What we do
Read by someone who thinks like an attacker
Static scanners catch patterns, not intent. They miss that two safe functions become dangerous together, or that one access check is absent in an otherwise clean codebase. We read the critical paths by hand, follow how data and trust flow, and rank what we find by what it actually opens. For on-chain code the stakes are higher: one bug is a direct loss.
CAP 01
Manual review of critical paths
We read the code where it matters most: authentication, access control, payment, and anything that handles sensitive data.
- Manual review of the critical code paths
- Data flow and trust boundaries traced end to end
- Logic flaws and chained weaknesses scanners miss
- Findings ranked by what they actually open
CAP 02
Secrets and supply chain
The risk that is not in your own code, but in what it pulls in and what it leaks.
- Secrets and keys exposed in code and logs
- Dependencies with known vulnerabilities
- Supply chain and build pipeline reviewed
- Configuration and defaults that leak
CAP 03
Smart-contract and protocol
On-chain code where the stakes are higher, read against both known and novel attack patterns.
- Smart-contract security review
- Protocol and economic-logic analysis
- Reentrancy, access and price manipulation
- Findings with concrete exploit scenarios