
Security that scales with complexity

Audicity applies independent security review across every engagement and offers standalone security services to teams operating production systems. Both follow the same standard: review the design before reviewing the code, and validate behaviour against threats rather than against checklists.

01 · Methodology
Security

Review the design before reviewing the code.

Most exploitable vulnerabilities in production smart contract systems are design failures, not implementation failures. Access controls that are correct in isolation but unsafe in composition. Economic mechanisms that hold under normal conditions but break under coordinated pressure. Upgrade paths that introduce trust assumptions the original specification never acknowledged. Code-level review catches the bugs that remain after the design is sound. It does not substitute for the work of getting the design sound in the first place.

We treat security as a property of the system, not of the contract. Every review begins with the specification: what the system is meant to do, what it must never do, and what trust assumptions hold the two apart. Implementation review follows, against documented invariants rather than generic checklists. Where the value at stake justifies it, formal verification, independent third-party audit, and continuous post-deployment monitoring extend the same standard across the lifetime of the system.

This is the discipline applied to every engagement Audicity delivers. It is also the discipline applied when teams engage us specifically for the review of systems they have already built.

02 · Capabilities

What a security engagement covers.

01 · Specification & Threat Review

Independent review of the specification, trust model, and adversarial scenarios before implementation begins. Identifies design-level issues at the stage they cost the least to fix.

02 · Code Review & Verification

Manual review against documented invariants, supported by static analysis, fuzzing and, where appropriate, formal verification. Findings are categorised by severity, each with a reproducible test case.

03 · External Audit Coordination

Procurement, scoping, and management of independent third-party audits with the firms appropriate to the system’s risk profile. Includes findings triage, remediation oversight, and re-verification before deployment.

04 · Post-Deployment Monitoring & Response

Real-time monitoring across contract and off-chain components, incident response procedures, and the operational structures that allow a team to detect, contain, and resolve issues in production.

03 · Standards

The standard applied to every system we review.

  • 01 · Specification and threat model documented before implementation review begins.
  • 02 · All findings categorised by severity, with reproducible test cases and remediation guidance.
  • 03 · Re-verification of every remediated finding before sign-off, with no exceptions for time pressure.
  • 04 · Independent peer review at architecture, implementation, and pre-deployment stages.
  • 05 · External audit coordinated where the value at stake justifies independent third-party review.
  • 06 · Incident response procedures documented and handed over with every deployment.

04 · Engagement

Begin a security engagement.

Security engagements are scoped against the system being reviewed and progress through defined milestones. To begin, brief us on the system, the threats it must withstand, and the stage at which review is being commissioned. Reviews commissioned during specification cost less and find more than reviews commissioned after deployment.