Zealynx Security

Smart contracts. dApps. AI agents.

One security partner for the whole stack.

Manual review, dApp pentesting, and AI red-teaming. Senior auditors on every audit. Across EVM, Solana, Rust, Cairo, and Sway.

Track record
Audits: 41 audits completed
TVL secured: $5B+ peak protocol value audited
Findings: 311 vulnerabilities identified
Chains: 5 (EVM · Solana · Rust · Cairo · Sway)
Trusted by 30+ protocols
DRIPSTER
FAIR LABS
NOVASWAP
WEDEFIN
AMPLE
MICROCHAINS
MATCHAIN
IPAL NETWORK
GOLDEN GRID
BADGERDAO
MONADEX
INVERTER
PAYMATIC
GLIF
SIDE.XYZ
MANGROVE
PARAGON
YADACOIN
Also Trusted by Security Firms

Carlos (Bloqarl), founder of Zealynx, has worked as a contract auditor for Pashov Audit Group, Cyfrin, and Sherlock.

Differentiation

Why teams choose Zealynx.

01

Same auditor. Without the agency markup.

Hire any of the bigger names and the lead auditor on your engagement may well be Carlos anyway. He has contracted on audits for Cyfrin, Immunefi, Pashov Audit Group, and Sherlock. Hire Zealynx and you get him directly, working alongside the same senior team, with no agency layer between you and the person reading your code.

02

The full stack, audited in parallel.

Smart contracts, dApps, and AI systems reviewed at the same time, not in sequence. Auditing every layer simultaneously is faster to deliver, and every layer informs the others. The more context we have on how the system fits together, the deeper the findings get.

03

Recognized work. Public reports.

ETHSecurity Badge of Trust from TheDAO. Author of the official Uniswap v4 documentation. Founder of Zealynx Academy, a public security learning platform. Plus 41 audits, public by default: read them before you sign.

What we audit

End-to-end security.

Smart contracts, dApps, and AI systems.

LAYER 01

Smart contract audits

Line-by-line manual review, plus Slither, custom Foundry invariants, mutation testing, and Krait. EVM, Solana, Rust, Cairo, Sway.

Solidity · Rust · Cairo · Sway · Foundry · Slither · Krait · Halmos
LAYER 02

Application security

White-box and black-box pentesting for dApps, wallets, APIs, and infrastructure. OWASP plus Web3 business logic.

dApps · Wallets · APIs · Backends · OWASP · Burp · Threat model
LAYER 03

AI and MCP audits

Prompt injection, model abuse, and Model Context Protocol server reviews. Red-team simulation with reproducible attack chains.

Prompt injection · Tool abuse · MCP · Agents · Attack chains
How an audit works

From scope to fix review, every layer is published.

STEP 01 · Fixed price

Scope.

Share your repo and architecture notes. We return a fixed-price scope, timeline, and named lead auditor.

STEP 02 · 6 layers

Review.

Line-by-line manual review, plus Slither, Krait, hand-written Foundry invariants, and mutation testing on your test suite. Each layer is calibrated against a seeded bug before its result counts.

STEP 03 · Public

Report.

Every finding ships with severity, impact, reproduction steps, and a concrete fix. Severity is set by the published Impact × Likelihood matrix.

STEP 04 · Included

Fix review.

We re-review your patches at no extra cost and update the report to reflect the resolved state.

Testimonials

What our clients say.

We are very pleased with the collaboration with Zealynx. Their approach was very professional, always open to discussion, and helped us discover potential pain points in our smart contracts, providing suggested solutions alongside. Their commitment to the subject was evident and impressive. Hopefully, this is the first of our many collaborations.
Bojan
Golden Grid · CTO
Krait · open source AI auditor

Krait. Open source AI auditor.

Generates tailored security prompts for every check, backed by real Solodit exploits. 90% precision against 40 public audit contests. Works with Claude Code, Cursor, Windsurf, and Codex.

GRANTS · BY ZEALYNX

$100k+ in funded audits for Web3 builders.

Open to developers, DAOs, and small teams building on supported chains. Founder-led audits. Public reports.

100% covered

Core Grant

up to $32,000

Free full audit for selected builders. Aimed at solo founders and small teams.

Half covered · 50%

Growth Grant

$16,000

Half-price audit for protocols with traction but limited security budget.

Discounted · 25%

Builder Grant

$8,000

Discounted audit for early-stage builders who do not yet qualify for Core.

Zealynx Academy · free

Zealynx Academy. Free.

Build real DeFi protocols line by line. Audit real forks from past contests. Learn what it takes to launch your own.

01 · BUILD: Pick Uniswap V2
02 · AUDIT: Shadow Arena
03 · LAUNCH: eMBA for founders


Security research

Security research.

Public write-ups on the bugs and patterns we find in production audits.

Web3 Security · May 2026 · 11 min

Gamified Learning in Web3: Why Ranks, Leaderboards, and Lynx Actually Work

Gamification in learning often feels hollow. Here's why Zealynx Academy's rank and leaderboard system is different — and why it produces verifiable reputation, not points for points' sake.

AI Audits · May 2026 · 12 min

Anthropic MCP SDK Vulnerability (April 2026): Full Analysis

Web3 Security · May 2026 · 10 min

Inside the ETHSecurity Badge: Recognition from TheDAO Fund and What It Means

FAQ

Frequently asked questions.

A typical Zealynx smart contract audit runs 2 to 6 weeks from kickoff to delivery. Scope, codebase size measured in nSLOC, complexity, and number of integrations drive the timeline. We share the lead auditor's calendar and a fixed delivery date before you sign the engagement.

Zealynx audits smart contracts on EVM (Solidity), Solana (Rust and Anchor), Starknet (Cairo), and Fuel (Sway). Beyond smart contracts, we audit Web2 backends, dApp frontends, TypeScript codebases, APIs, wallet integrations, AI systems, and Model Context Protocol (MCP) servers, all with the same senior review depth.

Yes. Fix review is included in every Zealynx engagement at no additional cost. We re-review your patches, verify each finding is resolved, and update the audit report to reflect the resolved state before publication.

A senior auditor leads and signs off on every file. There are no junior handoffs, no ticket queues, and no agency layer between you and the person finding the bugs. Founder Carlos Vendrell (Bloqarl), who has audited as a contractor for Cyfrin, Immunefi, Pashov Audit Group, and Sherlock, leads or co-leads every engagement.

Krait is Zealynx's open source AI auditor, one of six independent verification layers in our methodology. It runs alongside manual review, Slither static analysis, custom Foundry invariants, and mutation testing. Krait is calibrated against deliberately seeded bugs before its results are trusted, and findings always go through human verification before they reach the audit report.

Every Zealynx audit ships with a public report (private on request) containing each finding's severity, impact, reproduction steps, and a concrete fix. Severity is set by the published Impact × Likelihood matrix. You also get the full Krait scan output, the Foundry invariant test suite, the mutation testing report, and a free fix review after remediation.

Send your repository and a one-paragraph brief through zealynx.io/quote. Carlos replies personally the same day with a fixed-price scope, timeline, and named lead auditor. There is no sales call gate and no agency intermediary. Audit grants up to $32,000 are also available for qualifying builders at grants.zealynx.io.

Get a quote

Send your code. I'll reply personally.

Carlos here. Drop a repo or a one-paragraph brief and I'll get back to you the same day with a scope, timeline, and quote. No sales call gate, no agency layer. Just the auditor who'll be reading your code.