Multi-expert security audits

The gold standard in Web3 auditing

We audit every part of Web3. What sets us apart is the blinded process: several senior auditors review the same code independently, in parallel, before they compare notes. We've run over 600 engagements since 2017, and clients rate us 9+ out of 10 on average.


Audit tiers

Sized to your protocol, not a template

Three tiers, one methodology. We scope and price every tier per engagement. Ask for a quote and we get back to you within one business day.

Contained scope

Foundation Audit

A senior security researcher supported by our AI-assisted tooling. Ideal for contained scopes: standard tokens, focused contract systems, pre-testnet reviews, and technical due diligence. Fast turnaround at an accessible price point.

Blinded · 2+ seniors

Seed Security Audit

At least two senior security researchers reviewing every line independently before comparing findings in the consensus meeting. Best for growing teams undertaking their first serious audit.

Blinded · 4+ seniors

Signature Security Audit

At least four senior security researchers for maximum redundancy, enabling parallel specialisation across architectural domains. Booked by the strongest teams and mature, high-TVL protocols.

Seed and Signature differ in scale, not in method. The blinded process is the constant. We also audit standard fungible and non-fungible tokens at a fixed rate, checking for standard alignment, deviations, and vulnerabilities, usually in under a week.

Our process

How do we find more issues than others?

When engaged alongside other companies, we typically outperform them. We attribute this to our blinded approach and to the caliber of our auditors.

1. Multiple auditors, relevant expertise

Each audit is done by multiple auditors with relevant expertise for your project. We emphasize redundancy, and you choose the level of redundancy you want. We staff people with different backgrounds, so a DeFi specialist finds different things than a cryptographer.

2. Independent, blinded review

Initially, the auditors work independently as if they will compile the audit report by themselves, using a wide range of tools and techniques. No auditor sees another's findings, so nobody anchors on someone else's analysis.

3. Consensus and final report

Findings come out only in the consensus meeting, followed by a collaborative phase before the final report. Think of it as two pilots and an autopilot on a plane. It looks like overkill until it saves you. We publish every final report on our GitHub.

After the audit

The report is a milestone, not the finish line

An audit covers the protocol layer. Most of the big Web3 losses start somewhere else: key management, deployment, governance, and how the team operates. We stay involved across all of it.

Our specializations

360° coverage of your stack

EVM (Solidity), Solana, Cosmos (CosmWasm), Polkadot/Substrate (ink!), Stellar (Soroban), Rust, Consensus Protocols/Light Clients, Virtual Machines, Cryptographic Primitives, ZK Circuits, Noir, Cairo (Starknet), DeFi, Liquid Staking/Restaking, Cross-Chain Bridges/Sequencers, Off-chain Infrastructure

FAQ

Frequently asked questions

How much does an audit cost?

It depends. We price each audit individually, based on the size of the codebase, how complex and novel it is, and the team it needs. We get back to you within one business day of your request.

Will an audit find all vulnerabilities?

An audit is a time-boxed engagement that finds as many issues as it can in the time available. No security firm can honestly promise it finds everything. An audit is one part of your security, not all of it, and we can help you review the rest of your posture too.

Do you do incremental audits?

Yes. For minor or major updates to an already audited codebase, we offer incremental audits. Changes in one part of the code can impact other areas, so we review possible effects on the entire codebase, not just the changes. We aim to keep the same audit team for these reviews.

How long does an audit take?

The timeline depends on complexity and is provided with our initial quote. Audits range from half a week for simple projects to 12 weeks for very complex ones; most take 1 to 2 weeks. Our auditors remain available for 3 weeks after the initial report for fix verification, which is included.

When should I request a quote?

As early as you can, since lead times can run long. You do not need an audit-ready codebase for a quote. A work-in-progress version plus a description of what is still coming is enough. We also hold blanket reservations that get refined closer to the start date.

How is Oak Security different from other firms?

Our blinded process: each auditor works independently in the first phase, not sharing results, each following their own methodology within our framework. This avoids auditors biasing each other, widens the breadth of techniques applied, and lets us monitor quality consistently. Findings are merged in a consensus step, and final reports are published transparently on GitHub.
