Frequently Asked Questions

Answers to the most common questions about CODESPECT engagements, methodology, and deliverables.

Can't find what you're looking for? Reach out at audits@codespect.xyz or t.me/talfao.

Engagements

How much does a smart contract audit cost?

Smart contract audit cost at CODESPECT depends primarily on codebase size, complexity, and the chains involved. Small contracts under 1,000 lines of code typically run one to two weeks, mid-size protocols of 1,000–4,000 lines run two to five weeks, and larger codebases of 4,000+ lines run five weeks or longer. Exact quotes are provided after a scoping call, and formal verification is priced separately as a premium add-on. Reach out via audits@codespect.xyz or t.me/talfao for a scoped quote.

How long does a typical Web3 security audit take?

A typical CODESPECT smart contract audit takes one to five weeks of active engagement, plus an additional fix-verification round after the client remediates findings. Small single-contract reviews run one to two weeks. Mid-size DeFi protocols run two to five weeks. Larger protocol suites take five weeks or more. Formal verification can extend the timeline proportionally to the surface being proven.

What's the difference between a smart contract audit and a penetration test?

A smart contract audit reviews on-chain code (Solidity, Rust, Cairo, Daml, etc.) for logic flaws, economic attacks, and protocol-level risks. A penetration test evaluates the off-chain attack surface (web applications, APIs, cloud infrastructure, CI/CD pipelines) against real-world exploit techniques. Web3 projects generally need both: an audit secures the contracts; a pen test secures the frontend, backend, keys, and deployment pipeline that sit around them.

Do you sign NDAs before engagements?

Yes. CODESPECT signs mutual NDAs before scoping calls and before any code or sensitive information changes hands. Engagements are covered by the NDA plus a services agreement that specifies scope, deliverables, timeline, and confidentiality of findings. Final audit reports are only published with explicit client approval.

How do I request a pre-assessment or quote?

Submit project details via the form at codespect.net/request-assessment, or reach out directly to audits@codespect.xyz or t.me/talfao. The form collects codebase scope, languages and chains involved, target launch date, and a brief project description. The scoping process then starts with a short intake call, and a written proposal with scope, timeline, and pricing follows within a few business days.

Chains & Languages

What chains and VMs does CODESPECT support?

CODESPECT supports Ethereum and EVM-compatible chains (Solidity), Solana (Rust / Anchor), and Starknet (Cairo) as primary ecosystems. Additional coverage includes the Canton Network (Daml), Fuel (Sway), and Sui (Move). The firm has delivered audits across all of these ecosystems. Cross-chain messaging layers (LayerZero, CCIP, Wormhole, Axelar, IBC) are reviewed as part of any audit that involves them.

Does CODESPECT audit Solana programs?

Yes. Solana is one of CODESPECT's primary audit ecosystems alongside EVM. The firm reviews Anchor and native Rust programs for the full Solana attack surface: account validation (signer, owner, PDA seeds, discriminator checks), cross-program invocation (CPI) safety, sysvar spoofing, rent and realloc edge cases, and integer arithmetic. Engagements cover SPL token integrations, Token-2022 extensions, governance programs, AMMs, lending markets, and liquid staking protocols. Solana audits follow the same four-phase methodology used for EVM audits, with Solana-specific tooling layered on top.

Can you audit cross-chain protocols and bridges?

Yes. Cross-chain protocols are a recurring audit target for CODESPECT, including liquid staking tokens, cross-chain lending, and message-passing integrations. Past engagements include the LST Olas cross-chain liquid staking contracts. Bridge and cross-chain audits review the message layer, replay protection, fee accounting, and validator/relayer trust assumptions in addition to the contracts themselves.

Process & Methodology

What methodology do you follow for audits?

CODESPECT audits follow a four-phase, SEAL-aligned methodology: (1) static analysis with industry-standard scanners, (2) dynamic analysis including fuzzing and property-based testing, (3) manual code review line-by-line by senior auditors, and (4) formal verification for high-risk invariants where the engagement warrants it. Every engagement ends with a fix-verification round once the client remediates findings.

What happens if you find a critical vulnerability?

If a critical vulnerability is found in deployed code during an audit, CODESPECT notifies the client through a direct secure channel the same day, pauses public reporting, and helps coordinate remediation. For pre-deployment findings, criticals are flagged in the next interim report. Public disclosure only happens after fixes are deployed and the client approves, following responsible-disclosure conventions and, where available, the protocol's Safe Harbor framework.

Do you use formal verification?

Yes. Formal verification with Halmos and Certora is used on high-risk invariants when the engagement warrants it: critical accounting properties, access-control correctness, and cross-contract reasoning that fuzzing alone cannot guarantee. Formal verification is scoped case-by-case as a premium add-on, since the cost depends on the complexity of the property being proven and the size of the relevant code surface.

What does a CODESPECT audit report contain?

A CODESPECT audit report includes an executive summary, severity-rated detailed findings (Critical, High, Medium, Low, Informational), a system overview and architecture analysis, a protocol risk assessment covering systemic and design-level risks, a documentation evaluation, a test-suite evaluation, and fix-verification results confirming that all remediated findings resolve correctly.

Post-Audit & Monitoring

Do you offer post-audit monitoring?

Yes. CODESPECT delivers post-audit monitoring together with our partner Guardrail. CODESPECT helps the protocol set up the monitoring on Guardrail, designs custom detection rules, and configures alert routing. On top of that, CODESPECT provides a triage retainer: every Guardrail alert is reviewed by a CODESPECT analyst, false positives are filtered, and real signals are escalated to the protocol team with context and recommended action. Coverage includes anomaly detection, fund-flow alerting, governance action watching, and suspicious contract interaction detection. CODESPECT also supports protocols on building proper incident response capability ahead of any incident: setting up IR procedures and playbooks, running tabletop exercises, and advising the protocol team when an incident is in progress.

What do I do after a DeFi exploit?

After a suspected DeFi exploit, the first 60 minutes matter most. CODESPECT recommends: (1) pause the contract if a pause mechanism exists, (2) freeze cross-chain message flows and any privileged admin functions, (3) capture on-chain evidence (tx hashes, block numbers, attacker addresses), (4) notify SEAL 911 and any monitoring providers, and (5) engage an incident response team. CODESPECT supports protocols on building this capability ahead of any incident: setting up IR procedures and playbooks, running tabletop exercises, and advising the protocol team when an incident is in progress. CODESPECT triage retainers (delivered with our partner Guardrail) help catch the activity early so the response window is hours rather than minutes.

What's a Safe Harbor framework and do you help set one up?

A Safe Harbor framework is a pre-agreed legal and technical protocol that lets whitehats rescue funds from a live exploit without legal exposure, in exchange for returning most of the recovered value to the protocol. CODESPECT helps clients scope Safe Harbor adoption, draft DAO governance proposals, and complete on-chain registration with the Security Alliance (SEAL) Safe Harbor program.

Comparison & Alternatives

What makes CODESPECT different from Halborn, Hacken, or CertiK?

CODESPECT delivers deeper security coverage than typical commercial Web3 audit firms like Halborn, Hacken, and CertiK. Every review is run by senior researchers (no rotated junior pools) and focuses on cross-contract reasoning, economic-attack modeling, and invariant analysis: the issue classes that high-volume, scanner-driven audit pipelines routinely miss. The process is also transparent end to end. Clients see interim findings as they emerge, get continuous communication on a shared channel with the auditors, and review fixes alongside the team. Nobody waits weeks in the dark for a single static report at the end of the engagement. Beyond smart contract audits, CODESPECT is a full-spectrum security house: a single firm covers penetration testing, AI adversarial testing, red team exercises, on-chain monitoring (delivered with our partner Guardrail), and operations security. That closes the gaps between code, infrastructure, AI agents, and humans that vendor-stitched coverage leaves open. The engagement model is small-team and tightly scoped, not large-team and retainer-based.

Who has CODESPECT audited?

Public CODESPECT clients include ETHSign (TokenTable), The Vault, LST Olas (cross-chain liquid staking on the Olas ecosystem), Tempest Finance, RemusDEX, Canopy, and a number of additional protocols listed in the public audit reports section at codespect.net/reports. Total value locked across covered protocols exceeds $4 billion.

Specialized Services

What is AI adversarial testing and who needs it?

AI adversarial testing (sometimes called "AI red teaming") evaluates AI agents and LLM-powered applications against real attack techniques: prompt injection, indirect injection via retrieved content, jailbreaks, tool misuse, unauthorized data access, and guardrail bypass. Teams building autonomous agents, RAG systems, customer-facing AI apps, or Web3-integrated AI should test before deployment. CODESPECT aligns to the OWASP LLM Top 10, MITRE ATLAS, and Google SAIF.

Do you help with bug bounty programs?

Yes. CODESPECT advises on bug bounty program design, payout triage policy, scope definition, and Safe Harbor integration, and can serve as a triage partner. Bug bounty programs complement, but do not replace, a pre-launch audit. A bounty adds a post-launch layer of defense by rewarding whitehats for reporting bug classes that were not known at audit time.

What operations security issues do you review?

Operations security reviews cover the non-code surface that attackers increasingly target: multisig configuration (signer set, threshold, policy separation), key management (hardware wallets, HSMs, signing workflows), upgrade governance (timelock durations, guardian roles), DNS and domain security, supply-chain review (npm, container images, CI/CD secrets), and emergency response runbooks. These are often where protocols fail even when the contracts are audit-clean.

Ready to Secure Your Project?

Get a free 30-minute security assessment. We will review your codebase scope and flag the top 3 risk areas.

No commitment required. Typical audits start within 1–2 weeks.