Methodology

Our Process

Thorough, independent, verified.

How We Approach an Audit

Every engagement begins with a mutual understanding of scope. We review your codebase, discuss your architecture, and agree in writing on exactly what will be examined. Scope creep is expensive — for both parties. We avoid it by being precise at the start.

Our review process is multi-layered by design. Automated tools catch a broad surface area quickly. Manual review catches the subtle logic errors that no tool finds. A second independent pass — reviewing the same code without looking at the first reviewer's notes — catches what familiarity can obscure.

Typical audits take two to four weeks depending on the complexity and size of the codebase. We do not rush engagements. A missed finding in a rushed audit is worse than a delayed launch.

Analysis Tools

We use industry-standard open-source tools as the foundation of our automated analysis phase. Tools surface known vulnerability patterns, coverage gaps, and potential attack vectors — giving our manual reviewers a strong starting point.

Slither, Mythril, Foundry, Echidna, Hardhat, solc-select, 4naly3er, Aderyn

Automated tooling is the starting point, not the conclusion. Every finding from automated analysis is manually verified before it is included in the report. False positives are excluded. Findings that tools miss — business logic errors, economic attack paths, integration vulnerabilities — are identified exclusively through manual review.

The Five Phases

01. Scope & Intake

We begin with a written scope agreement covering: which contracts are in scope, which commit hash or version is the audit target, and what the expected behavior of each contract is. We review your documentation, test suite, and any prior audit reports. A well-defined scope protects both parties.

02. Automated Analysis

We run the in-scope contracts through our standard tool suite: static analysis with Slither and Aderyn, symbolic execution with Mythril, and fuzz testing with Echidna where applicable. We build and test with Foundry to verify the existing test suite passes and measure coverage. Results from this phase are triaged and documented before manual review begins.

03. Independent Multi-Layer Review

Each contract is manually reviewed line by line. We examine: access control and privilege escalation paths, reentrancy and external call ordering, integer arithmetic under edge cases, flash loan and price oracle attack surfaces, governance and upgrade mechanism risks, and economic attack vectors specific to your project's tokenomics. A second independent reviewer then reviews the same code without access to the first reviewer's findings — differences between the two passes are resolved through discussion, ensuring completeness.

04. Comprehensive Reporting

Every finding is documented with: a severity classification (Critical, High, Medium, Low, or Informational), a precise description of the vulnerability including the affected code location, a proof-of-concept demonstrating exploitability where applicable, and specific remediation guidance. The report is delivered as a professional PDF. Clients may share the report with investors, exchanges, listing platforms, and regulators.

05. Remediation Verification

After your team implements fixes, we receive the updated codebase and verify each remediation. We confirm that the vulnerability has been resolved without introducing new issues, and update the report accordingly. The final, verified report is delivered and may be published publicly if the client chooses.

Finding Severity Levels

Every finding is classified using a five-level severity framework. Severity reflects both the potential impact and the likelihood of exploitation.

Critical

Immediate risk of funds loss or contract takeover. Must be resolved before deployment.

High

Significant risk with realistic exploit path. Should be resolved before deployment.

Medium

Material vulnerability with limited exploit conditions or partial impact. Strongly recommended to resolve.

Low

Low-severity issue with minor impact or highly constrained exploit conditions.

Informational

Code quality, best practice, or documentation observations — no immediate security risk.

What You Receive

Simple token contracts can typically be completed in two weeks. Complex DeFi protocols with multiple interacting contracts may take four weeks or longer. The timeline is agreed upon at the start of the engagement.

At the conclusion of the engagement, you receive: a professional PDF audit report suitable for public release, a separate executive summary for non-technical stakeholders, a structured findings list with severity classifications and remediation status, and verification confirmation after remediation review.

We do not publish audit reports without client consent.
