Audits, threat modeling, custody review, and on-chain incident response for digital-asset operators.
Versus has audited L1s, bridges, decentralized exchanges, and custody platforms managing combined assets in the tens of billions. Our blockchain team is built from protocol engineers, cryptography researchers, and DeFi security specialists — many with prior bug-bounty leadership and protocol-engineering experience inside major ecosystems.
We work across EVM and non-EVM environments — Solidity, Vyper, Rust on Solana and Cosmos SDK, Move on Aptos and Sui, and the ZK-circuit and rollup stacks emerging in 2025-2026. We pair static and symbolic analysis with hands-on review, because the bugs that lose protocols their treasuries are usually composability bugs, not pattern-match issues.
When something goes wrong on-chain, our incident response team works the trace, the freeze, and the recovery in coordination with exchanges, validators, and law enforcement. We have run incidents with stolen-asset traces in the eight and nine figures.
Each engagement is led by senior operators. Scope is shaped to your environment, not pulled from a template.
Hands-on review of Solidity, Vyper, Rust, and Move codebases. Static analysis, symbolic execution, and property-based testing.
Architecture review for L1s, L2s, bridges, and oracles — economic, cryptographic, and composability attack surface.
MPC, HSM, and hot/warm/cold custody architecture review for exchanges, custodians, and treasury operators.
Stolen-asset tracing, exchange freeze coordination, validator-level response, and recovery operations under counsel.
Slashing-risk review, key ceremony design, and operational security for institutional staking and validator operators.
Circuit review, prover security, and bridge architecture for the rollup, ZK, and modular ecosystems.
A consistent rhythm whether the engagement is a single audit or a multi-quarter program.
Economic, cryptographic, and composability attack surface mapped against the protocol’s adversary assumptions.
Hands-on code review, automated analysis, and property-based testing. Senior reviewers, not junior pattern-matchers.
Findings reproduced as test cases. Severity assigned with explicit reasoning. No "informational" inflation.
Remediation review on the patched code. We sign off only what we have actually re-validated.
If yours isn’t here, the hotline and engagement intake both reach a senior partner.
For protocols that want public audits, yes — and they are searchable in our public repository. For private engagements (custody, treasury, exchanges), audits remain confidential.
Three to eight weeks depending on scope. We refuse audits we do not have time to do properly. "Two-day audits" are how protocols get drained.
Yes — within the hour. We have the tracing tooling, exchange relationships, and law-enforcement liaisons in place. Time matters: every minute of dwell time is funds moving further away.
Yes. Rust on Solana and Cosmos, Move on Aptos and Sui, and the ZK and rollup stacks. Our team is deliberately polyglot.
Chain engagements frequently sit alongside these capabilities. The same operating doctrine, the same partners.
Most engagements begin with a 30-minute scoping call. We’ll tell you within that call whether we’re the right fit.