nSLOC

Non-comment source lines of code. The standard metric audit firms use to size scope and price smart contract audits.

nSLOC (non-comment source lines of code) is the standard metric used by smart contract audit firms to size scope, estimate timelines, and produce price quotes. It measures only executable code, excluding comments, blank lines, and import statements. Because it correlates loosely with the attack surface an auditor must review, it has become the dominant sizing variable across competitive platforms (Sherlock, Code4rena, Cantina), private firms (Hacken, Zealynx, Trail of Bits), and scoping tooling like Solidity Metrics.

Why nSLOC, not SLOC

Raw SLOC (source lines of code) counts everything in the file, including comments, blank lines, and boilerplate. Two files with identical logic can have wildly different SLOC if one is heavily commented. nSLOC normalizes for this by counting only the code an auditor must actually read and reason about. It is a better proxy for review effort than SLOC, though neither metric captures logic density or integration complexity.

How audit firms use nSLOC

Sherlock publishes explicit mappings from nSLOC to contest duration: ~500 nSLOC for a 3-day window, ~3,000 for 18 days, ~6,000 for 38 days. Above 6,000, scope growth stops being linear — complexity becomes exponential, and firms typically recommend splitting scope or sequencing reviews. Private firms use similar heuristics internally; they rarely publish the exact formula, but nSLOC is consistently the first variable plugged in.

Limitations

nSLOC does not capture:

  • Logic density — 500 lines of ERC-20 boilerplate is not the same as 500 lines of cross-chain bridge math.
  • Integration complexity — a small contract that depends on Uniswap v4 PoolManager internals expands the threat model beyond what line count suggests.
  • Language premium — Rust on Solana, Cairo, Move, and ZK circuits all command 25–120% markups over equivalent Solidity nSLOC.

A competent audit firm uses nSLOC as a starting point, then applies multipliers for density, language, and integration scope before producing a final quote.

Measuring nSLOC yourself

Run Solidity Metrics or a similar tool against your scope before requesting quotes. Knowing your nSLOC lets you sanity-check quotes — a $200K quote on 400 nSLOC of standard DeFi logic is almost certainly inflated, while $40K on 6,000 nSLOC of bridge code is almost certainly a junior firm underbidding the actual difficulty.
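A rough way to get a first nSLOC figure before running a dedicated tool, added here as an example (it is not code from this page or from Solidity Metrics). It follows the definition above literally, dropping comments, blank lines, and import statements; dedicated tools may normalize further, so their numbers can differ. The sample contract and function names are constructed for illustration.

```python
import re

# Constructed sample contract (not from the page) used to exercise the counter.
SAMPLE = '''\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "./IERC20.sol";
import {Ownable}
    from "./Ownable.sol";
/* Multi-line
   block comment */
contract Vault is Ownable {
    string public url = "https://example.invalid"; // "//" in a string is code
    IERC20 public token; /* inline */ uint256 public total;
    function deposit(uint256 amount) external {
        total += amount;   // trailing comment
    }
}
'''

def strip_comments(src):
    """Remove // and /* */ comments while leaving string literals intact."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src[i] in "\"'":                  # string literal: copy verbatim
            j = i + 1
            while j < n and src[j] != src[i]:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i):        # line comment: skip to end of line
            while i < n and src[i] != "\n":
                i += 1
        elif src.startswith("/*", i):        # block comment: keep its newlines
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        else:
            out.append(src[i])
            i += 1
    return "".join(out)

def count_nsloc(src):
    """Count lines left after removing comments, imports and blank lines."""
    code = strip_comments(src)
    code = re.sub(r"^[ \t]*import\b[^;]*;", "", code, flags=re.M)  # may span lines
    return sum(1 for line in code.splitlines() if line.strip())
```

On the sample, the file has 15 physical lines but only 8 count toward nSLOC, which is the gap between SLOC and nSLOC that the sizing discussion above relies on.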

© 2026 Zealynx