Code that controls capital deserves rigorous scrutiny
Violet Sky Security SEZC conducts structured, methodology-driven smart contract audits for DeFi protocols, NFT platforms, token issuers, and regulated Web3 entities.
· BSSC Smart Contract Security Standard v1 (2026)
· OWASP Smart Contract Security Verification Standard
· SWC Registry Classification

WHAT WE AUDIT
Every contract type.
Every vulnerability class.
From a simple token deployment to a multi-contract DeFi architecture, our audit scope is calibrated to the attack surface, not a fixed template. Each engagement uses a contract-type-specific checklist covering the vulnerability classes that actually matter for that architecture.
ERC-20 Tokens & Stablecoins
Mint/burn controls, supply cap enforcement, permit (EIP-2612), fee-on-transfer handling
DeFi Protocols
Oracle manipulation, flash loan attack surface, AMM price integrity, liquidation logic, slippage controls
Governance & DAO Contracts
Flash loan voting, proposal lifecycle, timelock controls, quorum manipulation
Cross-Chain Bridges
Message replay protection, validator threshold, lock/mint accounting integrity, emergency controls
NFT Collections & Marketplaces
safeTransferFrom vs transferFrom, onERC721Received reentrancy, royalty enforcement (EIP-2981), signature replay
Upgradeable Proxy Contracts
Storage collision analysis, initialisation guard, UUPS/Transparent/Beacon patterns, upgrade authorization
Staking & Reward Systems
Flash stake reward inflation, lock period bypass, reward pool drain, time-weighted accounting
VARA / MiCA Regulated Contracts
Regulatory compliance overlay, token classification, licence application-ready reporting
AUDIT METHODOLOGY
Eight phases.
No shortcuts.
Our process follows the BSSC Smart Contract Security Standard v1 (2026), the institutional-grade framework developed by OpenZeppelin, Halborn, Coinbase, Kraken, Fireblocks, and Mastercard.
Every engagement runs all eight phases in sequence.
01
Pre-Audit & Scoping
Architecture review, threat model construction, and trust assumption mapping. We document every external dependency (oracle feeds, external protocols, admin key types) before analysis begins. The client completes the VSS Pre-Audit Readiness Checklist to confirm that the code freeze and documentation are in place.
02
Automated Analysis Pipeline
A multi-tool pipeline runs simultaneously: static analysis for control flow and state variable tracking, symbolic execution for SWC classification and reachability, and call graph generation for privilege and dependency mapping. All analysis runs on isolated, air-gapped infrastructure; no source code is transmitted to third-party cloud services.
03
Formal Verification (where applicable)
Critical invariants, such as "the total staked balance can never exceed the contract ETH balance", are formally verified using symbolic model checking on local infrastructure. This phase is used for high-value DeFi contracts and protocols where mathematical correctness guarantees are required by investors or regulators.
04
Manual Line-by-Line Review
Every line of in-scope code is read by a human with 22 years of security experience. Logic bugs, economic attack paths, and design-level vulnerabilities (the class of issue that automated tools consistently miss) are identified here. The contract-type-specific checklist drives structured coverage: 50+ items for NFT contracts, and a different set of 50+ items for DeFi protocols.
05
Finding Scoring & Classification
Every finding is scored using BVSS (Blockchain Vulnerability Scoring System), ten dimensions including two blockchain-specific factors: Deposit Risk (what fraction of locked ETH is at risk) and Yield Drain (whether protocol yield can be siphoned). Each finding is classified against SWC Registry, OWASP Smart Contract Security Verification Standard, and BSSC SCS v1.
06
Draft Report Delivery
A structured report is delivered covering: executive summary with security rating, full trust assumptions register, methodology statement, per-finding sections with vulnerable code, impact assessment, corrected code, and BSSC SCS conformance table. Delivered within the agreed timeline, typically 5–10 business days from code access depending on scope.
07
Client Review & Remediation
The development team has 10 business days to respond to each finding. Seven response statuses are tracked: Resolved, Partially Resolved, Acknowledged Will Resolve, Acknowledged Not Resolved, No Response, and two intermediate states.
VSS is available for clarifying questions throughout this period. Every change submitted as a fix is reviewed against the original finding before the status is updated.
08
Final Report & Attestation
The final report is issued with updated finding statuses, fix verification confirmations, and VSS attestation. It is structured to serve investor due diligence, regulatory submissions (VARA, MiCA, CIMA), and public transparency disclosures. A six-month re-audit recommendation is included, as is a post-deployment monitoring advisory.

ANALYSIS TECHNIQUES
Four complementary methods.
No single-tool audits.
Each technique finds a different class of vulnerability. Running them together and reconciling the results, which is the manual work, is where real audit value is created. A report that is just a Slither output dump is not an audit.
Static Analysis
Analyses control flow, data flow, and state variable interactions without executing the contract. Highly effective at detecting reentrancy, access control failures, arithmetic issues, and event logging gaps. Produces SWC-classified findings with source line references.
Symbolic Execution
Explores all possible execution paths through mathematical constraint solving. Finds reachability violations, assertion failures, and integer boundary conditions that static analysis misses. Particularly effective for SWC-101, SWC-107, and SWC-115 patterns.
Formal Verification
Mathematically proves that specific invariants hold across all possible inputs and states. Used on critical protocol logic, such as "the contract balance never falls below total depositor claims", where probabilistic testing is insufficient. All formal verification runs locally; no code is transmitted to cloud provers without explicit consent.
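As an added illustration of the invariants named in the Formal Verification phase and in this section (example code written for this page, not VSS tooling or any client's contract): a hypothetical ETH staking vault whose accounting must always be backed by the contract's real ETH balance, with that property written as a Foundry invariant test. The contract and handler names are assumptions; the fuzzer samples call sequences, whereas a formal prover would check the same property over every reachable state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical staking vault constructed for this example; not an audited client's code.
contract StakingVault {
    mapping(address => uint256) public staked;
    uint256 public totalStaked;
    function stake() external payable {
        require(msg.value > 0, "zero stake");
        staked[msg.sender] += msg.value;
        totalStaked += msg.value;
    }
    function withdraw(uint256 amount) external {
        require(staked[msg.sender] >= amount, "insufficient");
        // Effects before the external call: a reentrant callback already sees the
        // reduced balances, so it cannot withdraw ETH the accounting still claims.
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Handler: gives the fuzzer a funded actor, since random fuzz senders hold no ETH.
contract StakingHandler is Test {
    StakingVault public vault;
    constructor(StakingVault v) { vault = v; }
    function stake(uint256 amount) external {
        amount = bound(amount, 1, 10 ether);
        vm.deal(address(this), amount);
        vault.stake{value: amount}();
    }
    function withdraw(uint256 amount) external {
        uint256 held = vault.staked(address(this));
        if (held > 0) vault.withdraw(bound(amount, 1, held));
    }
    receive() external payable {}
}

contract StakingVaultInvariant is Test {
    StakingVault vault;
    function setUp() public {
        vault = new StakingVault();
        targetContract(address(new StakingHandler(vault)));
    }
    // Checked by forge after every fuzzed call sequence against the handler.
    function invariant_totalStakedNeverExceedsBalance() public view {
        assertLe(vault.totalStaked(), address(vault).balance);
    }
}
```

Run with `forge test --match-contract StakingVaultInvariant`; a violation is reported together with the shortest call sequence that reached the bad state, which is the same shape of counterexample a model checker returns.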
Manual Expert Review
Business logic flaws, economic attack paths, and design-level vulnerabilities require human judgment. Covers trust assumption violations, oracle manipulation scenarios, flash loan attack surfaces, governance manipulation, and the gap between what the code does and what the documentation says it should do.