Smart contract security

Security audits for the contracts your protocol runs on

Gizmolab audits smart contracts across every EVM chain and Solana — manual review by senior auditors, backed by fuzzing and automated analysis, and a self-serve first pass with Audit.new.

Vault.sol — audit pass
scanning
0
Critical
12
Resolved
100%
Coverage
Coverage

Audited across the chains you deploy on

Whatever you ship on, we review it there. Full EVM coverage and deep Solana expertise, with the same standard applied across every target.

Solana
Solana & the SVM

Native Rust and Anchor programs reviewed for account safety, CPI risk, and PDA correctness — the failure modes EVM auditors miss.

Audit a Solana program
EVM chains we audit
Ethereum
Ethereum
Base
Base
Arbitrum
Arbitrum
Optimism
Optimism
Polygon
Polygon
BNB Chain
BNB Chain
Avalanche
Avalanche
Blast
Blast
Linea
Linea
Scroll
Scroll
zkSync
zkSync
Mantle
Mantle
Berachain
Berachain
Unichain
Unichain
Gnosis
Gnosis
+ moreany EVM rollup
Languages

The languages we audit in

From high-level Solidity down to inline assembly, and across to Rust on Solana — we review the code in the language it was written in.

EVM

Solidity

The bulk of EVM DeFi. We review storage layout, external calls, access control, and upgrade paths line by line.

EVM

Vyper

Pythonic contracts with their own footguns. We check decorators, re-entrancy locks, and compiler-version pitfalls.

EVM

Yul & Inline Assembly

Low-level optimizations where most subtle bugs hide. Memory safety, calldata handling, and manual ABI decoding.

Solana

Rust

Native Solana programs. Account validation, signer/owner checks, CPI safety, and arithmetic on lamports.

Solana

Anchor

Anchor constraints, PDA derivation, account discriminators, and the gaps Anchor does not cover for you.

On request

Cairo & Move

Starknet (Cairo) and Aptos / Sui (Move) reviews available for teams shipping outside the EVM and SVM mainstream.

What we hunt for

The bugs that drain protocols

We test against the vulnerability classes behind real-world exploits — plus the invariants specific to your protocol's design.

Reentrancy

Cross-function and read-only reentrancy across external calls, callbacks, and token hooks.

Access Control

Missing or broken authorization, privileged role misuse, and initializer / ownership gaps.

Oracle & Price Manipulation

Spot-price reliance, TWAP gaming, flash-loan-driven manipulation, and stale feeds.

Arithmetic & Rounding

Overflow, precision loss, rounding direction, and share-inflation attacks on vaults.

Signature & Replay

EIP-712 / permit handling, nonce reuse, chain-id binding, and cross-domain replay.

MEV & Front-running

Sandwichable flows, unprotected slippage, and ordering-dependent state transitions.

Upgradeability & Proxies

Storage collisions, uninitialized implementations, and unsafe delegatecall patterns.

Solana Account Safety

Account confusion, missing owner/signer checks, PDA spoofing, and unchecked CPIs.

Process

How an audit runs

A clear, repeatable engagement — from threat model to a published report your community can trust.

01

Scope & threat model

We map your architecture, trust boundaries, and the invariants that must never break — before reading a single line.

02

Manual review

Senior auditors read the code line by line. Most critical findings come from humans who understand intent, not just tools.

03

Automated analysis

Static analysis, fuzzing, and symbolic execution stress invariants and surface edge cases the eye misses.

04

Severity-rated findings

Every issue gets a clear severity, impact, reproduction, and a concrete fix — not a vague flag.

05

Remediation support

We work with your engineers through fixes, answer questions, and re-check the patches you ship.

06

Re-audit & report

A final pass over remediations, then a clean report you can publish to your community and partners.

Deliverables

What you walk away with

Not just a list of bugs — everything your team needs to fix issues and prove the code is safe.

Full audit report

A structured report with findings, severity, reproduction steps, and remediation guidance.

Severity ratings

Critical → High → Medium → Low → Informational, scored by real-world impact and likelihood.

Remediation guidance

Concrete fixes and patterns, plus direct support while your team implements them.

Re-audit & public report

Verification of fixes and an optional published report you can share to build trust.

Self-serve tool

Audit.new — an instant first pass

Audit.new is Gizmolab's self-serve audit tool. Drop in a contract or connect a repo and get an AI-assisted first-pass review in minutes — surfacing common vulnerability classes, risky patterns, and a triage of where to look first.

It's the fast way to sanity-check code before a full engagement. For anything heading to mainnet with real value at stake, it hands off cleanly into a senior-led manual audit.

Paste or connect
A single contract or a whole repo.
Instant triage
Common vuln classes and risky patterns flagged.
Hand-off to manual
Escalate to a full senior-led audit in one click.

Ship it knowing it's
been looked at properly