Our smart contract auditors thoroughly review your contract’s code to ensure top-tier security, flawless operation, and full compliance with industry standards. This involves examining logic, functions, and dependencies to guarantee safety and reliability and prevent issues from developer errors, potential vulnerabilities, and external threats.
EVM
Solana
Stacks
Ton
Fuel
Aptos
Cosmos
Sei
EVM-based blockchains, like Ethereum, use the Ethereum Virtual Machine to run smart contracts. These are Turing-complete, meaning they can handle any computable task, and use a stack-based system. Developers often write contracts in Solidity, which gets turned into bytecode for execution. The consensus can be proof-of-work or proof-of-stake, depending on blockchain.
Security risks include reentrancy attacks, where a contract gets called repeatedly before finishing, and integer overflow/underflow, causing calculation errors. Front-running lets attackers manipulate transaction order, and phishing targets users. Smart contract codes may have access control issues, so audits are crucial.
We have audited EVM-based Layer 1 chains and protocols, including the U2U Network, Perp DEX Electra, and Bitperps.
Solana is known for its speed, handling up to 65,000 transactions per second. It uses proof-of-stake with Proof of History (PoH) for ordering and Tower BFT for consensus. Smart contracts are written in Rust, part of the Solana Program Library, ideal for real-time apps.
Security concerns include centralization risks, with a relatively small validator node count, potentially a single point of failure. Smart contracts, written in Rust via Solana Program Library (SPL), may have language-specific vulnerabilities like integer overflow, division by zero, and account confusion. Network congestion during high traffic, as seen in past outages, and potential 51% attacks, mitigated by PoS, require robust node distribution for security.
Our extensive security expertise in the Rust language, combined with collaborations with Soex, Stargate, and Bitget Solana Swap, has honed our ability to vigilantly safeguard the ecosystem.
Stacks extend Bitcoin with smart contracts, using proof-of-transfer where miners lock Bitcoin to mine Stacks blocks. It uses Clarity, a safe and auditable language, with the state settled on Bitcoin for security.
Risks include reliance on Bitcoin’s stability, with potential vulnerabilities in Clarity code, such as authentication flaws, improper use of verifiable random functions (VRF), and reliance on Bitcoin block timestamps for time-sensitive logic. The proof-of-transfer mechanism may face issues like insufficient miner incentives or coordinated attacks, requiring careful monitoring and robust incentive structures for security.
We have identified a critical vulnerability in the Stacks consensus mechanism, earning us recognition as one of the few selected Stacks Orange Hats security firms. We now provide long-term security consultancy for protocols such as BSD-Money and DCAHQ.
Ton is a scalable blockchain with proof-of-stake, using sharding for multiple chains. Smart contracts are in FunC, similar to C, with Toncoin for fees and staking.
Ton’s sharding architecture introduces complexity, increasing the risk of cross-shard attacks that can lead to state inconsistencies. FunC code is susceptible to security flaws, such as transaction ordering dependencies, improper storage management, unchecked return values, and timestamp dependency, necessitating thorough testing and secure coding practices, especially given its Telegram integration, which may expand the attack surface.
Our team has a solid foundation on Func programming language and has provided audits for protocols such as Tonark and Bitget Red Envelope.
Fuel Network is a layer-2 for Ethereum, using optimistic rollups for efficiency, with FuelVM supporting Solidity for smart contracts. It offers lower fees and faster transactions.
Security risks include bridge vulnerabilities, common in layer-2 solutions, and Sway-specific smart contract issues such as reverted transaction manipulation, improper state management, access control flaws, and gas limit vulnerabilities. Fraud proofs must be robust to prevent exploitation, and the security council’s multisig management poses a risk if compromised, necessitating thorough testing and enhanced security protocols.
We are the first security firm to open-source Fuel-related security best practices, identify a critical vulnerability in the Fuelet wallet, and win the Fluid audit competition.
Aptos is a layer-1 blockchain leveraging a proof-of-stake consensus mechanism, with a strong emphasis on resource management to mitigate denial-of-service (DoS) attacks. Its smart contracts are developed using Move, a language engineered for safety and auditability, featuring a resource-oriented type system and formal verification support.
However, Aptos encounters potential security challenges with Move code, including improper access control that may allow unauthorized actions, incorrect usage of abilities (e.g., copy, drop, store) leading to resource misuse, unbounded execution risks from unmonitored iterations causing gas exhaustion, and timestamp dependency vulnerabilities exploitable through manipulable block timestamps.
Additionally, a small validator set poses centralization risks, underscoring the need for broad node distribution and comprehensive security audits to bolster network resilience.
We are the first security firm to identify a critical bug in the Aptos MoveVM, earning a bug bounty for our discovery.
Cosmos is a network of interoperable blockchains, using proof-of-stake, with the Cosmos Hub using Tendermint consensus. Smart contracts often use CosmWasm, with IBC for cross-chain communication.
Security varies across zones, with the Inter-Blockchain Communication (IBC) protocol potentially susceptible to cross-chain attacks that could compromise data integrity. CosmWasm code is prone to flaws such as improper input validation, reentrancy attacks, access control issues, and gas exhaustion risks, necessitating rigorous testing and secure coding practices. Furthermore, small validator sets could lead to centralized control, highlighting the importance of diverse node participation to maintain network decentralization and resilience.
We have identified multiple critical bugs in Cosmos-based Layer 1 chains such as Sei network and have provided security services to numerous protocols.
SEI Network, focused on gaming, is a layer-1 built on Cosmos SDK, using proof-of-stake. It’s optimized for high performance and low latency, using CosmWasm for smart contracts.
As a relatively new blockchain, SEI faces potential vulnerabilities, inheriting Cosmos risks such as IBC-related issues that could lead to cross-chain exploits. Its custom gaming features introduce specific challenges, including insufficient input validation and resource exhaustion risks under high-frequency traffic, necessitating thorough security audits and robust testing to ensure network stability.
We have identified two critical vulnerabilities in the Sei network, affecting both their Consensus mechanism and exposing them to Denial-of-Service (DoS) attacks. As a result, we are now proud to serve as their long-term security partner.
AsyncFinance
FILX Token
Morph
BitGenie
Meta
TonArk
BulbaSwap
Soex
U2U
OORT
OKX
Tabi
Bitget
Fluid Protocol
In preparation for the expert audit, we will conduct a comprehensive security scan of the code utilizing static code analysis technology,complemented by symbolic execution and AI. This process involves a thorough review and analysis of the contract code to identify potential vulnerabilities and security risks without the need for execution. Our proprietary static code analysis techniques allow us to pinpoint issues such as uninitialized variables, access control vulnerabilities, and business logic errors. This proactive approach enables the quick identification and resolution of potential risks.
Fuzzing is an automated testing technique where we input a wide variety of random or specially crafted data into a contract to identify unexpected behaviors or vulnerabilities under different inputs. We specialize in fuzzing and have worked on various fuzzing strategies for different environments. For example, we have developed differential fuzzers for Solidity-based contracts, focusing on transaction scenarios to uncover critical denial of service issues. Our fuzzing efforts are aimed at ensuring contract robustness against unexpected inputs and behaviors, which can significantly enhance the security of the contract. Fuzzing can reveal hidden vulnerabilities that might not be found through other testing methods.
Formal verification employs rigorous mathematical methods and tools to ensure that a smart contract’s behavior conforms to its intended specification. This technique is particularly useful for high-security contracts, such as those involved in finance or user fund management. By using formal verification, we can mathematically prove that a contract behaves as expected under all possible conditions, preventing unexpected behavior or vulnerabilities. It provides a higher level of assurance that a contract is free from subtle bugs that might otherwise remain undetected through traditional testing methods. Formal verification is a powerful tool to guarantee that contracts meet their security and correctness requirements before deployment.
Our team offers comprehensive auditing services, leveraging deep expertise across a diverse range of blockchain ecosystems, including Cosmos, Near, and BTC L2. Comprised of seasoned, top-tier auditors and numerous world-class security specialists with proven track records, our collective experience is underscored by over $1 million USD in cumulative bug bounties. Our rigorous, multi-stage audit process includes an in-depth preliminary analysis, collaborative cross-audits conducted by independent experts, and a meticulous post-fix review to ensure the comprehensive security hardening of every project we assess.
Real-time monitoring is essential for identifying and responding to potential security threats after the contract is deployed. We offer dynamic security monitoring services that ensure the contract remains secure throughout its lifecycle. Our monitoring system continuously tracks all transactions and interactions with the contract, detecting abnormal behavior or suspicious activities, such as large transfers or frequent contract calls. This allows for immediate response to any potential threats, minimizing the risk of exploitation. We currently provide real-time security monitoring for contracts deployed on the Ethereum and Binance Smart Chain (BSC) networks, helping to ensure that projects can respond quickly to any emerging security issues.
We discuss your project’s business logic, security needs, and objectives to tailor the audit accordingly.
We provide a detailed quote with the expected timeline, cost, and payment terms for the audit.
We begin the audit by analyzing your code and protocols, keeping you updated throughout the process.
We provide a comprehensive report with findings and fix recommendations.
We offer ongoing support after deployment to address any issues and ensure the system’s continued security.
We focus on cyber Security and Threat Detection and Response, and provide industry-leading Cyber Security Solutions, which can completely cover all cyber security requirements of all kinds application scenarios.
