When a Web3 company reaches Series A and starts thinking seriously about compliance, the natural move is to bring in an IT audit firm. What comes back is a checklist: patch management, Active Directory review, antivirus coverage, network segmentation, backup policy verification, incident response plan. Forty-seven items. Thorough. Professionally delivered. And containing exactly zero checks that would have prevented a validator slashing event, detected a compromised signing key, or identified the client diversity risk that exposed validators running a majority client to correlated failures when a consensus client bug shipped.
The gap is not a failure of competence. It is a failure of domain match. IT audit frameworks were built for enterprise environments where the threat model centers on data confidentiality, system availability, and regulatory compliance. Web3 infrastructure has a different threat model: cryptographic key security with no recovery path, consensus-layer attack surfaces that have no equivalent in traditional IT, and financial penalties (slashing, jailing, stake loss) that are irreversible and execute automatically by protocol without human intervention.
This is the web3 infrastructure audit checklist that fills that gap. Nine checks, each specific enough to be acted on, each with the evidence that a qualified auditor should request.
The Gap Between IT Audit and Web3 Infrastructure Audit
A ransomware event at a traditional company is catastrophic, but it is recoverable. Backups can be restored. Systems can be rebuilt. Insurance can pay out. The financial damage is bounded by what the attacker can extract and what the business can withstand during downtime.
A slashing event on a validator with 50,000 ETH in delegated stake executes in a single transaction, is irreversible on-chain, and triggers in seconds. A signing key that gets exfiltrated does not just enable unauthorized access to a system, it enables the attacker to sign transactions that drain funds permanently. The on-chain environment removes every recovery mechanism that traditional IT security assumes will be available.
This changes what an audit should look for. The priority in Web3 infrastructure is not whether systems are patched and segmented (those things matter, but they are hygiene, not the critical path). The critical path is whether the cryptographic and consensus-layer controls are correctly configured, monitored, and tested. That is what IT audit frameworks, even good ones, are not built to assess. OpenZeppelin’s infrastructure security research covers the operational attack surface in depth, and it is consistently where teams have the thinnest controls.
The 9 Web3 Infrastructure Audit Checks
1. Signing Key Custody and HSM Posture
What is audited: Whether validator signing keys are held in hardware security modules (HSMs) or remote signing infrastructure, and whether key management policies are documented and practiced.
Evidence requested: HSM model and firmware version, remote signing configuration (Web3Signer, Dirk, or Horcrux), key rotation policy document, attestation logs showing last rotation, access control records showing who can authorize key operations.
Why IT guides miss it: IT audit covers password policies, SSH key rotation, and certificate management. Validator signing keys are a different category: they are cryptographic credentials where compromise is undetected until the attacker uses them, and use means irreversible stake loss.
Risk if it fails: A signing key stored on a hot server, in a software keystore with weak access controls, or backed up to cloud storage in an unencrypted format can be exfiltrated without detection. The attacker does not need to announce themselves. They can wait for the optimal moment to sign malicious transactions.
Re-audit frequency: Every 6 months, and after any personnel change with key access.
2. Slashing Protection Mechanism
What is audited: The presence and correct configuration of slashing protection databases, doppelganger detection, and dual-instance prevention controls.
Evidence requested: Slashing protection database file (Lighthouse, Prysm, or Teku format), doppelganger detection configuration, documented runbook for migrating a validator between nodes without creating a dual-sign window, last restore drill log.
Why IT guides miss it: There is no equivalent in traditional IT. The slashing protection database tracks every signed message to prevent a validator from signing two conflicting messages, a condition the Ethereum and Cosmos protocols punish immediately and permanently. IT frameworks have no concept of this.
Risk if it fails: The most common failure mode is double-signing. On Ethereum it costs a significant percentage of staked ETH plus forced exit. On Cosmos it triggers immediate jailing and a 5% slash. Both are irreversible. This is not theoretical. It has happened to well-resourced teams during node migrations where the protection database was not transferred correctly. See our breakdown of validator slashing risks and prevention.
Re-audit frequency: Every 6 months, and before any validator migration or infrastructure change.
3. Consensus Client Diversity
What is audited: The distribution of consensus and execution clients across the validator set, and whether the team has a written policy governing client selection.
Evidence requested: Inventory of all validators with their client software and version, percentage breakdown by client, written policy stating the rationale for client selection, record of any client diversity assessment.
Why IT guides miss it: IT vendor diversity means not depending on a single software vendor for critical systems. Client diversity in Ethereum means something more specific: if a single consensus client holds more than 33% of the network’s stake, a critical bug in that client can trigger correlated failures across all validators running it. Ethereum’s documentation on client diversity explains the supermajority risk in detail. IT frameworks have no equivalent concept.
Risk if it fails: A validator set running 100% Prysm or 100% Geth is exposed to any bug that affects that client. The Ethereum network experienced finality incidents in May 2023 caused by client-specific bugs, and validator operators running a single dominant client saw degraded performance that operators with diverse client mixes did not.
Re-audit frequency: Annually, or after any major protocol upgrade.
4. Sentry Node Architecture and Peer Hygiene
What is audited: Whether validator nodes are protected by sentry architecture, whether they are directly reachable from the public internet, and whether peer configuration is documented and maintained.
Evidence requested: Network topology diagram showing sentry node placement, p2p configuration file, list of persistent peers with origin documentation, peer churn rate over the last 30 days, firewall rules showing validator node ingress restrictions.
Why IT guides miss it: IT network audits check firewall rules, VPN configuration, and network segmentation. They do not assess the P2P gossip topology specific to blockchain consensus protocols. A validator node that is directly reachable from the public internet is exposed to targeted DDoS attacks that isolate it from the network, causing missed proposals and attestations. The Cosmos validator documentation treats sentry architecture as standard for production operators.
Risk if it fails: A validator without sentry protection can be isolated from the network through targeted traffic flooding. The validator continues running, signing nothing, accumulating missed blocks and, depending on the chain, eventually getting jailed for prolonged inactivity.
Re-audit frequency: Every 6 months.
5. RPC Endpoint Hardening and Rate Limiting
What is audited: Whether public RPC endpoints (if operated) are rate-limited by method, whether dangerous methods are disabled or restricted, and whether abuse is observable.
Evidence requested: Nginx or Envoy configuration showing rate limit rules per endpoint, list of disabled or restricted JSON-RPC methods (debug_*, trace_*, eth_call with no gas cap), access logs showing rate limit triggers, observability dashboards for RPC abuse patterns.
Why IT guides miss it: IT rate limiting means generic API throttling. RPC rate limiting for Ethereum nodes means specifically restricting methods like eth_call without a gas cap (which can be used to perform computationally expensive calls at the caller’s expense but the node’s cost), debug_traceTransaction (which deserializes entire blocks), and eth_getLogs with unbounded ranges. These are Ethereum-specific attack vectors with no IT equivalent.
Risk if it fails: An unprotected public RPC endpoint can be used to overload the underlying node, degrading performance for the validator process running on the same infrastructure. Sensitive endpoint exposure can also leak information about the validator’s internal state.
Re-audit frequency: Annually, and after any RPC exposure change.
6. Time Synchronization and Clock Drift Monitoring
What is audited: NTP source configuration, active monitoring of clock drift, and alerting when drift exceeds the consensus-safe threshold.
Evidence requested: Chrony or NTP configuration file showing time sources, drift log for the past 30 days, alert rule configuration showing threshold (recommended: alert at drift > 100ms), evidence of alert having fired at least once in testing.
Why IT guides miss it: IT audits verify that NTP is configured. They do not verify that drift is actively monitored or that alerts fire before drift reaches a consensus-critical level. Blockchain consensus protocols are time-sensitive in ways traditional IT systems are not. A validator with 2 seconds of clock drift on certain Cosmos chains will miss attestation windows. As covered in our chaos engineering experiments for blockchain, clock skew is one of the failure modes that requires active detection rather than passive configuration.
Risk if it fails: Attestation invalidation, missed proposals, and on chains that penalize timing violations directly, potential slashing.
Re-audit frequency: Every 6 months.
7. Backup Verification: Restore Drills, Not Backup Existence
What is audited: Whether backups have been tested through a documented restore drill in the past 30 days, not merely whether backups exist.
Evidence requested: Restore drill log with timestamp, operator who executed it, what was restored, time to restore, and outcome. Not a backup system configuration screenshot. Not a policy document. A drill log.
Why IT guides miss it: Most IT audits verify that backups exist but rarely verify that they actually restore to a working state. For Web3 infrastructure, this distinction is critical: a validator state database backup that fails to restore under incident conditions is no backup at all, and the first time you discover it fails should not be during an actual outage.
Risk if it fails: During an incident, the team attempts to restore from backup, discovers the restore process is broken or the backup is corrupted, and has no recovery path. Every hour of extended downtime during a validator incident accumulates missed blocks and potentially reaches jailing thresholds.
Re-audit frequency: Monthly restore drills. Audit verification every 6 months.
8. Supply Chain Integrity: Binary and Dependency Verification
What is audited: Whether blockchain client binaries are verified against official checksums or signatures before deployment, whether dependencies are pinned, and whether the team has a Software Bill of Materials (SBOM).
Evidence requested: Binary verification script or CI step showing checksum verification against official releases, dependency lock files committed to version control, SBOM document, Cosign or Sigstore verification configuration where available.
Why IT guides miss it: IT patch management means applying vendor-approved updates through managed channels. Supply chain verification for blockchain clients means specifically verifying that the Geth, Lighthouse, or Prysm binary deployed to a production validator matches the officially signed release, not a binary downloaded from an unofficial mirror, modified in transit, or substituted by a compromised build pipeline. The xz-utils backdoor of 2024 demonstrated that sophisticated supply chain attacks can pass through normal update processes undetected. The SLSA framework and signing infrastructure like Sigstore provide the technical standards against which binary verification should be assessed.
Risk if it fails: A compromised validator client binary could exfiltrate signing keys, sign malicious transactions, or create covert channels without triggering any behavioral alert. This is the attack vector with the highest severity and the lowest detection probability if supply chain controls are absent.
Re-audit frequency: Every release cycle, and as part of incident response if a supply chain compromise is suspected.
9. Incident Response with On-Chain Coordination
What is audited: Whether the incident response plan includes on-chain-specific procedures: pause authority, multisig coordination, delegator communication, and freeze operations runbook.
Evidence requested: Written IR plan document with on-chain section, current multisig signer list with contact information, documented pause authority (who can initiate validator stop and how), record of last tabletop drill including on-chain scenario, delegator communication template.
Why IT guides miss it: NIST CSF and ISO 27001 IR frameworks cover identification, containment, eradication, recovery, and lessons learned. They do not cover the on-chain dimension: notifying delegators whose funds are at risk, coordinating with multisig holders across time zones to execute an emergency pause, or the decision framework for when to voluntarily jail a validator versus attempting to recover it while live. For EigenLayer AVS operators, this also includes AVS pause authority and coordination with protocol teams, covered in our EigenLayer AVS setup guide.
Risk if it fails: During an active incident, the team improvises. Improvised decisions under pressure in an on-chain environment with irreversible consequences produce worse outcomes than pre-planned responses. Every minute of uncoordinated response during a live slashing event or key compromise increases the financial and reputational damage.
Re-audit frequency: Annually, and after any significant infrastructure or personnel change.
What a Good Web3 Infrastructure Audit Deliverable Looks Like
A useful web3 infrastructure audit does not deliver a 200-page PDF. It delivers three things: a priority-ranked findings list that distinguishes between what needs to be fixed this week versus this quarter, evidence-backed findings that show the specific gap rather than asserting its existence, and runbooks for the highest-severity items so that remediation is actionable immediately.
The audit should distinguish clearly between findings that represent immediate risk to staked assets (signing key custody gaps, missing slashing protection), findings that represent architectural debt (no sentry topology, no client diversity policy), and findings that represent process maturity gaps (no restore drills, no tabletop IR drill). The first category requires immediate action. The second and third can be roadmapped. Conflating them in a single prioritized list produces paralysis.
An audit that concludes with “implement best practices for your key management” has not audited anything. The finding should read: “Signing keys for validators X, Y, and Z are stored in software keystores on hot servers accessible via SSH to 4 engineers. No HSM or remote signing infrastructure is in place. Key rotation has not occurred in 14 months. Recommended remediation: deploy Web3Signer with HSM integration before next validator migration.”
Conclusion
If any of the 9 checks in this guide prompted the thought “we don’t have evidence for that one”, that is the conversation worth having before an incident makes it urgent.
The Good Shell runs a focused web3 infrastructure audit designed specifically for validator operators, RPC providers, and DeFi protocols with production backend operations. The engagement is structured to be completed in 7 days, produces a priority-ranked findings report with remediation runbooks, and is scoped to the operational layer (not smart contracts, not generic IT compliance).
If this is the right moment to have that conversation, a 30-minute discovery call is the place to start: book a call here.
FAQ: Web3 Infrastructure Audit
How is a Web3 infrastructure audit different from a smart contract audit?
A smart contract audit reviews the code deployed on-chain for logic errors, reentrancy vulnerabilities, and economic attack vectors. A web3 infrastructure audit reviews the operational layer running that code, the validator nodes, signing infrastructure, network topology, key management, and incident response processes. Both matter. Most teams have commissioned smart contract audits and never commissioned an infrastructure audit. The infrastructure layer is where signing key compromises, slashing events from misconfigured failover, and supply chain attacks originate.
How often should a Web3 team re-audit?
The minimum is annually for a comprehensive web3 infrastructure audit. Higher-risk operations: large delegated stake, multiple AVSs, public RPC infrastructure, should audit every 6 months. Specific checks (restore drills, binary verification) should run on shorter cycles as operational practices, not just audit events.
What evidence does a Web3 audit actually require?
Evidence means artifacts, not assertions. Not “we have a key rotation policy” but the policy document with a last-updated date. Not “we run backups” but a restore drill log from the past 30 days. Not “our validators use diverse clients” but an inventory spreadsheet with client software and version per validator. An auditor who accepts verbal confirmation is not auditing, they are interviewing.
We already passed a SOC 2 Type II audit. Does that cover this?
SOC 2 covers the controls relevant to service organization trust principles: security, availability, processing integrity, confidentiality, and privacy. It does not assess validator signing key custody, slashing protection configuration, consensus client diversity, or any of the other Web3-specific controls in this checklist. SOC 2 compliance and Web3 infrastructure audit readiness are non-overlapping domains.
Related Articles
- → Cosmos Validator Slashing: How to Prevent It and Recover Fast
- → EigenLayer AVS Setup: 7 Proven Production Steps
- → Chaos Engineering Kubernetes for Blockchain: 6 Proven Production Experiments
- → Kubernetes Security Best Practices: The Essential Hardening Guide
- → Blockchain Node Monitoring: Complete Guide