptions — what the audit explicitly assumed. "Assumes governance is trusted." "Assumes oracle X is reliable." "Assumes upgrades go through the timelock." Many post-audit incidents start when one of these assumptions silently stops holding.

The last category is the one that gets missed, because it's not in the code — it's in the report.

A minimal tracking routine

You don't need a monitoring platform. You need a recurring 30-minute exercise:

Cadence | What
Weekly  | Diff against the audited tag; flag anything that touches the report.
Monthly | Re-read the audit's assumptions section. Are they still true?
Per-PR  | Attach a card to security-sensitive PRs flagging audit relevance.

The output of each pass is a one-page drift report: what changed, against which assumption, severity, and the re-audit decision (none / lightweight review / full re-audit).
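The five drift categories and the one-page report above, as one added example that is not SuperDroids' own tooling: a baseline recorded at the audited tag is diffed against the current state, every change is mapped to the audit assumptions that depend on it, and the re-audit decision falls out of the worst severity. Both snapshots are constructed stand-ins for what you would actually read back (the EIP-1967 implementation slot, role members from RoleGranted/RoleRevoked events, the timelock's minimum delay); all addresses, commit hashes, role names, assumption ids and the severity policy are hypothetical.

```python
"""Audit-drift check: diff a baseline captured at the audited tag against the
current state and produce the one-page drift report the routine above calls for.

Added example, not SuperDroids' own tooling. Both snapshots are constructed
stand-ins for data you would record at audit time and read back later (the
EIP-1967 implementation slot via eth_getStorageAt, role members from
RoleGranted/RoleRevoked events, the timelock's getMinDelay()). Every address,
commit hash, role name and assumption below is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Any

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
DECISION = {"none": "none", "low": "none",
            "medium": "lightweight review", "high": "full re-audit"}

# What the audit covered. "depends_on" lists the snapshot paths whose change
# means that assumption can no longer be taken from the report.
AUDIT_BASELINE = {
    "code": {"Vault.impl": "0xaaaa0001", "Vault.commit": "7f3e1c2"},
    "configs": {"timelock.minDelay": 172800, "oracle.feed": "0xfeed0001"},
    "roles": {"UPGRADER_ROLE": ["0x1111"],          # 0x1111 = the timelock
              "DEFAULT_ADMIN_ROLE": ["0x2222"]},    # 0x2222 = the multisig
    "deployments": {"chains": [1]},
    "assumptions": [
        {"id": "A1", "text": "Upgrades go through the 48h timelock",
         "depends_on": ["roles.UPGRADER_ROLE", "configs.timelock.minDelay"]},
        {"id": "A2", "text": "Oracle feed 0xfeed0001 is reliable",
         "depends_on": ["configs.oracle.feed"]},
        {"id": "A3", "text": "Protocol is deployed on mainnet only",
         "depends_on": ["deployments.chains"]},
    ],
}

# What is live today (constructed): a new implementation was deployed, the
# timelock delay was set to zero, an EOA got UPGRADER_ROLE, an L2 appeared.
CURRENT_STATE = {
    "code": {"Vault.impl": "0xaaaa0002", "Vault.commit": "b91d044"},
    "configs": {"timelock.minDelay": 0, "oracle.feed": "0xfeed0001"},
    "roles": {"UPGRADER_ROLE": ["0x1111", "0x3333"],
              "DEFAULT_ADMIN_ROLE": ["0x2222"]},
    "deployments": {"chains": [1, 42161]},
}


@dataclass
class Drift:
    category: str        # code / configs / roles / deployments
    path: str            # e.g. "configs.timelock.minDelay"
    before: Any
    after: Any
    breaks: list = field(default_factory=list)   # assumption ids this change undermines
    severity: str = "low"


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return one Drift per changed field; list-valued fields compare as sets."""
    drifts = []
    for section in ("code", "configs", "roles", "deployments"):
        base, cur = baseline.get(section, {}), current.get(section, {})
        for key in sorted(set(base) | set(cur)):
            before, after = base.get(key), cur.get(key)
            if isinstance(before, list) or isinstance(after, list):
                before, after = sorted(before or []), sorted(after or [])
            if before != after:
                drifts.append(Drift(section, f"{section}.{key}", before, after))
    return drifts


def classify(drifts: list, assumptions: list) -> list:
    """Severity policy (hypothetical, tune it): anything the report relied on is
    high; privileged or deployment surface is medium; other parameters are low."""
    for d in drifts:
        d.breaks = [a["id"] for a in assumptions if d.path in a["depends_on"]]
        if d.breaks:
            d.severity = "high"
        elif d.category in ("code", "roles", "deployments"):
            d.severity = "medium"
        else:
            d.severity = "low"
    return drifts


def drift_report(baseline: dict, current: dict) -> dict:
    """What changed, against which assumption, severity, and the re-audit decision."""
    drifts = classify(diff_snapshots(baseline, current), baseline["assumptions"])
    worst = max((d.severity for d in drifts), key=SEVERITY_RANK.get, default="none")
    return {
        "changes": [vars(d) for d in drifts],
        "broken_assumptions": sorted({a for d in drifts for a in d.breaks}),
        "decision": DECISION[worst],
    }


def render(report: dict) -> str:
    """The one-page text version of the report."""
    lines = [f"Re-audit decision: {report['decision']}",
             f"Assumptions no longer holding: {', '.join(report['broken_assumptions']) or 'none'}"]
    for c in report["changes"]:
        note = f"  (breaks {', '.join(c['breaks'])})" if c["breaks"] else ""
        lines.append(f"[{c['severity']:<6}] {c['path']}: {c['before']!r} -> {c['after']!r}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(drift_report(AUDIT_BASELINE, CURRENT_STATE)))
```

The part that cannot be automated is the assumptions list: someone has to read the report's assumptions section once and write down which on-chain fields each assumption rests on. Once that mapping exists, the weekly diff and the monthly assumptions re-read collapse into the same script run, and a change that touches no assumption still shows up as a medium or low item rather than disappearing.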

The expensive version

If you wait for an incident, the drift report writes itself — in the post-mortem. The point of doing it on a schedule is to make the report cheap and boring instead of expensive and urgent.

What to do next

If your last audit was more than 90 days ago and you haven't mapped the drift, that's the highest-leverage security work you can do this week.

The Audit Drift Checklist is a starting template. Use it, or copy the structure into whatever doc tool your team lives in.