When should I get a security audit while building my project?

Security audits should be conducted early in the development process, ideally before mainnet deployment. For early-stage builders, getting an audit during testnet phase helps identify vulnerabilities before they become exploitable. This prevents costly exploits and builds user trust from day one.

Why do early-stage projects need security audits?

Early-stage projects are prime targets for exploits because they often have limited security resources. A security audit is essential for: preventing loss of user funds, building credibility with investors, ensuring code quality before scaling, and avoiding reputation damage from security incidents.

What makes a good smart contract security audit?

A comprehensive security audit requires deep technical expertise in the specific blockchain architecture, thorough analysis of smart contract logic, understanding of common vulnerability patterns, and experience with production deployments. Look for auditors with proven track records in your specific ecosystem (Move, Rust, Solana, etc.) rather than generalists.

What should I look for when building a Web3 project?

When building Web3 projects, prioritize: 1) Security audit before mainnet deployment, 2) Specialized expertise in your specific blockchain architecture (Aptos/Solana/Sui), 3) Auditors with proven track records in similar protocols, 4) Comprehensive testing beyond automated tools. Security should be integrated into your development process, not an afterthought.

How long does a smart contract audit take?

Most smart contract audits take 1-4 weeks depending on complexity. We start within days, unlike traditional firms with 8+ week backlogs that can delay your project launch.

What blockchains do you audit?

We specialize in Solana (native Rust and Anchor), ZK rollups (ZkSync), Cosmos, and EVM chains. Our team has deep expertise across Rust-based chains and emerging ecosystems.

How do I secure Aptos smart contracts?

Secure Aptos smart contracts by: 1) Validating all capability transfers and resource ownership, 2) Testing parallel execution scenarios for race conditions, 3) Implementing proper access controls using Aptos's account-based model, 4) Auditing Move bytecode for logic errors, 5) Testing with Aptos's formal verification tools. Professional audits catch architectural vulnerabilities that automated tools miss.

What are common Sui Move vulnerabilities?

Common Sui Move vulnerabilities include: capability leakage in shared objects, improper object ownership transfers, missing ability annotations (drop, copy, store), reentrancy in object-centric patterns, and misuse of Sui's consensus mechanisms. The $223M Cetus exploit demonstrates how subtle Move vulnerabilities can bypass multiple audits.

What is Move language security?

Move is a resource-oriented programming language designed for blockchain security with linear types that prevent double-spending and resource duplication. However, Move's safety guarantees are language-level only—architectural vulnerabilities, logic errors, and consensus-level exploits require specialized security auditing expertise.

How do Sui and Aptos security differ?

Sui uses object-centric architecture with parallel execution and ownership-based security, while Aptos uses account-based model with Block-STM parallel execution. Sui's security risks involve object capability patterns, while Aptos focuses on account access control and transaction ordering. Each requires specialized audit expertise.

What is parallel execution security?

Parallel execution security involves preventing race conditions, transaction ordering attacks, and state inconsistencies when multiple transactions execute simultaneously. Both Sui and Aptos use parallel execution but with different models—Sui's optimistic concurrency vs Aptos's Block-STM—requiring different security analysis approaches.

How do I audit Move smart contracts?

Auditing Move contracts requires: 1) Analyzing resource safety and ability annotations, 2) Testing ownership transfer patterns, 3) Validating capability usage, 4) Checking for logic errors in complex functions, 5) Reviewing upgrade mechanisms and admin privileges, 6) Testing integration with consensus layer. Automated tools catch syntax issues; human experts find architectural flaws.

What are object-centric security risks?

Object-centric blockchains like Sui introduce unique security challenges: shared object race conditions, capability leakage through object wrapping, unintended object freezing, complex ownership transfer bugs, and consensus-level vulnerabilities. Traditional smart contract security knowledge doesn't directly transfer to object-centric architectures.

Why are non-EVM audits different?

Non-EVM blockchains use fundamentally different architectures: Move's resource safety vs Solidity's account model, Rust's ownership vs Solidity's inheritance, different consensus mechanisms, and unique execution models. Security patterns from Ethereum don't apply—you need auditors specialized in your specific blockchain architecture.

What is DeFi protocol security?

DeFi protocol security involves: 1) Economic attack vector analysis (oracle manipulation, flash loans, MEV), 2) Smart contract logic validation, 3) Integration risk assessment across protocols, 4) Liquidity mechanism security, 5) Governance vulnerability testing. DeFi security requires understanding both code and economic game theory.

How do I prevent reentrancy in Move?

Move prevents traditional reentrancy through its resource safety model and linear types. However, Move protocols can still have reentrancy-like vulnerabilities through: cross-module callbacks, shared object modifications, and consensus-level transaction ordering. Proper capability management and access controls are essential.

What is Move bytecode verification?

Move bytecode verification is the process of analyzing compiled Move code for security vulnerabilities at the bytecode level. This includes: resource safety verification, ability constraint validation, type safety checks, and reference analysis. Bytecode-level audits catch compiler optimization issues and advanced attack vectors.

What are blockchain infrastructure security risks?

Blockchain infrastructure security encompasses: consensus mechanism vulnerabilities, networking layer attacks, validator security, RPC node security, oracle integrity, bridge security, and upgrade mechanisms. Infrastructure exploits often bypass smart contract security entirely.

How do I secure Solana smart contracts?

Secure Solana contracts (programs) by: 1) Implementing proper account validation and ownership checks, 2) Using PDAs correctly for security boundaries, 3) Preventing arithmetic overflow with checked operations, 4) Validating signer authorities, 5) Testing with Anchor framework security best practices. Solana's account model requires specialized security expertise.

What is formal verification for smart contracts?

Formal verification mathematically proves that smart contract code satisfies specified security properties. However, formal verification has limitations: it only proves what you specify, can't catch architectural issues, and doesn't prevent consensus-level attacks. The Cetus $223M exploit had formal verification but still failed due to architectural vulnerabilities.

How do I find smart contract vulnerabilities?

Finding smart contract vulnerabilities requires: 1) Manual code review by experienced auditors, 2) Automated static analysis tools, 3) Fuzzing and property testing, 4) Economic simulation and game theory analysis, 5) Integration testing across protocols, 6) Historical exploit pattern matching. Critical vulnerabilities are found by human experts, not tools.

What are common DeFi exploit patterns?

Common DeFi exploit patterns include: oracle manipulation attacks, flash loan exploits, reentrancy attacks, access control failures, logic errors in math operations, front-running vulnerabilities, and cross-protocol integration risks. Understanding these patterns is essential for both auditors and developers.

How do I secure crypto protocol upgrades?

Secure protocol upgrades by: 1) Implementing timelocks on upgrade functions, 2) Using multi-sig governance for upgrade approval, 3) Auditing upgrade logic and migration code, 4) Testing upgrade paths on testnets, 5) Providing emergency pause mechanisms, 6) Documenting upgrade procedures. Upgrade vulnerabilities bypass all previous security measures.

What is capability-based security in Move?

Capability-based security in Move uses unforgeable resource types (capabilities) to control access to privileged operations. Capabilities must be carefully managed to prevent: capability leakage through shared objects, unintended capability duplication, improper capability destruction, and unauthorized capability access. Proper capability design is critical for Move security.

How do I audit cross-chain bridges?

Auditing cross-chain bridges requires analyzing: 1) Message verification mechanisms, 2) Validator set security and collusion risks, 3) Asset locking/unlocking logic, 4) Replay attack prevention, 5) Finality guarantees, 6) Emergency shutdown procedures. Bridge exploits account for billions in losses—specialized expertise is essential.

What is MEV and how does it affect security?

MEV (Maximal Extractable Value) is profit extracted by reordering, inserting, or censoring transactions. MEV affects security through: front-running attacks, sandwich attacks, liquidation manipulation, and oracle price manipulation. Protocols must design MEV-resistant mechanisms or accept MEV as an attack vector.

How do I secure NFT smart contracts?

Secure NFT contracts by: 1) Implementing proper access controls for minting, 2) Validating metadata URI integrity, 3) Preventing unauthorized transfers, 4) Securing royalty mechanisms, 5) Testing upgrade paths, 6) Auditing marketplace integrations. NFT security extends beyond the token contract to entire ecosystem interactions.

What are the risks of unaudited smart contracts?

Unaudited smart contracts risk: total loss of user funds through exploits, permanent reputation damage, legal liability, inability to fix vulnerabilities after deployment, loss of investor confidence, and protocol failure. The cost of an exploit vastly exceeds audit costs—security is an investment, not an expense.

Mirage Audits: Valid Proofs, Broken Protocols: The ZK Bugs Engineers Actually Miss

A ZK proof can verify correctly while the system still leaks private data, proves the wrong semantics, or authorizes the wrong action.

Most engineers hear "ZK audit" and think the main question is simple: can someone produce a proof for a false statement?

That is one part of the job.

You still need to find missing constraints, bad verifier keys, weak public input handling, and circuits that accept witnesses they should reject.

But that is not enough.

The better mental model is this:

A ZK system is a security promise implemented across math, code, configuration, and product flow.

The proof is only one object inside that system.

The pattern I keep seeing is this: teams verify the proof, then stop tracing the promise.

When I review ZK protocols, I try to split the audit into three questions:

Soundness: is the prover forced to prove the intended statement?
Zero-knowledge: does the proof leak anything the system claims to hide?
Binding: is the proof tied to the exact action the protocol performs?

Most interesting bugs are violations of one of those promises.

The proof may still verify.

The protocol may still be broken.

1. Zero-Knowledge Can Fail Even When Verification Is Correct

The easiest trap is treating "the verifier accepts" as the only security property.

In a zero-knowledge proof, verification is not enough. The proof also has to hide the witness. If an implementation leaks enough structure for a verifier to recover private values, then the proof can be complete and sound while no longer being zero-knowledge.

This is not theoretical.

In 2024, gnark disclosed CVE-2024-45040. The issue affected Groth16 proofs with commitments before gnark v0.11.0. The commitments to private witnesses did not provide the required hiding property. If committed values had low entropy, an attacker could enumerate candidate witnesses and compare against the proof commitment. The fix added randomness to mask committed values.

That is an important audit lesson:

Commitments are not private just because they are called commitments.

They need the hiding property. In practice, that often means blinding.

A recent Sherlock Pico ZKVM finding applied this exact class of issue in a concrete system. The circuit used RangeChecker.Check() in paths that could trigger the affected commitment behavior. For small or low-entropy witness values, a verifier could brute-force guesses and compare deterministic commitments. The proof still verified. The leakage came from how private values were committed inside the proving flow.

OpenZeppelin reported a related privacy failure in its Linea PLONK prover audit. The quotient polynomial shards were committed into the proof without individual blinding. The impact was not "fake proof accepted." The impact was that the implementation did not provide the expected statistical zero-knowledge property. The fix introduced blinding for those shards, with an option to disable statistical ZK when the memory cost was not desirable.

That tradeoff matters.

Zero-knowledge is not free. It costs memory, randomness, constraints, complexity, and implementation discipline. If a team disables or skips blinding for performance, that may be a reasonable engineering tradeoff in a non-private setting. But it cannot be marketed as the same privacy property.

When auditing privacy-sensitive ZK systems, I would ask:

which witness values are committed?
are those commitments hiding or only binding?
are low-entropy witnesses exposed to guessing?
where is randomness introduced?
can a verifier recompute proof components for candidate values?
is "statistical zero-knowledge" optional, disabled, or inconsistently applied?

The bug class is simple:

the proof verifies, but the witness is no longer private.

That is a ZK failure even if soundness is intact.

The verifier accepting is not the finish line.

2. The Circuit Can Prove A Weaker Statement Than The Developer Thinks

The second class is the classic circuit-audit problem: the code computes something, but the constraints do not force it.

In circuit work, computing a value is not the same as constraining it.

This is where many Circom-style bugs live.

A witness generator can compute the honest value. A malicious prover does not have to use the witness generator honestly. They only need values that satisfy the constraints.

So the audit question is not:

what does the code appear to compute?

The audit question is:

what is the prover actually forced to prove?

In a recent private audit, I found a simple version of this pattern around Merkle path selection. The circuit expected each path selector to be binary: at every tree level, the current node is either on the left or on the right. But the selector was not explicitly constrained to 0 or 1.

The intended statement was:

this is a valid left/right Merkle path to a known root.

The actual statement was weaker:

this is a path equation using selector field elements that are not fully restricted to left/right bits.

That distinction matters.

It did not automatically mean an attacker could steal funds. Exploitation still depended on whether the extra freedom could be used to land on a known root under the hash assumptions. But it was still a real circuit bug, because the statement being proven was not the statement the developers intended.

This is where severity discipline matters.

Weak statement does not always mean practical exploit.

No practical exploit does not mean no bug.

A serious ZK finding should say:

intended statement
actual constrained statement
extra freedom given to the prover
whether that freedom creates an exploit path
what assumption blocks exploitation if no exploit is known
exact constraint or redesign needed

The same mindset applies outside hand-written app circuits.

In a recent Pico ZKVM finding, the issue was not "forgot to constrain a Merkle selector." It was compiler semantics. A read_ghost_addr method incremented a multiplicity counter even though ghost reads were meant to be non-computational. Other ghost-read paths did not increment multiplicity. That inconsistency could affect the memory-access accounting used later by the circuit.

This is a more advanced version of the same problem.

In a zkVM, the circuit is not only the thing developers write by hand. The compiler, memory model, lookup arguments, multiplicity counters, opcode tables, and trace-generation semantics are part of the proof statement.

If the compiler records the wrong semantics, the proof can faithfully prove the wrong thing.

That is why zkVM audits need a different mindset from ordinary application audits. You are not only reviewing functions. You are reviewing the translation layer between program execution and constraints.

For this class, I check:

are boolean values actually boolean-constrained?
are range assumptions explicit?
are field elements later treated as fixed-width integers?
are component outputs connected?
are selectors, lookup multiplicities, and memory counters updated consistently?
does "debug" or "ghost" behavior affect proof-relevant state?
does the trace encode the semantics the VM claims to prove?

The bug class is:

the proof is valid, but it proves a weaker or different statement.

A proof can preserve exactly the wrong thing.

3. A Valid Proof Can Authorize The Wrong Action

The third class is the one Web3 engineers understand fastest.

The proof proves something true, but the protocol uses it to authorize something not fully bound to that proof.

OpenZeppelin's SSO Account OIDC Recovery audit has a clean example. The recovery flow used a ZK proof to show ownership of an OIDC identity. Once the proof and related data were verified, startRecovery could begin account recovery. Most parameters were validated, but pendingPasskeyHash was not bound to the proof before being written into account storage.

That matters because the passkey hash determines who can complete recovery.

If a caller can supply a pendingPasskeyHash they control while reusing a valid proof, the proof of identity becomes a way to set the attacker's recovery key. The proof is not false. The action is under-bound.

The fix was conceptually simple: include pendingPasskeyHash in the data checked by the proof, via the JWT nonce construction, so the user intent covers the exact passkey being installed.

This is one of the most important ZK application lessons:

If a value changes the action being authorized, it must be bound to the proof.

I found a related pattern in a recent private audit of a privacy-style protocol.

The withdrawal proof bound several public values: root, nullifier, recipient, relayer, fee, and an additional settlement value. Verification succeeded. The contract used the settlement value in payout arithmetic.

But the protocol did not fully honor that value after verification.

It affected the accounting, but did not have the complete transfer semantics the proof implied.

This is not a cryptographic break. It is a boundary break. The circuit and the settlement code disagreed about what a public input meant.

Every public input is a promise.

If the proof binds recipient, settlement must pay that recipient.

If the proof binds fee, settlement must cap and route that fee correctly.

If the proof binds pendingPasskeyHash, recovery must install that exact intended key.

If the proof binds a pool, root, denomination, chain ID, domain separator, relayer, refund, nonce, or account, the protocol must use that value with the same semantics.

Otherwise the proof is being used as a generic permission slip.

That is dangerous.

If a value changes user authority, funds, recovery, or privacy, it belongs inside the statement.

For this class, I ask:

what action does this proof authorize?
which values define that action?
are all of those values public inputs or otherwise committed into the proof?
does the contract use the same values after verification?
can a caller swap an action parameter after proof generation?
can the same proof be replayed in another account, pool, chain, epoch, or recovery session?
can config select a verifier or circuit that proves a different statement?

The bug class is:

the proof is valid, but it is not bound to the exact protocol action.

The Auditor Mindset

The best ZK audits are not "read circuit, check proof."

They are systems audits with math inside them.

A good review moves through layers:

Statement: write the proof statement in plain English.
Constraints: check that the circuit enforces that statement.
Privacy: check that proving artifacts do not leak the witness.
Verifier: check key, public input order, curve, field, and proof-system assumptions.
Binding: check that every action-critical value is part of the statement.
Settlement: trace what happens after verifyProof.
Integration: check relayers, APIs, logs, compliance checks, hosted provers, and frontend flows.

This is where ZK audits become psychologically different from normal smart contract audits.

In a normal contract, the dangerous line is often directly visible: bad access control, wrong arithmetic, unsafe external call.

In ZK systems, the dangerous line may be a mismatch between worlds:

field element vs integer
witness assignment vs constraint
commitment vs hiding commitment
proof verification vs action authorization
VM execution vs trace semantics
privacy claim vs actual integration behavior

That is why "the proof verifies" is such a weak stopping point.

In ZK audits, the dangerous line is often the boundary between two systems.

The useful question is:

What promise does this proof create, and does the rest of the system keep it?

If the answer is no, the protocol can fail even with a valid proof.

Conclusion

ZK is powerful because it lets systems prove precise statements without revealing the full witness.

But precision is also the trap.

If the statement is weaker than intended, the proof preserves the wrong semantics.

If the proving implementation leaks witness commitments, the proof stops being zero-knowledge.

If the protocol performs an action not fully bound to the proof, the proof becomes a partial authorization primitive.

Valid proof. Broken protocol.

That is the class of bug engineers miss when they treat ZK as a black box.

The best auditors do the opposite.

They trace the promise around the proof.

References

RareSkills ZK Book
CVE-2024-45040: gnark Groth16 commitments to private witnesses break zero-knowledge
Linea PLONK Prover and Verifier Audit - OpenZeppelin
SSO Account OIDC Recovery Solidity Audit - OpenZeppelin
Public Sherlock Pico ZKVM judging finding #128
Public Sherlock Pico ZKVM judging finding #108