Our Methodology

A transparent, repeatable security process built on industry-leading tools and frameworks. Every engagement follows the same rigorous standard.

SEAL Framework Alignment

Our methodology aligns with the Security Alliance (SEAL) frameworks, the emerging industry standard for Web3 security. We map every engagement to the relevant SEAL domains to ensure comprehensive coverage.

The 4-Phase Audit Process

Phase 1: Static Analysis + AI Review

Tools:

Slither, Aderyn, AI-assisted analysis

Purpose:

Automated detection of known vulnerability patterns, code quality issues and gas optimization opportunities, augmented by AI review using custom skills and domain-specific models to surface deeper issues across the codebase.

Output:

Baseline findings report, false positive triage, AI-flagged risk areas

Phase 2: Fuzz Testing & Invariant Checking (Premium)

Tools:

Foundry fuzz testing, Trident

Purpose:

Property-based testing, invariant checking, edge case discovery.

Output:

Custom fuzz harnesses, failing test cases for identified issues

Phase 3: Manual Code Review

Tools:

Senior-only review, minimum two auditors

Purpose:

Business logic, access control, economic attacks, cross-contract interactions, oracle manipulation, reentrancy, front-running.

Output:

Detailed findings with PoC exploits where applicable

Phase 4: Formal Verification

Tools:

Halmos

Purpose:

Mathematical proofs for critical invariants (token conservation, exchange rate monotonicity, access control correctness).

Best for:

AMMs, lending protocols, stablecoins, bridges
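To make "invariant checking" (Phase 2) and "mathematical proofs for critical invariants" (Phase 4) concrete, here is an added example; it is not code from this page or from the audit team's own tooling. It assumes a Foundry project with forge-std installed. The Vault contract, the actor addresses and the VaultHandler, VaultInvariants and VaultProofs names are constructed for illustration. The same token-conservation property is checked twice: once by Foundry's invariant fuzzer over random call sequences, and once by Halmos over symbolic amounts, which is what turns a test into a proof.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal ETH vault constructed for this example. Token conservation means the
/// vault's ETH balance, its accounting total and the sum of user balances agree.
contract Vault {
    mapping(address => uint256) public balanceOf;
    uint256 public totalDeposits;

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

/// Phase 2 style handler: Foundry's invariant fuzzer calls these entry points in
/// random sequences. Ghost counters record what the handler did so the invariant
/// can compare it against the vault's own accounting.
contract VaultHandler is Test {
    Vault public vault;
    address[] public actors;
    uint256 public ghostDeposited;
    uint256 public ghostWithdrawn;

    constructor(Vault _vault) {
        vault = _vault;
        actors.push(address(0xA11CE)); // constructed actor addresses
        actors.push(address(0xB0B));
    }

    function deposit(uint256 actorSeed, uint256 amount) external {
        address actor = actors[actorSeed % actors.length];
        amount = bound(amount, 0, 100 ether); // keep inputs in a realistic range
        vm.deal(actor, amount);               // fund the actor, then deposit as them
        vm.prank(actor);
        vault.deposit{value: amount}();
        ghostDeposited += amount;
    }

    function withdraw(uint256 actorSeed, uint256 amount) external {
        address actor = actors[actorSeed % actors.length];
        amount = bound(amount, 0, vault.balanceOf(actor)); // never request more than owned
        vm.prank(actor);
        vault.withdraw(amount);
        ghostWithdrawn += amount;
    }

    function sumOfBalances() external view returns (uint256 total) {
        for (uint256 i = 0; i < actors.length; i++) {
            total += vault.balanceOf(actors[i]);
        }
    }
}

/// Invariant test: checked after every fuzzed call sequence.
contract VaultInvariants is Test {
    Vault vault;
    VaultHandler handler;

    function setUp() public {
        vault = new Vault();
        handler = new VaultHandler(vault);
        targetContract(address(handler)); // fuzz only the handler's entry points
    }

    function invariant_conservation() public {
        assertEq(vault.totalDeposits(), address(vault).balance);
        assertEq(vault.totalDeposits(), handler.sumOfBalances());
        assertEq(vault.totalDeposits(), handler.ghostDeposited() - handler.ghostWithdrawn());
    }
}

/// Phase 4 style symbolic test for Halmos: both arguments are symbolic, so a
/// passing run covers every value, not a sample of them.
contract VaultProofs is Test {
    Vault vault;
    address constant USER = address(0xCAFE); // constructed

    function setUp() public {
        vault = new Vault();
    }

    function check_withdrawConservesFunds(uint256 depositAmt, uint256 withdrawAmt) public {
        vm.assume(withdrawAmt <= depositAmt); // restrict to the path that should succeed
        vm.deal(USER, depositAmt);
        vm.prank(USER);
        vault.deposit{value: depositAmt}();

        vm.prank(USER);
        vault.withdraw(withdrawAmt);

        assert(vault.balanceOf(USER) == depositAmt - withdrawAmt);
        assert(vault.totalDeposits() == address(vault).balance);
    }
}
```

Run the fuzz half with `forge test --match-contract VaultInvariants` and the proof half with `halmos --contract VaultProofs`. The difference is what a pass means: Foundry reports that no sampled sequence broke the invariant, while Halmos either proves the assertions for all values of depositAmt and withdrawAmt or prints a concrete counterexample. In both cases the result is only as strong as the property written down; the check proves conservation for this one call shape, not the absence of other bugs.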

Beyond Smart Contracts

Our methodology extends across all six service pillars.

Service | Key Frameworks
Web3 Security | SEAL Security Testing, External Security Reviews
Penetration Testing | OWASP, PTES, SEAL Infrastructure
AI Hacking | OWASP LLM Top 10, MITRE ATLAS, Google SAIF
Red Teaming | SEAL OpSec, DPRK IT Workers, Awareness
Monitoring | SEAL Monitoring, Infrastructure, P1-P5 Severity
Operations Security | SEAL OpSec, Multisig, Wallet Security

Risk Classification

Severity is determined by combining Likelihood and Impact.

Severity Level | Impact: High | Impact: Medium | Impact: Low
Likelihood: High | Critical | High | Medium
Likelihood: Medium | High | Medium | Low
Likelihood: Low | Medium | Low | Low

Impact

High

Substantial loss of assets (more than 10%) within the protocol or significant disruption to the majority of users.

Medium

Losses affect less than 10% globally or impact only a portion of users, but are still considered unacceptable.

Low

Losses may be inconvenient but are manageable — griefing attacks that can be resolved or minor inefficiencies such as gas costs.

Likelihood

High

Very likely to occur — either easy to exploit or difficult but highly incentivized.

Medium

Likely only under certain conditions or moderately incentivized.

Low

Unlikely unless specific conditions are met, or there is little-to-no incentive for exploitation.

Action Required

Critical

Must be addressed immediately if already deployed.

High

Must be resolved before deployment (or urgently if already deployed).

Medium

It is recommended to fix.

Low

Can be fixed if desired but is not crucial.

Informational

Do not pose a direct security risk but provide useful information the audit team wants to communicate formally.

Best Practices

Indicate that certain portions of the code deviate from established smart contract development standards.

Transparency Guarantee

Daily progress updates during every engagement

No black-box processes

Full PoC exploits for all Critical and High findings

Fix verification included at no additional cost

Published audit reports (with client approval)

See our methodology in action

Browse our published audit reports or get a free 30-minute assessment.