
Smart Contract Security Services

Our smart contract auditors thoroughly review your contract’s code to ensure top-tier security, flawless operation, and full compliance with industry standards. This involves examining logic, functions, and dependencies to guarantee safety and reliability and prevent issues from developer errors, potential vulnerabilities, and external threats.

Our Security Solutions Ecosystem

- EVM
- Solana
- Stacks
- Ton
- Fuel
- Aptos
- Cosmos
- Sei

EVM-based Blockchains

EVM-based blockchains, like Ethereum, use the Ethereum Virtual Machine to run smart contracts. The EVM is Turing-complete, meaning it can handle any computable task, and is stack-based. Developers often write contracts in Solidity, which is compiled into bytecode for execution. The consensus mechanism can be proof-of-work or proof-of-stake, depending on the blockchain.

Security risks include reentrancy attacks, where a contract is called back into repeatedly before its previous invocation has finished, and integer overflow/underflow, causing calculation errors. Front-running lets attackers manipulate transaction order, and phishing targets users. Smart contract code may also have access control issues, so audits are crucial.

We have audited EVM-based Layer 1 chains and protocols, including the U2U Network, Perp DEX Electra, and Bitperps.

Solana

Solana is known for its speed, handling up to 65,000 transactions per second. It uses proof-of-stake with Proof of History (PoH) for ordering and Tower BFT for consensus. Smart contracts (programs) are written in Rust, with common building blocks provided by the Solana Program Library, making it well suited to real-time apps.

Security concerns include centralization risk: a relatively small validator node count can become a single point of failure. Programs written in Rust via the Solana Program Library (SPL) may have language- and platform-specific vulnerabilities such as integer overflow, division by zero, and account confusion. Network congestion during high traffic, as seen in past outages, and potential 51% attacks, mitigated by PoS, require robust node distribution for security.

Our extensive security expertise in the Rust language, combined with collaborations with Soex, Stargate, and Bitget Solana Swap, has honed our ability to vigilantly safeguard the ecosystem.

Stacks

Stacks extends Bitcoin with smart contracts, using proof-of-transfer, where miners lock Bitcoin to mine Stacks blocks. It uses Clarity, a safe and auditable language, with state settled on Bitcoin for security.

Risks include reliance on Bitcoin's stability, along with potential vulnerabilities in Clarity code such as authentication flaws, improper use of verifiable random functions (VRF), and reliance on Bitcoin block timestamps for time-sensitive logic. The proof-of-transfer mechanism may face issues such as insufficient miner incentives or coordinated attacks, requiring careful monitoring and robust incentive structures.

We have identified a critical vulnerability in the Stacks consensus mechanism, earning us recognition as one of the few selected Stacks Orange Hats security firms. We now provide long-term security consultancy for protocols such as BSD-Money and DCAHQ.

Ton (The Open Network)

Ton is a scalable proof-of-stake blockchain that uses sharding to run multiple chains. Smart contracts are written in FunC, a C-like language, with Toncoin used for fees and staking.

Ton’s sharding architecture introduces complexity, increasing the risk of cross-shard attacks that can lead to state inconsistencies. FunC code is susceptible to security flaws, such as transaction ordering dependencies, improper storage management, unchecked return values, and timestamp dependency, necessitating thorough testing and secure coding practices, especially given its Telegram integration, which may expand the attack surface.

Our team has a solid foundation in the FunC programming language and has provided audits for protocols such as Tonark and Bitget Red Envelope.

Fuel Network

Fuel Network is a layer-2 for Ethereum that uses optimistic rollups for efficiency, with the FuelVM supporting Solidity for smart contracts. It offers lower fees and faster transactions.

Security risks include bridge vulnerabilities, common in layer-2 solutions, and Sway-specific smart contract issues such as reverted-transaction manipulation, improper state management, access control flaws, and gas limit vulnerabilities. Fraud proofs must be robust to prevent exploitation, and the security council's multisig poses a risk if compromised, necessitating thorough testing and enhanced security protocols.

We are the first security firm to open-source Fuel-related security best practices, identify a critical vulnerability in the Fuelet wallet, and win the Fluid audit competition.

Aptos

Aptos is a layer-1 blockchain leveraging a proof-of-stake consensus mechanism, with a strong emphasis on resource management to mitigate denial-of-service (DoS) attacks. Its smart contracts are developed using Move, a language engineered for safety and auditability, featuring a resource-oriented type system and formal verification support.

However, Aptos faces potential security challenges in Move code, including improper access control that may allow unauthorized actions; incorrect use of abilities (e.g., copy, drop, store), leading to resource misuse; unbounded execution from unmonitored iteration, causing gas exhaustion; and timestamp dependency, exploitable through manipulable block timestamps.

Additionally, a small validator set poses centralization risks, underscoring the need for broad node distribution and comprehensive security audits to bolster network resilience.

We are the first security firm to identify a critical bug in the Aptos MoveVM, earning a bug bounty for our discovery.

Cosmos

Cosmos is a network of interoperable proof-of-stake blockchains, with the Cosmos Hub using Tendermint consensus. Smart contracts are often written with CosmWasm, and IBC provides cross-chain communication.

Security varies across zones, with the Inter-Blockchain Communication (IBC) protocol potentially susceptible to cross-chain attacks that could compromise data integrity. CosmWasm code is prone to flaws such as improper input validation, reentrancy attacks, access control issues, and gas exhaustion risks, necessitating rigorous testing and secure coding practices. Furthermore, small validator sets could lead to centralized control, highlighting the importance of diverse node participation to maintain network decentralization and resilience.

We have identified multiple critical bugs in Cosmos-based Layer 1 chains such as Sei network and have provided security services to numerous protocols.

SEI Network

SEI Network, focused on gaming, is a layer-1 built on the Cosmos SDK using proof-of-stake. It is optimized for high performance and low latency, and uses CosmWasm for smart contracts.

As a relatively new blockchain, SEI faces potential vulnerabilities, inheriting Cosmos risks such as IBC-related issues that could lead to cross-chain exploits. Its custom gaming features introduce specific challenges, including insufficient input validation and resource exhaustion risks under high-frequency traffic, necessitating thorough security audits and robust testing to ensure network stability.

We have identified two critical vulnerabilities in the Sei network, one affecting its consensus mechanism and one exposing it to Denial-of-Service (DoS) attacks. As a result, we are now proud to serve as their long-term security partner.

Portfolio Overview

- AsyncFinance
- FILX Token
- LetsPump
- Morph
- PayProtocol
- BitGenie
- DIDO
- red_envelope
- Meta
- Bitlen
- TonArk
- BulbaSwap
- Soex
- U2U
- OORT
- BSD-money
- OKX
- Tesa
- Tabi
- DCAHQ
- Bitget
- Fluid Protocol

Our Security Solutions

Our Audit Process

Initial Consultation

We discuss your project’s business logic, security needs, and objectives to tailor the audit accordingly.

Quote

We provide a detailed quote with the expected timeline, cost, and payment terms for the audit.

Kickoff

We begin the audit by analyzing your code and protocols, keeping you updated throughout the process.

Report Delivery

We provide a comprehensive report with findings and fix recommendations.

Post-deployment Support

We offer ongoing support after deployment to address any issues and ensure the system's continued security.

Protect your project
$89.09B+ On-chain TVL secured
$8.34B+ Vulnerabilities patched