EEA EthTrust Security Audit Methodology
Release: Version 1.0
Document
Field | Description |
---|---|
Name | EEA EthTrust Security Audit Methodology |
Creators | Hacken OU |
Subject | EEA EthTrust; Ethereum security; smart‑contract assurance; code review; Bronze, Silver and Gold levels; compliance audit |
Description | A structured methodology for assessing smart contracts and Ethereum‑based systems in accordance with the Enterprise Ethereum Alliance (EEA) EthTrust Security Levels v2 specification. The process combines technical review, compliance verification, and remediation planning to determine and certify the achieved EthTrust Level (Bronze, Silver, or Gold). |
Author | Dmytro Yasmanovych, Compliance Services Lead, Hacken OU |
Date | Oct 15th 2025 |
Rights | Hacken OU |
Intro
Purpose of the document
This document describes Hacken’s methodology for conducting security reviews and audits aligned with the EEA EthTrust Security Levels v2 specification. It outlines our assessment approach, deliverables, and the certification process used to evaluate Ethereum‑based smart contracts and related components.
Why Hacken
Hacken combines deep experience in blockchain security auditing, smart‑contract engineering, and regulatory compliance. Our methodology ensures an independent, transparent, and repeatable process to determine a project’s EthTrust Level and guide clients through targeted remediation to achieve higher assurance tiers.
EthTrust in Brief
What is EEA EthTrust Specification
The Enterprise Ethereum Alliance's EthTrust Security Levels v2 specification defines requirements for evaluating the security, reliability, and maintainability of Ethereum smart contracts and related components.
It organizes controls into three ascending assurance levels:
Level | Focus | Typical Outcome |
---|---|---|
[S] Level | Basic code safety and compilation correctness | Baseline conformance for simple contracts |
[M] Level | Secure design, tested deployments, dependency integrity | Mature smart‑contract systems |
[Q] Level | Advanced assurance, governance, and continuous monitoring | Institutional‑grade ecosystems |
Each level inherits the requirements of all previous levels and adds stricter conditions in domains such as code analysis, key management, upgrade procedures, and ecosystem security.
Hacken’s EthTrust Audit Methodology
Hacken follows a five‑phase process that ensures consistency, transparency, and client readiness for certification.
1. Scoping & Readiness Assessment
We begin by defining the assessment scope, including smart contracts, interfaces, libraries, and deployment environments.
Objectives:
- Identify contract families, versions, and dependencies.
- Determine applicable EthTrust Level targets (Bronze, Silver, Gold).
- Collect architectural diagrams, deployment addresses, and test coverage.
Deliverable:
📄 Readiness Memo — scope summary, level target, and evidence checklist.
2. Initial Security Review (Audit Phase)
A comprehensive analysis of source code and related assets is performed against the EEA EthTrust v2 controls, grouped into:
- Code Safety & Correctness (compiler warnings, integer handling, gas usage)
- Security & Reliability (re‑entrancy, access control, DoS resilience)
- Governance & Upgrade Mechanisms
- Operational Security & Key Management
- Testing & Deployment Practices
- Ecosystem Dependencies
Verification methods include:
- Automated static code analysis (SCA) tooling: linting and Slither/MythX rule sets mapped to the corresponding EthTrust controls
- Manual review by auditors for complex logic and edge cases
- Documentation review of test reports and deployment procedures
Deliverable:
📄 Preliminary EthTrust Report stating the Level achieved and detailing non‑conformities mapped to specific requirements.
3. Remediation Phase
Clients may choose to remediate identified issues to pursue a higher EthTrust Level.
- Hacken provides a Remediation Plan with actionable recommendations prioritized by risk and complexity.
- The client has 20 business days to implement the changes and submit updated evidence.
- If remediation requires more than 20 days, Hacken reserves the right to apply additional charges for a Follow‑Up Check.
Deliverable:
📄 Remediation Plan & Guidance Report
4. Follow‑Up Check
Upon submission of remediated evidence, Hacken performs a focused validation:
- Confirm fixes address all non‑conformities.
- Re‑run automated and manual tests where applicable.
- Update compliance matrix to reflect the new status.
Deliverable:
📄 Follow‑Up Report summarizing resolved and outstanding items and updated EthTrust Level eligibility.
5. Final Certification & Reporting
Based on the latest validated results, Hacken issues a formal certification package:
- Final EthTrust Security Audit Report (technical and management sections)
- Certificate of EthTrust Compliance stating the achieved Level (Bronze, Silver, or Gold)
- Verification Hash / On‑chain Record (optional)
If the client opts not to perform remediation, the certificate is issued immediately based on initial results.
Optional Complementary Services
To enhance overall ecosystem security, Hacken may offer the following add‑on services through independent technical teams, ensuring no conflict of interest with the EthTrust audit:
- Web3 Penetration Testing of associated dApps and infrastructure
- Smart Contract Formal Verification
- Secure Deployment and Key Custody Advisory
- Post‑deployment Monitoring and Alerting
These services are optional and conducted under separate engagement agreements.
Deliverables Summary
Stage | Deliverable |
---|---|
Scoping & Readiness | Readiness Memo |
Initial Audit | Preliminary EthTrust Report (Level Achieved) |
Remediation | Remediation Plan |
Follow‑Up | Follow‑Up Report |
Certification | Final Audit Report & Certificate |
Optional Add‑ons | Formal Verification, Penetration Testing, Monitoring (Separate Team) |
Conclusion
The Hacken EEA EthTrust Security Audit Methodology provides a structured, transparent, and independent pathway for smart‑contract projects to demonstrate compliance with the Enterprise Ethereum Alliance’s EthTrust Security Levels v2.
By combining technical rigor with actionable remediation guidance, we enable clients to earn trusted certification that reflects real security maturity and industry best practice.
For onboarding, please fill in the Hacken Compliance Services Form.