Audit Severity Matrix
The two-axis framework auditors use to assign Critical, High, Medium, Low, or Informational severity to findings based on impact times likelihood.
The audit severity matrix is the structured framework that smart contract audit firms use to assign severity to findings. It replaces subjective judgment with a defensible two-axis grid where one axis is impact (how bad would the exploit be if it happened) and the other is likelihood (how easy is it for an attacker to actually trigger).
How the Matrix Works
Most serious audit firms map findings against a 5x3 or 4x4 matrix with severity bands. Impact ranges from Informational to Critical, capturing what the protocol stands to lose if the finding is exploited. Likelihood ranges from Low to High, capturing how plausible exploitation is in practice given the actual deployment context.
A finding lands in a cell of the matrix, and that cell determines severity. A finding with Critical impact and High likelihood is Critical severity. A finding with Critical impact but Low likelihood (for example, requiring an exotic attack with significant capital and trusted-actor cooperation) might be downgraded to High or Medium. A finding with Low impact but High likelihood might be Medium or Low depending on the specific cells defined.
The matrix exists so that severity is not vibes-based. Without it, the same finding could be rated Critical by one researcher and Medium by another, and the report would not have any cross-audit comparability. With it, a High on one firm's audit means roughly the same thing as a High on the same firm's other audits.
Why Severity Comparability Matters
Founders read audit reports to understand risk and to communicate that risk to investors, users, and their own engineering team. If severity is assigned inconsistently, the report becomes harder to act on. A High severity finding that any engineer would treat as urgent loses meaning if the same firm has previously labeled trivial issues as High elsewhere.
Investors evaluating a protocol often request audit reports as part of due diligence. They are looking at multiple reports across multiple protocols and firms, and they rely on severity ratings to triage which protocols deserve deeper conversation. A consistent severity matrix makes that triage reliable.
Common Severity Mistakes
The most common severity mistake is over-weighting impact and ignoring likelihood. A finding that would be catastrophic but requires a specific combination of trusted actors to collude can technically be exploited, but in practice the protocol is not at meaningful risk. Rating such findings as Critical inflates the report and dilutes the meaning of true Critical findings.
The opposite mistake is over-weighting likelihood and ignoring impact. A finding that is easy to trigger but only causes a 0.01 percent rounding loss should not be High severity, even if "anyone can do it." The matrix forces both dimensions to be considered.
The third mistake is severity drift across the engagement. A researcher under deadline pressure may rate the first few findings carefully, then start applying looser standards as fatigue sets in. Audit peer review catches drift by applying a second consistent reading.
What the Matrix Should Include
A properly documented severity matrix appears in the firm's methodology documentation and in the audit report itself. The report should show the matrix, list the cells with severity bands, and rate each finding against it explicitly. Findings with edge-case severity decisions should include a one-sentence justification.
When reading an audit report, look for the severity matrix near the front of the document. If the firm does not publish its matrix, ask for it directly. A firm that cannot describe its severity framework in writing is unlikely to be applying one consistently.
Related Terms
Audit Peer Review
The internal quality assurance process where a second senior researcher reviews every finding before the draft audit report is delivered to the client.
Fix Verification Round
A mandatory second review by an audit firm to confirm that client patches actually fix the reported vulnerabilities without introducing new ones.
Audit Scope
The defined boundaries of a security audit, specifying which contracts, functions, and concerns will be reviewed.
Audit Timeline
The full sequence of security activities a smart contract protocol schedules across its lifecycle — architecture review, mid-development checkpoint, pre-launch audit, fix-review, public bounty, post-deploy audit, and recurring re-audits — rather than a single point-in-time engagement.