Frozen Commit Hash

The specific, immutable Git reference a smart contract audit is performed against. Required by every major audit firm.

A frozen commit hash is the specific, immutable Git reference (e.g. a3f4c1d...) that a smart contract audit is performed against. Every major audit firm — Quantstamp, ConsenSys Diligence, Sherlock, Hacken, Trail of Bits — requires one before the engagement begins. Auditing a moving target is not a service any reputable firm sells.

Why audit firms require it

A security audit is a review of a specific version of the code. Findings, line number references, attack traces, and remediation advice all make sense only against a fixed snapshot. When code changes mid-review, the auditor loses the ability to reason about the system as a whole, timelines expand, and findings may no longer apply by the time the report is delivered. Quantstamp frames it directly: audits are snapshots in time, and any changes after the review may introduce attack vectors the audit never examined.

What to hand over

At minimum, your scoping packet should include:

  • Repository URL
  • Branch name
  • Exact commit hash (full 40-character SHA, not a short hash)
  • File paths in scope
  • File paths explicitly out of scope

Parallel development of non-scope modules should happen on a separate branch so the scoped commit stays stable.

Common mistakes

  • Sending a branch name instead of a hash. Branches move; hashes don't. If you send main, the auditor audits whatever main points to when they check out the repo, which may differ from what you meant.
  • Pushing "small fixes" during the audit. Even typo corrections shift line numbers and invalidate the auditor's working notes. If a critical issue is discovered mid-audit, document it for the remediation phase rather than pushing immediately.
  • Excluding deploy scripts. Nascent's audit-readiness checklist is explicit that deployment and upgrade scripts are as important as runtime code and should be inside the scoped commit.

Re-audit scope

If the team makes changes after the initial audit report, a re-audit is scoped against a new frozen commit hash covering only the modified files plus any code they touch. This is standard practice and priced separately from the initial audit.
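The scoping packet, the branch-versus-hash mistake and the re-audit diff above can all be checked mechanically. The script below is an added example for this page, not Zealynx's tooling or any audit firm's intake process; the class and function names (`ScopingPacket`, `packet_problems`, `verify_against_repo`, `reaudit_files`) are mine, it assumes `git` is on PATH, and the repository URL, paths and throwaway repository it builds under `__main__` are constructed. It rejects a short hash or a branch name where the full 40-character SHA belongs, flags a path listed both in and out of scope or a deploy script left out of scope, confirms against the repository that the commit exists and the branch still points at it, and lists the in-scope files changed between the audited commit and a new frozen commit as the starting point for re-audit scoping.

```python
"""Checks for a frozen-commit scoping packet and a re-audit diff.

Added example for this page; not Zealynx's or any audit firm's tooling.
Assumes `git` is on PATH for the repository-backed functions; the packet-shape
checks are pure Python. URLs, paths and the repo built in __main__ are constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")      # full SHA-1 as `git rev-parse` prints it
SHORT_SHA = re.compile(r"^[0-9a-f]{4,39}$")   # abbreviated hash: ambiguous, so rejected
DEPLOY_HINT = ("deploy", "script")            # heuristic names for deployment/upgrade code


@dataclass
class ScopingPacket:
    repo_url: str
    branch: str
    commit: str                       # the frozen commit: full 40-character hash
    in_scope: list[str]               # file or directory paths (directories end with "/")
    out_of_scope: list[str] = field(default_factory=list)


def packet_problems(p: ScopingPacket) -> list[str]:
    """Pure-Python checks on the packet itself; an empty list means it is audit-ready."""
    problems = []
    if SHORT_SHA.match(p.commit):
        problems.append("commit is an abbreviated hash; send the full 40-character SHA")
    elif not FULL_SHA.match(p.commit):
        problems.append("commit is not a hash (a branch or tag name moves; a hash does not)")
    if not p.in_scope:
        problems.append("no in-scope paths listed")
    overlap = sorted(set(p.in_scope) & set(p.out_of_scope))
    if overlap:
        problems.append(f"paths listed both in and out of scope: {overlap}")
    # Heuristic: deployment and upgrade scripts belong inside the scoped commit.
    excluded_deploy = [d for d in p.out_of_scope if any(h in d.lower() for h in DEPLOY_HINT)]
    if excluded_deploy:
        problems.append(f"deployment/upgrade scripts appear out of scope: {excluded_deploy}")
    return problems


def path_in_scope(path: str, scope: list[str]) -> bool:
    """True if `path` is one of the scoped files or lies under a scoped directory."""
    return any(path == s or path.startswith(s.rstrip("/") + "/") for s in scope)


def _git(repo: str, *args: str) -> str:
    out = subprocess.run(["git", "-C", repo, *args], check=True, capture_output=True, text=True)
    return out.stdout.strip()


def verify_against_repo(repo: str, p: ScopingPacket) -> list[str]:
    """Checks that need the repository: the commit exists, the branch is at it, the paths exist."""
    try:
        _git(repo, "rev-parse", "--verify", "--quiet", f"{p.commit}^{{commit}}")
    except subprocess.CalledProcessError:
        return [f"commit {p.commit} is not in the repository (was it pushed?)"]
    problems = []
    head = _git(repo, "rev-parse", "--verify", f"refs/heads/{p.branch}")
    if head != p.commit:
        problems.append(f"branch {p.branch} is at {head[:12]}, not at the frozen commit; "
                        "keep ongoing work on a separate branch")
    tracked = _git(repo, "ls-tree", "-r", "--name-only", p.commit).splitlines()
    for path in p.in_scope:
        if not any(path_in_scope(t, [path]) for t in tracked):
            problems.append(f"in-scope path {path!r} does not exist at the frozen commit")
    return problems


def reaudit_files(repo: str, audited: str, new_frozen: str, in_scope: list[str]) -> list[str]:
    """In-scope files changed between the audited commit and the new frozen commit.

    Starting point for re-audit scoping; code that the changed files touch still
    has to be identified by reading them."""
    return _git(repo, "diff", "--name-only", audited, new_frozen, "--", *in_scope).splitlines()


if __name__ == "__main__":
    import pathlib, tempfile
    with tempfile.TemporaryDirectory() as repo:     # constructed throwaway repository
        _git(repo, "init", "-q")
        _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
        _git(repo, "config", "user.email", "dev@example.invalid")
        _git(repo, "config", "user.name", "dev")
        src = pathlib.Path(repo, "src"); src.mkdir()
        (src / "Vault.sol").write_text("contract Vault {}\n")
        _git(repo, "add", "."); _git(repo, "commit", "-q", "-m", "freeze for audit")
        frozen = _git(repo, "rev-parse", "HEAD")
        packet = ScopingPacket("https://example.invalid/vault.git", "main", frozen, ["src/"], ["test/"])
        print("handover problems:", packet_problems(packet) + verify_against_repo(repo, packet))
        (src / "Vault.sol").write_text("contract Vault { uint256 total; }\n")   # post-audit change
        _git(repo, "commit", "-q", "-a", "-m", "post-audit fix")
        print("re-audit starts from:", reaudit_files(repo, frozen, _git(repo, "rev-parse", "HEAD"), ["src/"]))
```

Run it in the repository you are about to hand over, with the packet you intend to send: an empty problem list from both `packet_problems` and `verify_against_repo` means the auditor will check out exactly what you scoped. The deploy-script check is a name heuristic, so review its output rather than treating it as authoritative.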

© 2026 Zealynx