The off-chain attack surface, audited.
Black-box and white-box pentesting for dApps, wallets, APIs, and infrastructure. OWASP fundamentals plus the Web3 business logic that lives at the boundary between off-chain and on-chain.
Your contracts can be perfect. Your backend can still lose funds.
Modern Web3 protocols are most of the way off-chain. Backends sign payloads. APIs gate state transitions. Indexers feed prices to the contracts. The on-chain code is the tip; the surface area underneath it is what attackers actually exploit. Audit it like you mean it.
What’s in the audit.
OWASP plus Web3 business logic
Backends, APIs, frontends, infra
Black-box, white-box, threat modeling
Recent off-chain engagements.

Dripster Backend Pentest
Black-box and white-box review of the NestJS backend that signs EIP-712 payloads and routes orders to Polymarket.
Hyperlines Audit and Pentest
Combined backend audit and pentest of the Hyperlines insights marketplace — TypeScript, API surface, and infrastructure.
Initia Protocol Infrastructure Audit
L1 infrastructure audit covering the off-chain TypeScript services around the Initia chain.
Scoped to your stack.
Application security audits are sized to surface area (number of services, API count, infra complexity) and timeline. No fixed packages. Talk to us for a scope and quote.
Questions.
Same OWASP fundamentals, but with Web3 business logic on top. The bugs we look hardest for are at the boundary — where a backend signs an EIP-712 payload, where an API gates a state transition, or where a webhook fires an on-chain call. Generalist pentesters miss those.
Both, by default. Black-box from the perimeter gives us a real attacker's view. White-box with the codebase lets us cover the parts an outside attacker can't reach in the timebox.
TypeScript/Node (NestJS, Express, Next.js, Hono), Python (FastAPI, Django), Go, Rust backends — anywhere your off-chain stack runs. Plus the underlying infra (Postgres, Redis, queues, container hardening).
Yes. Secret management, IAM scope, container hardening, CI/CD pipeline integrity, and webhook endpoint protection are scope items, not an afterthought.
Yes — wallet security has its own page covering wallet SDKs, account abstraction, and EIP-7702 risks. The Application Security audit can include wallet integration testing as a scope item.
Written report with findings, severity rationale, reproduction steps, and remediation guidance. Plus fix verification after you implement. Published on zealynx.io by default; private engagements available.
Two to four weeks for typical scope. We scope and quote against your specific stack before you commit.
Ready to pentest?
Send us your repos and a target date. We’ll come back with a scope and a quote within 24 hours.