Flagship engagement

Solana Audits

End-to-end security review for any Solana program: Anchor, Pinocchio, or native.

Our default engagement. Two researchers spend one to four weeks doing nothing but reading your code, backed by static analysis, dynamic testing, and AI-assisted scanning.

Lead time: 1–3 weeks
Team: 2+ researchers
Post-audit support: 6 months
Coverage: 100% Solana
Approach

Why Solana audits don’t look like EVM audits.

Solana programs share almost nothing with the Ethereum mental model. There is no implicit msg.sender, no automatic storage, no per-contract state. Every account is just bytes; every check is one your program has to make explicitly. An audit that’s correct on Ethereum can be silently wrong on Solana.

We treat the runtime as part of the threat model. Compute-unit exhaustion, log truncation, instruction reordering, CPI privilege carry-over, account type confusion: these aren’t edge cases on Solana; they’re the substrate every program runs on. We catalogue them by program type and walk through each one explicitly on every engagement.
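The "every check is explicit" point above, and the signer/owner/type checks listed under program correctness, are easiest to see side by side. The following is an added illustration, not code from this page or from any audited project: `Pubkey`, `AccountInfo`, the vault layout and the discriminator values are minimal stand-ins constructed so the snippet runs on the Rust standard library alone, and they are not the real `solana_program` API. It shows a withdraw handler that trusts whatever accounts it is handed, beside one that makes each assumption the EVM model would make for you into a named check.

```rust
// Added example (constructed types, not Solana's real runtime API).
use std::convert::TryInto;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

#[derive(Clone, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub owner: Pubkey,   // program that owns this account's data
    pub is_signer: bool, // whether this account signed the transaction
    pub data: Vec<u8>,   // raw bytes: the program must interpret them itself
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    IncorrectProgramId,
    InvalidAccountData,
    MissingRequiredSignature,
    InsufficientFunds,
}

// Constructed vault layout: [discriminator:1][authority:32][balance:8, little-endian]
pub const VAULT_DISCRIMINATOR: u8 = 0x01;
pub const USER_DISCRIMINATOR: u8 = 0x02; // a different account type with the same length
pub const VAULT_LEN: usize = 1 + 32 + 8;

pub fn make_account(key: Pubkey, owner: Pubkey, disc: u8, authority: Pubkey, balance: u64) -> AccountInfo {
    let mut data = Vec::with_capacity(VAULT_LEN);
    data.push(disc);
    data.extend_from_slice(&authority.0);
    data.extend_from_slice(&balance.to_le_bytes());
    AccountInfo { key, owner, is_signer: false, data }
}

fn read_balance(data: &[u8]) -> u64 {
    u64::from_le_bytes(data[33..41].try_into().expect("8 bytes"))
}

/// Vulnerable: trusts whatever accounts the caller passed in.
/// No owner, type, authority or signer check, and unchecked subtraction.
pub fn withdraw_insecure(vault: &mut AccountInfo, _authority: &AccountInfo, amount: u64) -> Result<u64, ProgramError> {
    let new_balance = read_balance(&vault.data).wrapping_sub(amount);
    vault.data[33..41].copy_from_slice(&new_balance.to_le_bytes());
    Ok(new_balance)
}

/// Hardened: every assumption is a named, explicit check.
pub fn withdraw_checked(program_id: &Pubkey, vault: &mut AccountInfo, authority: &AccountInfo, amount: u64) -> Result<u64, ProgramError> {
    // Owner check: only accounts created by this program can be a vault.
    if vault.owner != *program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    // Type check: reject a same-length account of another type (type confusion).
    if vault.data.len() != VAULT_LEN || vault.data[0] != VAULT_DISCRIMINATOR {
        return Err(ProgramError::InvalidAccountData);
    }
    // Authority check: the authority stored in the vault must be the account presented.
    let stored = Pubkey(vault.data[1..33].try_into().expect("32 bytes"));
    if stored != authority.key {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // Signer check: there is no msg.sender; the runtime only reports who signed.
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // Checked arithmetic: nothing reverts for you on underflow.
    let new_balance = read_balance(&vault.data)
        .checked_sub(amount)
        .ok_or(ProgramError::InsufficientFunds)?;
    vault.data[33..41].copy_from_slice(&new_balance.to_le_bytes());
    Ok(new_balance)
}

fn main() {
    let program = Pubkey([1; 32]);
    let attacker = Pubkey([3; 32]);
    // Constructed account: vault-shaped bytes, but owned by the attacker, not the program.
    let mut forged = make_account(Pubkey([9; 32]), attacker, VAULT_DISCRIMINATOR, attacker, 1_000);
    let auth = AccountInfo { key: attacker, owner: program, is_signer: true, data: vec![] };
    println!("insecure: {:?}", withdraw_insecure(&mut forged.clone(), &auth, 400));
    println!("checked:  {:?}", withdraw_checked(&program, &mut forged, &auth, 400));
}
```

The order of the checks matters: owner before type, because a discriminator byte is only trustworthy once you know your own program wrote it; authority-match before signer, because a valid signature from the wrong key proves nothing about the vault.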

Our researchers work in parallel without sharing notes, each one reporting findings as they go. The point is divergence: everyone uses their own approach and follows their own instincts rather than converging on a single reading. There is no reconciliation step; we report issues as we find them.

The engagement runs as a living GitHub repository. We file issues as we find them, with fix tracking and discussion threads, so you can start remediating before the audit is even over. The final deliverable is a PDF report with severity ratings, bug summaries, and remediation guidance. Fix verification is included, with unlimited rounds within reasonable time bounds and none of the surprise per-review costs other firms charge. Reports are made public only if you publish them or give us permission to.

What we cover

The surface area of a typical engagement.

01 Program correctness
Account validation, signer & owner checks, PDA derivation, CPI safety.

02 Economic & oracle risk
Invariants, rounding, slippage paths, price-feed assumptions, MEV exposure.

03 Runtime exploits
SVM-specific gotchas: compute exhaustion, log truncation, instruction reordering.

04 Authority model
Admin and privileged-instruction gating, multisig topology, key management, emergency procedures.

How we work

01 Scoping & threat model
We map trust boundaries, identify privileged paths, and agree on what's in scope before kickoff.

02 Deep manual review
Two researchers read every line in parallel, filing issues to a shared repo as they go.

03 Static, dynamic & AI analysis
Static analysis, dynamic testing, and AI-assisted scanning back the manual review and sweep the mechanical bug classes.

04 Report & fix verification
A PDF report with severity ratings, summaries, and remediation guidance, plus fix verification with unlimited rounds within reasonable time bounds.

Selected engagements

A small sample of the protocols we’ve audited end-to-end. Each engagement is led by a named researcher and culminates in a public report once the client gives the green light.

Feb 2026 · MetaDAO · Full protocol audit
Sep 2025 · Sanctum · Jiminy · token ratio · flat-slab
May 2025 · Light Protocol · Compressed accounts · ZK proofs
May 2025 · Realms · Governance · versioned transactions

Ready to audit your protocol?

Submit your protocol for review and we'll respond within 24 hours. Our researchers have prevented 50+ critical exploits across the Solana ecosystem.

Lead time: 2–4 weeks · Post-audit support: 6 months · Coverage: 100% Solana