Right-sized
From a single contract to a multi-service protocol. We'll tell you if a sprint is enough or if it isn't.
Services
Senior review, scoped to what matters.
We work best as a small, embedded research partner rather than a large vendor. Engagements are sized to the risk in front of you, whether that's a single contract, a protocol upgrade, or a full codebase. They're priced for senior attention: you get the people who actually do the work.
01
Smart-contract audits
Line-by-line manual review of on-chain logic: token accounting, access control and roles, upgrade and proxy patterns, oracle dependencies, and the economic assumptions that hold the system together. We pair close reading with targeted invariant and property tests, so the guarantees that matter end up written down and tested rather than assumed.
02
Protocol & codebase review
The code around the contracts: bridges and message passing, keepers and bots, indexers, signing services, node tooling. We trace trust boundaries and failure modes end to end. We also check codebases that share lineage with yours, where the same class of bug tends to recur. Outside crypto, we take on general codebase audits when the stakes justify a senior look.
03
Bug bounty research
Hunting and validation against live programs, with triage support for your team and clear write-ups when something lands. We validate every finding adversarially before it reaches you, and we verify the fix once it ships. The aim is to keep your program's signal high.
04
Threat modeling
Practical attack-path mapping for teams that want scope clarity before a review begins. We lay out the assets, the actors, the trust boundaries, and the handful of scenarios worth the most attention.
05
Remediation review
Fix validation, regression checks, and a concise verified-fix memo. Useful on its own when another party did the original review and you want an independent confirmation.
06
Security advisory
Ongoing, low-volume support for teams that would rather have a senior researcher on call than retain a large firm. Think design reviews, second opinions, and help handling a disclosure when one comes in.
:: scope · evidence · fix ::
A report you can act on
Plain enough for engineering execution, polished enough for a board or a community update.
We verify the fix
We re-test fixes and document residual risk, so closeout actually means something.
Scoping
Not sure which one you need?
Send a short description of the system and your concern. We'll suggest the smallest engagement that answers the question honestly.