Book. Secure. Relax.
We're a security partner for Web3 protocols. The audit is the core of what we do. Operational security reviews, continuous audits, and a vCISO keep you covered the rest of the time.
Our approach
Security doesn't end at the report
A protocol audit can come back clean while the deployment key sits in a Slack message. A multisig can be implemented perfectly while the signing ceremony is a mess. Most failures cross layers, so our coverage does too.
Protocols
White papers, specs, mechanisms, governance, source code. The design-level threats and the invariants that have to hold. This is where our audits live.
Systems
How the protocol is built and run: infrastructure, CI/CD, deployment, key management. A compromised CI job is how a clean codebase ships a malicious release.
Organisations
Who can actually touch the assets, and how the team works day to day. The human side, where a lot of the real risk lives.
The useful question isn't "which service do you need?" It's "which parts of your threat surface are covered, and which aren't?" Our TRACE threat modelling framework maps every engagement to what it covers.
Services
One partner, every layer
Security Audits
Foundation, Seed, and Signature audits of smart contracts, consensus algorithms, virtual machines, and bridges, run with our blinded process.
Operational Security Review (Systems + Organisations)
A review of everything an audit leaves out: multisig design, key management, deployment, governance, and incident response.
Continuous Audit (Continuous)
Keep your threat model current between audits. Pull-request reviews with a guaranteed turnaround, plus priority scheduling when you need a full audit.
vCISO Service (All pillars)
An on-demand security leader who owns your threat model. The person your founders call before an architecture decision, or when something breaks.
Penetration Testing (Systems)
Web3-native pentests of wallets, browser extensions, web interfaces, and backends that hold keys. Real testing, not a checklist.
Operational Security Training (Organisations)
Security training for technical and non-technical team members, built around the attacks actually hitting Web3 teams.
Security & Economic Advisory (Advisory)
Design reviews of white papers and architectures, plus economic modeling to harden your protocol.
Technical Due Diligence (Advisory)
Viability, technical maturity, code quality, and IP risk. The same review VCs and foundations ask us to run on teams.
Methodology
TRACE. One threat model, three layers.
TRACE is our threat modelling methodology for teams that don't have a clean security perimeter. We built it through our Web3 work and published it openly under CC BY 4.0.
Pre-Audit Agent
Point it at a repository and it hands back an audit-readiness score, the risky spots, a sense of the complexity, and the audit package that fits, before you ever talk to us. Open to beta users for now.
Op-Sec Academy
A free, open library on the operational side of security: multisig design, key management, governance, and TRACE. The part audits don't reach.
In partnership with SEAL
SEAL operational security certification
We're an accredited firm for the Security Alliance (SEAL) operational security certification program. We assess your protocol against the SEAL framework, and when you pass, SEAL issues a verifiable on-chain attestation through the Ethereum Attestation Service.
The certification covers the operational side, where most of the real losses start. An attestation says you've put the practices in place. It doesn't claim your code is bug-free, and we wouldn't either.
Our specializations
We audit all components of Web3
Research
The State of Web3 Security
Four years of data: 23,818 published audit findings from 22 firms, and 218 real-world exploit incidents worth US$7.76 billion in losses. We built it with rekt.news.
Most Web3 losses don't start in the code
A perfectly audited contract won't help you if the deployer key leaks. Here's what an operational security review actually looks at.
The State of Web3 Security 2022 – Q1 2026: six key findings (Research)
What 23,818 audit findings and 218 exploit incidents tell us about where Web3 actually loses money.
Introducing TRACE: threat modelling without a perimeter (TRACE)
Why we built our own threat modelling methodology, what the five model objects are, and why it works beyond Web3.
Get a quote
Tell us about your project and we will get back to you within one business day.
Testimonials
What our clients say
“We’re deeply grateful to Oak Security for their audit of Cube by SatLayer, our Babylon liquid staking protocol. The audit covered our CosmWasm contracts for deployment on Babylon Genesis, and we were consistently impressed by Oak’s deep technical insight into the Cosmos stack and CosmWasm. Having worked with various auditors, we found Oak’s thoroughness, clarity of communication, and practical recommendations to be a cut above. We would absolutely recommend Oak Security to any team building in Cosmos or on Babylon.”
“If more projects had auditors like Oak Security, the industry would be in a substantially better place. I can’t overstate how much myself, Maciej and the whole team appreciate their incredible input. Once again, amazing work!”
“We’ve worked with the Oak team extensively while launching and upgrading Noble. They have caught some subtle issues and have been a great partner in helping us ship quality secure products. We love working with the team too and have been recommending them to folks looking!”
“Oak’s unique approach to auditing has helped secure Stride’s liquid staking design, custom SDK modules and CosmWasm contracts. Oak emulates potential adversaries by red teaming, pitting auditors against each other in an incentivized competition to uncover vulnerabilities. The team is professional, experienced and a pleasure to work with.”
“The Oak Security team has been extremely helpful in streamlining the whole audit process for our grants projects and reducing their time to market on Osmosis. We’ve also received positive feedback from our grantees as they’ve told us Oak Security has been a pleasure to work with.”
“Oak Security conducted an audit for us at Nym, examining over 500 lines of our mathematically complex CosmWasm mixnet reward contract. Refer to “Reward Sharing for Mixnets” to get an impression of the contract’s complexity. Oak Security identified bugs that had been overlooked by a less talented security auditor. With the help of Oak Security, we have successfully remedied these bugs.”
“Oak Security’s comprehensive audits of Sei Chain, CosmWasm bindings as well as modifications of both Cosmos SDK and Tendermint have been indispensable towards the journey to superior security for Sei. Their thorough and insightful approach has given an unparalleled sense of assurance in the solidity of Sei’s systems. Oak Security’s professionalism, expertise, and dedication have truly set them apart. Oak Security has our highest recommendation.”
“We were deeply impressed by the thoroughness of Oak Security’s audit of Snowbridge, our light-client-based bridge between Ethereum and Polkadot. They created a comprehensive threat model outlining the various complex components and risks involved in the bridge and uncovered several critical vulnerabilities during the audit, which shows their profound understanding of the technologies involved. We are extremely satisfied with Oak Security’s professional approach and recommend them wholeheartedly for their exceptional blockchain security expertise.”
“At Filecoin, we engaged Oak Security for a 6-week security audit of our Ethereum Virtual Machine (EVM) implementation. During this engagement, their diligent team showed a deep understanding of the intricate details of the EVM, such as differences in the opcode implementation and gas accounting. Oak Security identified several important issues providing clear, actionable solutions that greatly improved our system’s resilience and security. Their expertise in the field is evident, and their contribution to our project has been invaluable. We highly recommend Oak Security for any organization seeking best-in-class cybersecurity solutions.”
“Stargaze has worked with Oak Security on several audits. Oak is one of the few teams that understand CosmWasm in and out. They were able to discover issues in our contracts that evaded our most senior engineers. We always feel a lot more confident with our code after an Oak audit. They are also always available and respond to questions in a timely fashion.”
“We’ve worked with Oak Security on a number of occasions, for both CosmWasm smart contracts and Cosmos SDK blockchain codebases. They’ve been one of the most reliable and thorough firms we’ve gotten to work with and we frequently recommend Oak Security to our partners.”
“The team of @SecurityOak are unsung heroes in the @CosmWasm ecosystem. Dedication, expertise and humbleness make it pure joy working with them. The value they add by strengthening the framework behind the scenes makes them a SAFU gem for all of us.”
Meet our team
50+ senior security researchers
Our researchers hold Master's degrees and PhDs in Computer Science, Cryptography, Economics, Engineering, and Finance. We work with a distributed pool of the industry's best security experts, allowing us to expand on demand. Below are selected profiles.
Dr. Stefan Beyer
Co-Founder & Managing Director
- Leads Oak Security’s operational security services and blockchain infrastructure reviews.
- 20+ years in distributed systems and cybersecurity; smart contract auditor since 2017.
- PhD in Operating Systems; expert in consensus protocols like PBFT.
Philip Stanislaus
Co-Founder & Managing Director
- MPhil in Economics from Cambridge; active in blockchain engineering since 2018.
- Architected Polkadot pallets, Cosmos SDK modules, and bridges across ecosystems.
- Oversees internal audit processes and security standards at Oak Security.
Christian Vari
Head of Audit Operations
- Master’s in Cybersecurity and Blockchain; specialized in distributed systems, Rust, and Go.
- 150+ audits including Cosmos SDK, Interchain Security, Stellar, CosmWasm VM, Filecoin EVM, and Move contracts.
- Former engineer at IBM/HCL working on distributed systems and schedulers.
Kateryna Yakovenko
Delivery Manager
- Business Analyst & Project Manager with a degree in Applied Mathematics.
- Coordinates auditors and clients and serves as the bridge between them to deliver audits and audit reports.
- Led digital system design for the Ukrainian Border Guard Service.
Bernd
Lead Blockchain Security Auditor
- Completed 100+ audits across DeFi, wallets, bridges, and VMs (e.g., FEVM).
- Top-ranked on Code4rena, Sherlock, and CodeHawks, with 17 top-3 placements including 7 first-place finishes.
- Specialized in Solidity, Rust, Go, the Cosmos ecosystem, and complex bridging protocols.
Jakub Heba
Senior Blockchain Security Auditor
- 9+ years in cybersecurity, including 3.5 years in Web3 security and blockchain auditing.
- Conducted 130+ audits across smart contracts, L1 blockchains, and off-chain components.
- Expert in low-level exploit development, penetration testing, and niche blockchain languages.
Values
Why teams choose Oak
Founder-led
Without VC funding, we have focused on sustainable growth without compromising on quality.
Agile
Our global pool of vetted senior security researchers allows us to expand on demand.
Relentless
Redundancy by design. Our work is conducted by multiple security researchers independently and simultaneously.
Reliable
We've been in the game since 2017, with many of the industry's top security experts, including PhD economists and cryptographers.