Security Auditing, Research, and Advisory for the Decentralized Web

Web3 is the modern standard for transparent financial transactions, trustless accessible banking, and the global economy. But to build a competent, tamper-proof network and safeguard your users' assets, you need comprehensive security services.

Ethereum
Cosmos
Polkadot
CosmWasm
Solidity
Rust
Move
Sui
Aptos

Services

Web3 brings great benefits: democratized access to services, increased transparency and elimination of single points of failure. However, decentralized networks also raise the stakes. Every little inconsistency can be a vulnerability. Ensuring security in this new landscape is about more than just meeting standards — it's about keeping everyone's investments safe. Finding weak spots and vulnerabilities in decentralized networks demands not just robust knowledge of blockchain and a strong foundation in computer science, but also a keen eye for detail, verifying every line of code with precision and thoroughness.
As numerous blockchains emerge, there's a need for them to communicate and work together. Interoperability ensures that these diverse systems can coexist and interact smoothly. It enables the seamless transfer of assets and information between different blockchains. This is especially important for DeFi applications where assets may need to move across various platforms.
To build an effective and secure bridge between blockchains, experience and understanding in several areas are essential:    

Finality Protocols provide means to ensure that a transaction is irreversible on one chain before initiating any corresponding actions on another chain. They are vital for moving assets across chains.    

Cryptographic Proofs are essential to verify that certain actions or events have occurred on one blockchain before they can be acknowledged or mirrored on another blockchain. Proofs such as Simple Payment Verification (SPV) or Merkle proofs help ensure that data coming from one chain is authentic.    

Cryptoeconomic Incentives play a pivotal role in ensuring the security and functionality of a bridge. Validators, relayers, or other intermediaries involved in the bridging process need to have economic incentives to act honestly.
Redefining trust and transparency in the digital era: partnering with our expert blockchain auditors to safeguard your assets, verify transactions, and navigate cryptocurrencies

Case Studies

July 2024
Security Audit
X
oak

Dusk is an L1 blockchain built from scratch to fill the gap in Web3: native private transactions, regulatory-compliant. Rusk is the official Dusk protocol node client and smart contract platform. During the audit, both the consensus algorithm and the node implementation were reviewed.

L1
RocksDB
Rust
October 2023
Security Audit
X
oak
Rust
CosmWasm
DEX
DeFi
March 2023
Security Audit
X
oak

— platform for DAOs:

- Vesting contract
- Payroll factory

Rust
CosmWasm
DAO
axelar network
August 2024
Security Audit
X
C4

Axelar is a cross-chain General Message Passing platform unlocking cross-chain swaps and calls across multiple networks. The audit was conducted on Code4rena and included a thorough code review of Interchain Token Service contracts and gateways on Ethereum and Cosmos.

Cross-chain
DEX
Ethereum
Solidity
August 2023
Security Audit
X
oak

— bridge from Ethereum to Polkadot:

- Beacon chain light client built as parachain
- Asset Hub and Bridge Hub parachains
- BEEFY light client built as Solidity smart contract

Ethereum
Polkadot
Cross-chain
Light client
Rust
Solidity
Substrate
Merkle trees
Centauri
June 2023
Security Audit
X
oak

— bridge from Cosmos to Polkadot:

- GRANDPA finality proofs verification
- CosmWasm contract and IBC messaging
- Major and Critical vulnerabilities found

CosmWasm
Polkadot
Cross-chain
Light client
Rust
Substrate
Merkle trees
May 2023 - September 2024
Interoperability Research

- Architecture of DEX
- Atomic Swap prototype

Solidity
TON
DEX
Ethereum
October 2022
Interoperability Research

- custom Substrate network
- custom Polygon Edge network
- scalability analysis of EVM-networks
- performance analysis, stress testing
- test deployments of ChainBridge
- test deployments of Avalanche
- test deployments of Fantom

EVM
Solidity
Polygon
Substrate
Polkadot
Avalanche
Fantom

SMART CONTRACT AUDIT


Redefining trust and transparency in the digital era: partnering with our expert blockchain auditors to safeguard your assets, verify transactions, and navigate cryptocurrencies


Process

Pre-Audit (free of charge)

Quote
Your journey begins when you contact us through the contact form on our website, via messenger, or by email. When you do, please briefly describe your project and outline your goals with our services.

Preliminary assessment
We will promptly review your project online, evaluating the quality of the documentation and codebase. Our team will then provide a rough estimate of the workload required to uncover as many vulnerabilities as possible.

Audit

Architecture review
The initial phase of our engagement will involve a comprehensive review of the existing documentation. This will be followed by a detailed outline of the key components and modules. Most importantly, we will benchmark the architectural patterns implemented in your project, ensuring they meet the highest standards.

Technical interview
Once we grasp the high-level concepts of your project, we will conduct a technical interview with your team. We kindly request that you share as much technical information as possible. Please elaborate on the nuances of your build and deployment procedures and highlight any areas in the codebase that you feel uncertain about. If a code walkthrough is possible, it would be greatly beneficial. The more information you provide, the more time we can dedicate to addressing sophisticated issues and exploring corner cases in your algorithms.

- Manual code review: included in any audit
- Static & dynamic analysis: included in any audit
- Threat modelling: optional
- Cryptography review: optional
- Economics review: optional

Private report
Included in any audit.

Q&A with the client
After dispatching the report to you, we'll schedule a comprehensive wrap-up call. In this call, we will address all your questions, offer clarity on each issue and its impact, and outline the specific mitigation strategy for every concern. By the end of the call, you will have a clear picture of your project's security landscape and a robust action plan to reinforce its defenses.

Post-Audit

Client resolves the issues
Feel free to take the necessary time to address all identified issues. However, be aware that our post-audit support and review of the fixes will be available only for one month following the wrap-up call. This timeframe is in place because the mental model of any project requires refreshing after a period of inactivity.

Fixes review
We will promptly review your fixes and make corresponding updates to the draft report. In the event that a fix is found to be incorrect or incomplete, we will provide you with detailed guidance on the additional development required.

Public report
When all issues identified during the audit are resolved, or once the one-month post-audit timeframe has elapsed, we will finalize the report and proceed to publish it.

About

My name is Kirill Taran, and I wear multiple hats in the digital realm. I audit decentralized systems and smart contracts both independently and as a contractor. In my spare time, I dedicate myself to researching the architecture of cryptocurrencies and decentralized algorithms.

EDUCATION
Master of Science (MSc) in Mathematics and Software Engineering (010503) from the Department of Software Engineering, Faculty of Mathematics and Mechanics, St. Petersburg State University, Russia.
Thesis title: “Martin-Löf Type Theory in Software Verification”.
Experience
- Research and Development since 2011
- Blockchain and Web3 since 2019
- Tech Founder since 2020
SKILLS

- Security Advisory
- Solution Architecture
- Technical Leadership
- Formal Verification
- Smart Contracts
- Algorithms & Optimization
- Research & Data Analysis
- Token Economics

TOOLS

- Rust
- CosmWasm
- Substrate
- ink!
- Move
- Solidity
- Polkadot

- Ganache
- SCALE
- RocksDB
- TypeScript
- web3.js
- ethers
- ssz-rs

ECOSYSTEMS

- Ethereum
- Cosmos
- Polkadot
- Bitcoin
- Aptos
- Sui

PROTOCOLS

- Proof-of-Stake
- Proof-of-Work
- BFT Consensus
- BABE/GRANDPA
- DAG-based


FAQ

Why is auditing necessary?

An audit is like a thorough checkup for digital projects. Its main goals are to make sure everything works as it should, find and fix any weak points that could be exploited by hackers, discover bugs that might cause unexpected issues, and check if the best coding practices were followed. Auditing isn't just about pointing out problems; it also provides helpful suggestions to make the code safer and easier to understand. In a nutshell, auditing is an investment in a project's health, protecting the team and its customers from unexpected financial losses.

How do you conduct an audit and how long does it take?

The process begins with understanding the code's purpose through documentation. Automated tools can speed things up, but manual analysis for security issues and best practices is unavoidable. Each project undergoes meticulous line-by-line examination, checking for race conditions, overflow problems, key management, and access control. DeFi projects are particularly susceptible to reentrancy attacks or oracle manipulation, among other potential vulnerabilities. A comprehensive audit demands careful attention, so it's more about being thorough than being fast. Time to complete an audit depends on the codebase size and complexity, but typically it ranges from 1 to 3 weeks.

Can an audit discover zero vulnerabilities?

While it's theoretically possible for an audit to result in finding zero vulnerabilities, it's highly unlikely in practice. No system or process is entirely free from vulnerabilities, as security landscapes are constantly evolving, and new vulnerabilities may emerge over time. However, if a system has undergone rigorous security measures, regular updates, and best practices in design and implementation, it may have fewer vulnerabilities and be more resistant to attacks. In such cases, it's possible that no critical or major vulnerabilities are found during an audit, yet minor issues and areas for improvement may be identified. Recommendations will be provided to fortify the project's security further. In the rare event that our audit of your project discovers no issues across all vulnerability levels, we'll refund 100% of the amount paid.

How much does an audit cost?

Our pricing structure is tailored to the complexity of the project, the scope of the audit, and the expertise required. We offer competitive rates based on industry standards and the unique requirements of each engagement. For detailed information on pricing, we encourage you to contact us using the "Request a service" form. We're eager to discuss your needs and provide a quote aligned with the value of our services. The cost increases if you opt for a public audit, additional threat modeling, or economic consulting services.

What is the difference between a private and a public audit?

Both kinds of auditing thoroughly verify that the project functions correctly and identify vulnerabilities and potential attack vectors. However, the results of a private audit are shared exclusively with internal stakeholders to ensure confidentiality during the project's development. The report is published immediately after the analysis is completed. On the other hand, public audits serve as a transparent proof of a project's security and reliability, fostering trust within the broader community and attracting external stakeholders. Public audits typically involve multiple auditors to cross-check each other and scrutinize each line of code meticulously. The initial report is drafted and presented to the customer, who then has a fixed one-month period to address any identified issues. After this timeframe, all issues are re-evaluated to ensure resolution by the customer. The status of each issue in the report is updated, and the finalized report is published on our website, making it publicly accessible.

How to prepare for an audit?

To enhance the efficiency of an audit, undertake fundamental refactoring, address outstanding to-dos, and streamline the code for improved comprehension. This approach ensures that the audit focuses on identifying complex and potentially hazardous vulnerabilities. Once these improvements are implemented, it is crucial to freeze the code and provide us with the corresponding commit hash. An audit requires the codebase to be immutable, as any alterations necessitate a reassessment of the affected segments within the scope.

What to do after the audit?

After your project has been audited, there are several steps you, as a client, can take to ensure the effectiveness and integrity of the audit process:

1. Review the Audit Report:
Carefully examine the audit report provided by the auditing team, and prioritize recommendations based on their severity.

2. Develop an Action Plan:
Collaborate with your development team to create a detailed action plan for implementing the recommended changes. Define timelines and allocate necessary resources.

3. Communication with Stakeholders:
Keep stakeholders informed about audit results, planned actions, and potential impacts on project timelines. Maintain transparent communication.

4. Implement Changes:
Execute the action plan by implementing necessary changes to your project, resolving all discovered issues based on the audit report.

5. Retest and Validate:
Conduct rigorous testing to ensure that identified vulnerabilities have been successfully addressed. Validate the effectiveness of applied solutions.

6. Documentation:
Update project documentation to reflect changes made based on the audit recommendations. Use this documentation as a resource for future audits and development efforts.

7. Continuous Monitoring:
Establish a process for continuous monitoring of your project's security and performance. Regularly assess and reassess your system to identify and address new vulnerabilities.

8. Provide Updated Codebase:
If the audit is public, provide the auditing team with the updated codebase. Separate fixes for each issue into distinct commits for easier review.

9. Review Fixes:
The auditing team will promptly review your fixes and update the audit report accordingly.

10. Feedback and Improvement:
Gather feedback from the audit process and leverage it to enhance your development practices. Integrate lessons learned into future projects.

By following these steps, you can not only address the findings of the audit but also strengthen the overall security and robustness of your project.

Contact

Whether you're gearing up for a thorough audit or are still in the planning stages of your project, we encourage you to get in touch. Our expertise extends to architecture and security consulting, catering to a diverse range of needs. Rest assured, all inquiries are attentively processed during business hours. You can expect a response within an hour; however, we appreciate your patience if it occasionally takes a few days.
