Audit Application Form
Let's talk
Blockchain Security & Smart Contract Audit
Identifying technical and economical vulnerabilities, and preventing exploits in decentralized projects.
Customers
The protocols we specialize in
EVM Compatible Blockchains
Substrate
Polkadot
What we offer:
Private Security Audit
Projects with stable quality code and detailed documentation
Interim audit
Вug Fixing
Re-audit
Final audit (Deployment verification)
Issuing a Public Report
Вug Fixing
Re-audit
Final audit (Deployment verification)
Issuing a Public Report
Comprehensive code check
Issuing an Official Public Report
Issuing an Official Public Report
Who for:
Flow:
3
✓
✓
5
4
•
2
1
Pre-Audit (Code review)
Projects with incomplete code under development
Projects without complete documentation, tests, etc.
Projects without complete documentation, tests, etc.
Interim audit with the list of recommendations on code assurance
Base code check
List of recommendations on code assurance and to-do list for the following comprehensive audit
List of recommendations on code assurance and to-do list for the following comprehensive audit
Who for:
Flow:
✓
✓
•
1
•
Security Audit Subscription
Projects with a large volume of the constantly updated code base
Projects that need the continuous support of an allocated team
Projects that need the continuous support of an allocated team
Standard Security Audit +
Additional services:
Deployment scripts verification
Existed tests verification
Preparing additional tests for specific scenarios
Verification of the deployed contracts (e.g. all initialization parameters check, check of the migration to another implementation of upgradeable contract, etc.)
Monitoring system design and implementation
Preparation of bots according to monitoring system design
Validation of the financial model of the project and assessment of possible risks
Delivering additional security research tasks from the customer aimed at increasing overall system security, availability and decentralization
Additional services:
Deployment scripts verification
Existed tests verification
Preparing additional tests for specific scenarios
Verification of the deployed contracts (e.g. all initialization parameters check, check of the migration to another implementation of upgradeable contract, etc.)
Monitoring system design and implementation
Preparation of bots according to monitoring system design
Validation of the financial model of the project and assessment of possible risks
Delivering additional security research tasks from the customer aimed at increasing overall system security, availability and decentralization
Who for:
Flow:
2
•
1
•
4
3
5
7
6
8
9
Security Audit Methodology
A group of security engineers are involved in working on the audit. The security engineers check the provided source code independently of each other in accordance with the methodology described below:
- Project documentation review.
- General code review.
- Reverse research and study of the project architecture based on the source code alone.
- Build an independent view of the project's architecture.
- Identify logical flaws.
- Manual code check for the vulnerabilities listed on the Contractor's internal checklist. The Contractor's checklist is constantly updated based on the analysis of hacks, research, and audit of the clients' codes.
- Code check with the use of static analyzers (i.e., Slither, Mythril, etc.).
Eliminate typical vulnerabilities (e.g., reentrancy, gas limit, flash loan attacks, etc.).
- Detailed study of the project documentation.
- Examination of contracts tests.
- Examination of comments in the code.
- Comparison of the desired model obtained during the study with the reversed view obtained during the blind audit.
- Exploits PoC development with the use of such programs as Brownie and Hardhat.
Detect inconsistencies with the desired model.
- Cross-check: each auditor reviews the reports of the others.
- Discussion of the issues found by the auditors.
- Issuance of an interim audit report.
- Double-check all the found issues to make sure they are relevant and the determined threat level is correct.
- Provide the Customer with an interim report.
- The Customer either fixes the issues or provides comments on the issues found by the auditors. Feedback from the Customer must be received on every issue/bug so that the Contractor can assign them a status (either "fixed" or "acknowledged").
- Upon completion of bug fixing, the auditors double-check each fix and assign it a specific status, providing a proof link to the fix.
- A re-audited report is issued.
- Verify the fixed code version with all the recommendations and its statuses.
- Provide the Customer with a re-audited report.
- The Customer deploys the re-audited source code on the mainnet.
- The Contractor verifies the deployed code with the re-audited version and checks them for compliance.
- If the versions of the code match, the Contractor issues a public audit report.
- Conduct the final check of the code deployed on the mainnet.
- Provide the Customer with a public audit report.
FAQ
The report describes all types of logical errors, inconsistencies, and vulnerabilities detected through the audit, as well as recommendations to address each of them.
Yes, we always provide a confidential original audit report, so that you can correct any errors found. With your permission, we would like to publish a report on our blog. We strongly recommend to make your report public, as this demonstrates increased security to your partners.
Audit timing and costs depend on its complexity and code volume. We will promptly prepare a full quotation after you contact us and provide the code. It is impossible to determine the terms of the audit without examining the code.
For large projects we provide updates every 2 weeks. If there are critical and major errors, we immediately give notifications via GitHub.
Blog