Protocol security and architecture for blockchain infrastructure and high-stakes DeFi teams. We focus on the failure-prone edges of modern crypto systems, from cross-chain trust boundaries to execution, consensus, and off-chain transaction flows.
ZKsync OS is a new RISC-based execution system for the next generation of ZKsync. Taran Space reviewed core components across multiple engagements, including the bootloader, transaction processing, EVM implementation, cache logic, and L2 interoperability paths at the center of the rollup architecture. The work also included a dedicated cryptography review focused on elliptic-curve components and proof-adjacent logic.
Powers an ecosystem securing over $320 million in value.
Stellar is a major blockchain infrastructure network for payments, tokenized assets, and financial applications. The work was delivered through public Oak Security engagements and covered Stellar Core protocol updates, with focus on correctness and consensus-sensitive changes that affect secure network operation.
Stellar has over $180M in DeFi TVL.
Snowbridge is a trustless bridge between Polkadot and Ethereum, using light-client verification instead of a trusted multisig or external validator set. Working as part of Oak Security’s team, we reviewed multiple releases, focusing on the boundaries between consensus assumptions, bridge logic, and Solidity/EVM execution.
Secures over $30M in assets bridged between Ethereum and Polkadot.
STBL is a stablecoin infrastructure protocol for token issuance, asset management, yield distribution, and operational control. We carried out the review for Hashlock, covering STBL’s Stellar/Rust smart-contract system, including asset issuer, airdrop issuer, USST/STBL token, oracle, registry, access-control, upgrade, and yield-distribution components.
Stablecoin infrastructure for asset issuance and yield distribution
Empowa / NSE Housing connects Cardano smart contracts with a real-world housing-finance application linked to the Nairobi Securities Exchange. Scope included eUTXO transaction design, order-book behavior, and business-critical contract logic used to coordinate financial activity before release.
RWA finance linked to a national securities exchange
VIA Labs builds cross-chain messaging infrastructure for moving data and value between blockchain networks. In a Hashlock-branded engagement, we reviewed VIA Labs’ Stellar/Soroban Rust messaging stack, covering client, fee-handler, gas-handler, message-client, and message-gateway components.
Cross-chain messaging for value-bearing blockchain flows
An audit is like a thorough checkup for digital projects. Its main goals are to make sure everything works as it should, find and fix any weak points that could be exploited by hackers, discover bugs that might cause unexpected issues, and check if the best coding practices were followed. Auditing isn't just about pointing out problems; it also provides helpful suggestions to make the code safer and easier to understand. In a nutshell, auditing is an investment in a project's health, protecting the team and its customers from unexpected financial losses.
The process begins with understanding the code's purpose through documentation. Automated tools can speed things up, but manual analysis for security issues and best practices is unavoidable. Each project undergoes meticulous line-by-line examination, checking for race conditions, overflow problems, key management, and access control. DeFi projects are particularly susceptible to reentrancy attacks or oracle manipulation, among other potential vulnerabilities. A comprehensive audit demands careful attention, so it's more about being thorough than being fast. Time to complete an audit depends on the codebase size and complexity, but typically it ranges from 1 to 3 weeks.
While it's theoretically possible for an audit to result in finding zero vulnerabilities, it's highly unlikely in practice. No system or process is entirely free from vulnerabilities, as security landscapes are constantly evolving, and new vulnerabilities may emerge over time. However, if a system has undergone rigorous security measures, regular updates, and best practices in design and implementation, it may have fewer vulnerabilities and be more resistant to attacks. In such cases, it's possible that no critical or major vulnerabilities are found during an audit, yet minor issues and areas for improvement may be identified. Recommendations will be provided to fortify the project's security further. In the rare event that our audit of your project discovers no issues across all vulnerability levels, we'll refund 100% of the amount paid.
Our pricing structure is tailored to the complexity of the project, the scope of the audit, and the expertise required. We offer competitive rates based on industry standards and the unique requirements of each engagement. For detailed information on pricing, we encourage you to contact us using the "Request a service" form. We're eager to discuss your needs and provide a quote aligned with the value of our services. The cost increases if you opt for a public audit, additional threat modeling, or economic consulting services.
Both kinds of auditing thoroughly verify that the project functions correctly and identify vulnerabilities and potential attack vectors. However, the results of a private audit are shared exclusively with internal stakeholders to ensure confidentiality during the project's development. The report is published immediately after the analysis is completed. On the other hand, public audits serve as a transparent proof of a project's security and reliability, fostering trust within the broader community and attracting external stakeholders. Public audits typically involve multiple auditors to cross-check each other and scrutinize each line of code meticulously. The initial report is drafted and presented to the customer, who then has a fixed one-month period to address any identified issues. After this timeframe, all issues are re-evaluated to ensure resolution by the customer. The status of each issue in the report is updated, and the finalized report is published on our website, making it publicly accessible.
To enhance the efficiency of an audit, undertake fundamental refactoring, address outstanding to-dos, and streamline the code for improved comprehension. This approach ensures that the audit focuses on identifying complex and potentially hazardous vulnerabilities. Once these improvements are implemented, it is crucial to freeze the code and provide us with the corresponding commit hash. An audit requires the codebase to be immutable, as any alterations necessitate a reassessment of the affected segments within the scope.
After your project has been audited, there are several steps you, as a client, can take to ensure the effectiveness and integrity of the audit process:
1. Review the Audit Report:
Carefully examine the audit report provided by the auditing team, and prioritize recommendations based on their severity.
2. Develop an Action Plan:
Collaborate with your development team to create a detailed action plan for implementing the recommended changes. Define timelines and allocate necessary resources.
3. Communication with Stakeholders:
Keep stakeholders informed about audit results, planned actions, and potential impacts on project timelines. Maintain transparent communication.
4. Implement Changes:
Execute the action plan by implementing necessary changes to your project, resolving all discovered issues based on the audit report.
5. Retest and Validate:
Conduct rigorous testing to ensure that identified vulnerabilities have been successfully addressed. Validate the effectiveness of applied solutions.
6. Documentation:
Update project documentation to reflect changes made based on the audit recommendations. Use this documentation as a resource for future audits and development efforts.
7. Continuous Monitoring:
Establish a process for continuous monitoring of your project's security and performance. Regularly assess and reassess your system to identify and address new vulnerabilities.
8. Provide Updated Codebase:
If the audit is public, provide the auditing team with the updated codebase. Separate fixes for each issue into distinct commits for easier review.
9. Review Fixes:
The auditing team will promptly review your fixes and update the audit report accordingly.
10. Feedback and Improvement:
Gather feedback from the audit process and leverage it to enhance your development practices. Integrate lessons learned into future projects.
By following these steps, you can not only address the findings of the audit but also strengthen the overall security and robustness of your project.

Whether you're gearing up for a thorough audit or are still in the planning stages of your project, we encourage you to get in touch. Our expertise extends to architecture and security consulting, catering to a diverse range of needs. Rest assured, all inquiries are attentively processed during business hours. You can expect a response within an hour; however, we appreciate your patience if it occasionally takes a few days.