Security audits for
the contracts your protocol runs on
Gizmolab audits smart contracts across every EVM chain and Solana — manual review by senior auditors, backed by fuzzing and automated analysis, and a self-serve first pass with Audit.new.
Audited across the chains you deploy on
Whatever you ship on, we review it there. Full EVM coverage and deep Solana expertise, with the same standard applied across every target.
Native Rust and Anchor programs reviewed for account safety, CPI risk, and PDA correctness — the failure modes EVM auditors miss.
The languages we audit in
From high-level Solidity down to inline assembly, and across to Rust on Solana — we review the code in the language it was written in.
Solidity
The bulk of EVM DeFi. We review storage layout, external calls, access control, and upgrade paths line by line.
Vyper
Pythonic contracts with their own footguns. We check decorators, re-entrancy locks, and compiler-version pitfalls.
Yul & Inline Assembly
Low-level optimizations where most subtle bugs hide. Memory safety, calldata handling, and manual ABI decoding.
Rust
Native Solana programs. Account validation, signer/owner checks, CPI safety, and arithmetic on lamports.
Anchor
Anchor constraints, PDA derivation, account discriminators, and the gaps Anchor does not cover for you.
Cairo & Move
Starknet (Cairo) and Aptos / Sui (Move) reviews available for teams shipping outside the EVM and SVM mainstream.
The bugs that drain protocols
We test against the vulnerability classes behind real-world exploits — plus the invariants specific to your protocol's design.
Reentrancy
Cross-function and read-only reentrancy across external calls, callbacks, and token hooks.
Access Control
Missing or broken authorization, privileged role misuse, and initializer / ownership gaps.
Oracle & Price Manipulation
Spot-price reliance, TWAP gaming, flash-loan-driven manipulation, and stale feeds.
Arithmetic & Rounding
Overflow, precision loss, rounding direction, and share-inflation attacks on vaults.
Signature & Replay
EIP-712 / permit handling, nonce reuse, chain-id binding, and cross-domain replay.
MEV & Front-running
Sandwichable flows, unprotected slippage, and ordering-dependent state transitions.
Upgradeability & Proxies
Storage collisions, uninitialized implementations, and unsafe delegatecall patterns.
Solana Account Safety
Account confusion, missing owner/signer checks, PDA spoofing, and unchecked CPIs.
How an audit runs
A clear, repeatable engagement — from threat model to a published report your community can trust.
Scope & threat model
We map your architecture, trust boundaries, and the invariants that must never break — before reading a single line.
Manual review
Senior auditors read the code line by line. Most critical findings come from humans who understand intent, not just tools.
Automated analysis
Static analysis, fuzzing, and symbolic execution stress invariants and surface edge cases the eye misses.
Severity-rated findings
Every issue gets a clear severity, impact, reproduction, and a concrete fix — not a vague flag.
Remediation support
We work with your engineers through fixes, answer questions, and re-check the patches you ship.
Re-audit & report
A final pass over remediations, then a clean report you can publish to your community and partners.
What you walk away with
Not just a list of bugs — everything your team needs to fix issues and prove the code is safe.
Full audit report
A structured report with findings, severity, reproduction steps, and remediation guidance.
Severity ratings
Critical → High → Medium → Low → Informational, scored by real-world impact and likelihood.
Remediation guidance
Concrete fixes and patterns, plus direct support while your team implements them.
Re-audit & public report
Verification of fixes and an optional published report you can share to build trust.
Audit.new — an instant first pass
Audit.new is Gizmolab's self-serve audit tool. Drop in a contract or connect a repo and get an AI-assisted first-pass review in minutes — surfacing common vulnerability classes, risky patterns, and a triage of where to look first.
It's the fast way to sanity-check code before a full engagement. For anything heading to mainnet with real value at stake, it hands off cleanly into a senior-led manual audit.