top of page
Modern Cityscape at Night

Code that controls capital deserves rigorous scrutiny

Violet Sky Security SEZC conducts structured, methodology-driven smart contract audits for DeFi protocols, NFT platforms, token issuers, and regulated Web3 entities.

· BSSC Smart Contract Security Standard v1 2026

· OWASP Smart Contract Security Verification Standard

· SWC Registry Classification

Modern Glass Buildings

WHAT WE AUDIT

Every contract type.
Every vulnerability class.
From a simple token deployment to a multi-contract DeFi architecture, our audit scope is calibrated to the attack surface, not a fixed template. Each engagement uses a contract-type-specific checklist covering the vulnerability classes that actually matter for that architecture.

ERC-20 Tokens & Stablecoins

Mint/burn controls, supply cap enforcement, permit (EIP-2612), fee-on-transfer handling

DeFi Protocols

Oracle manipulation, flash loan attack surface, AMM price integrity, liquidation logic, slippage controls

Governance & DAO Contracts

Flash loan voting, proposal lifecycle, timelock controls, quorum manipulation

Cross-Chain Bridges

Message replay protection, validator threshold, lock/mint accounting integrity, emergency controls

NFT Collections & Marketplaces

safeTransferFrom vs transferFrom, onERC721Received reentrancy, royalty enforcement (EIP-2981), signature replay

Upgradeable Proxy Contracts

Storage collision analysis, initialisation guard, UUPS/Transparent/Beacon patterns, upgrade authorization

Staking & Reward

Flash stake reward inflation, lock period bypass, reward pool drain, time-weighted accounting

CIMA Tokenised Funds

Regulatory compliance overlay, token classification, licence application-ready reporting

Three-Document Alignment Review

Tokenised fund engagements under the Cayman Islands Mutual Funds Amendment Act 2026 include a Three-Document Alignment Review, comparing what CIMA approved in the registration filing, what the constitutional documents (PPM and Articles of Association) promise investors, and what the smart contract code actually enforces. 

 

Misalignment between the three layers creates regulatory risk (CIMA non-conformance), legal risk (investor claims against the fund), and financial risk (unenforceable transfer restrictions or uncapped token supply).

Each type of misalignment requires a different remediation path. 

Financial auditors review the accounts. Legal counsel reviews the constitutional documents. Neither reads Solidity. VSS bridges all three layers, verifying that what CIMA approved, what the PPM promises, and what the smart contract enforces are the same. VSS provides technical security review only. This is not legal or regulatory advice.

AUDIT METHODOLOGY

Nine phases.

No shortcuts.

 

All reports assessed against:

BSSC Smart Contract Security Standard v1 (2026) · OWASP Smart Contract Security Verification Standard · SWC Registry · BVSS scoring (Halborn)

 

Every engagement runs all nine phases in sequence.

00

Pre-Audit & Scoping

Architecture walkthrough, scope definition, trust assumption mapping, and readiness checklist review. Code freeze confirmed before analysis begins.

01

Threat Modelling

STRIDE-based threat model generated from the contract structure and reviewed manually. Implementation-specific threats identified before any scanning begins.

02

Unit Test Hardening

Gambit mutation testing assesses whether the existing test suite catches known vulnerability patterns. Coverage gaps flagged as findings.

03

Code Review

Static analysis (Slither), symbolic execution (Mythril), and call graph generation. All runs on air-gapped infrastructure —no source code transmitted to third-party services.

04

Code Quality

Fifty-plus item type-specific checklist covering CEI pattern, access control, events, NatSpec, floating pragma, and BSSC SCS v1 requirements.

05

Fuzzing

Echidna invariant candidates generated and validated by the auditor. Property-based fuzzing targets the invariants mostlikely to reveal economic attack paths.

06

Evidence Packages

The development team has 10 business days to respond to each finding. Seven response statuses are tracked: Resolved, Partially Resolved, Acknowledged Will Resolve, Acknowledged Not Resolved, No Response, and two intermediate states.

 

VSS is available for clarifying questions throughout this period. Every change submitted as a fix is reviewed against the original finding before the status is updated.

07

Observability

Per-finding Tenderly and Forta monitoring configurations delivered with the report. Clients load these before mainnetdeployment.

08

Formal Verification (Critical findings)

Halmos symbolic model checking for the most critical invariants identified in Steps 1–7. Mathematical proof that the property holds for all possible inputs — not just tested inputs.

09

Final Report & Attestation

BVSS-scored findings. Triple classification against BSSC SCS v1, OWASP SCS, and SWC Registry. SHA-256 file integrity checksums. Structured for regulatory submission to CIMA, VARA, MiCA, BMA, FCA, and MAS. Re-verification of fixes included.

City Skyline View

ANALYSIS TECHNIQUES

Four complementary methods.
No single-tool audits.

Each technique finds a different class of vulnerability. Running them together and reconciling the results , which is the manual work, is where real audit value is created. A report that is just a Slither output dump is not an audit.

Static Analysis

Analyses control flow, data flow, and state variable interactions without executing the contract. Highly effective at detecting reentrancy, access control failures, arithmetic issues, and event logging gaps. Produces SWC-classified findings with source line references.

Symbolic Execution

Explores all possible execution paths through mathematical constraint solving. Finds reachability violations, assertion failures, and integer boundary conditions that static analysis misses. Particularly effective for SWC-101, SWC-107, and SWC-115 patterns.

Formal Verification

Mathematically proves that specific invariants hold across all possible inputs and states. Used on critical protocol logic "the contract balance never falls below total depositor claims", where probabilistic testing is insufficient. All formal verification runs locally; no code transmitted to cloud provers without explicit consent.

Manual Expert Review

Business logic flaws, economic attack paths, and design-level vulnerabilities require human judgment. Covers trust assumption violations, oracle manipulation scenarios, flash loan attack surfaces, governance manipulation, and the gap between what the code does and what the documentation says it should do.

VSS and AI

VSS uses AI-augmented analysis tools as part of the audit pipeline. All findings are manually reviewed and verified by the lead auditor. Automated outputs are starting points for expert analysis, not conclusions.

  • GitHub
  • LinkedIn

Violet Sky Security SEZC provides technical smart contract security assessments and cybersecurity advisory services. Reports and assessments are not legal advice, regulatory opinions, or guarantees of security. No audit eliminates all risk. Findings reflect the codebase at the agreed audit commit hash only. Clients requiring legal or regulatory opinion should engage qualified legal counsel. BVSS scoring framework developed by Halborn (halborn.com/bvss). © 2026 Violet Sky Security SEZC · Cayman Islands Special Economic Zone 

bottom of page