Web3 security audits and protocol review

Goldberg Security Research

We audit smart contracts, DeFi systems, bridge flows, wallet interactions, and supporting APIs to find exploitable failures before launch or before attackers do.

Protocol scope: Contracts, roles, integrations, and chain assumptions are mapped first.
Exploit evidence: Findings include concrete reproduction paths, not abstract warnings.
Engineering handoff: Reports are written so protocol engineers can patch and retest.
Services

Blockchain security audits for protocols, products, and integrations.

We review on-chain code and the off-chain systems around it as one attack surface: contracts, permissions, accounting, bridge state, wallet flows, relayers, APIs, and operational assumptions.

01 Smart contract and protocol audit

Manual review of Solidity, Rust, Move, or protocol logic where authorization, upgradeability, state transitions, and asset custody must behave exactly as intended.

Client receives
  • Severity-ranked findings with affected contracts, functions, and roles
  • PoCs or exact reproduction steps for exploitable conditions
  • Patch guidance, invariant notes, and retest-ready acceptance criteria

02 DeFi accounting and economic risk review

Review of vault accounting, share pricing, reward distribution, oracle assumptions, liquidations, staking math, fee paths, and user-fund movement across edge cases.

Client receives
  • Fund-flow and accounting-invariant review for critical paths
  • Mainnet-fork simulations where realistic loss needs proof
  • Severity framing tied to loss potential, privilege, and market state

03 Bridge, wallet, and integration security

Review of cross-chain messaging, relayers, refund paths, wallet signing flows, SDK routes, API permissions, and off-chain services that influence on-chain outcomes.

Client receives
  • Trust-boundary map across contracts, services, chains, and signers
  • Replay, stale-state, refund, route, and authorization test cases
  • Concrete fixes for integration assumptions that can move assets

04 Launch readiness, retest, and exploit validation

Final review before deployment, upgrade, migration, bridge rollout, token launch, or bug bounty payout, with emphasis on whether the system is safe enough to ship.

Client receives
  • Launch-blocker list and high-risk diff review
  • Independent exploitability verdicts for submitted reports
  • Post-fix verification notes and residual-risk summary

Inputs: Repos, contracts, deployment addresses, architecture docs, chain/fork config, tests.
Outputs: Audit findings, PoCs, impact analysis, remediation guidance, retest notes.
Engagement model: Focused audit, launch review, bounty validation, retainer research, urgent triage.

Interactive scope

Audit the whole Web3 system.

Protocol risk rarely lives in one contract. We test the places where contracts, off-chain services, wallets, bridges, and operational controls meet.

01 Smart contracts and protocol code

Review access control, upgradeability, state transitions, accounting logic, external calls, and invariant assumptions.

Focus: exploit paths, invariant breaks, patchable findings.

Specialisms

Web3 systems we audit.

The strongest reviews connect on-chain logic with the systems that operate it: governance, keepers, relayers, wallet flows, frontends, SDKs, monitoring, and incident response.

01 Smart contracts and DeFi

High-signal review of vaults, adapters, staking, governance, oracle assumptions, share pricing, reward accounting, and liquidation paths.

Fund flows

Can accounting drift create user loss, unfair exits, or reward capture?

Governance

Can stale state, eras, or voting power bypass protocol guards?

Fork proof

Can impact be reproduced against realistic chain state and balances?

02 Cross-chain and bridges

Analysis of message verification, endpoint accounting, replay state, fallback recovery, refunds, XCM fees, and multi-chain address logic.

Message state

Can stale verification, nonce, payload, or confirmation state be reused?

Refund paths

Can fallback, fee, or shared-balance logic move assets incorrectly?

Chain formats

Can address encoding, XCM weight, or route assumptions break safety?

03 Wallet, signer, and API boundaries

Review of wallet prompts, signer state, key material handling, API permissions, relayer authorization, SDK routing, and multi-role product logic.

Key handling

Can low-privilege access expose stronger credentials or secrets?

Signer logic

Can stale owners, wrong chains, or wrong routes authorize new actions?

Route access

Can frontend, SDK, or API routes trigger unintended on-chain effects?

04 Crypto and protocol code

Focused analysis of Rust and protocol implementations where proof verification, wallet behavior, parser state, or runtime semantics must match intent.

Proof systems

Can verifier assumptions be violated by edge-case group elements?

Wallet logic

Can transaction construction leak fingerprints or break parity?

Runtime edges

Can encodings, weights, nonces, or cached keys alias unexpectedly?

Method

A practical audit process.

Each audit is designed to answer the question that matters: can this system lose funds, leak authority, mis-account value, or execute unintended state changes?

1. Authorize

Confirm protocol scope, deployed addresses, repos, test environments, chain assumptions, and operational constraints.

2. Map

Trace contracts, roles, admin controls, cross-chain messages, oracle inputs, wallet flows, and external dependencies.

3. Validate

Build the smallest useful proof needed to show exploitability, economic impact, and affected assets.

4. Report

Deliver severity, reproduction steps, PoCs, affected components, remediation notes, and retest criteria.

Responsible security research only.

Work is conducted on authorized targets and avoids destructive testing, unnecessary fund movement, broad data access, and avoidable service impact.

Authorization

Testing begins only when scope, target ownership, and permitted techniques are clear.

Disclosure

Technical details are shared with authorized stakeholders and are not published without permission or coordinated disclosure context.

Data handling

Evidence is minimized, redacted where possible, and collected only to demonstrate impact.

Evidence

Audit reports are built for protocol engineers.

Findings are structured so a protocol team can reproduce the issue, understand asset impact, patch the right component, and verify the fix with confidence.

Fork reproduction · Invariant trace · Remediation context

evidence.packet.yml
scope:
  authorization: confirmed
  surface: defi.accounting
  objective: prove_impact_without_noise

finding:
  boundary: vault_share_price
  impact: passive_user_loss
  proof:
    mode: mainnet_fork
    chain_state: pinned_block
    artifacts:
      - invariant_trace
      - attacker_delta
      - victim_delta
      - fix_note

handoff:
  status: reproducible
  retest: ready_after_fix

Contact

Start with the protocol, scope, and launch decision.

For smart contract audits, DeFi reviews, bridge/integration checks, exploit validation, or launch readiness, send enough context to scope the review quickly.

Assessment: Scoped review of contracts, protocol mechanics, integrations, and privileged flows.
Triage: Independent exploitability verdict for reports, alerts, suspicious transactions, or suspected bugs.
Handoff: PoCs, reproduction artifacts, remediation notes, and retest criteria for engineers.
Secure intake: goldberg.security@proton.me

First replies focus on whether the work is authorized, bounded, technically useful, and ready for an audit or triage sprint.

Response: Scope, authorization, assets, next step.
Mode: Authorized testing only.
Include:
  • Target systems, contracts, repos, domains, or API surfaces
  • Chain, deployment addresses, branch/commit, and test environment
  • Authorization context or public program scope
  • Timeline, constraints, known concerns, and preferred report format