In the crypto industry, the word is most often shorthand for a smart contract audit: a specialized code review in which security researchers examine a protocol's source code before it goes live, hunting for bugs, dangerous design choices, and logic flaws that an attacker could exploit to drain funds. Unlike a financial audit, this checks software, not accounting records, though the same principle of independent verification applies.
A typical audit combines automated tools such as static analyzers and fuzzers, which generate random inputs to try to break a contract's assumptions, with a manual line-by-line review by experienced engineers. Firms like CertiK, Trail of Bits, and OpenZeppelin publish a report ranking each finding by severity, from critical to informational, along with suggested fixes. High-value protocols sometimes add formal verification, mathematically proving a property holds for every possible input rather than just the ones tested.
Crypto exchanges also commission audits of a different kind: proof of reserves attestations, where an accounting firm compares an exchange's on-chain holdings against customer balances, often using a Merkle tree so users can verify their own balance was included. These became common after the FTX collapse in 2022, though critics note they typically confirm assets held, not liabilities owed, so they cannot prove solvency on their own.
An audit is not a guarantee. Passing one reduces risk but does not certify a project is free of bugs or bad intentions; code can change after the report, and a clean audit has not stopped every later rugpull. It is one input for due diligence, not a substitute for it.