TypeScript Audit

TypeScript audits, read line by line.

Source-level security audit of your TypeScript backend, dApp, or SDK. We read the code, follow the data flow, and find the bugs that type checking can't catch.

backends · dApps · SDKs · senior auditors only

Request an intro call
Why this exists

Types catch bugs. They don’t catch attackers.

TypeScript catches the bugs that look like type errors. It does nothing about race conditions, business logic abuse, or what happens when the data crossing your trust boundary is hostile. A serious TypeScript audit reads the code with the assumption that every input is adversarial — because in production, sometimes it is.

Scope

What’s in the audit.

What we check

TypeScript-specific risk classes

Type bypass at boundaries (any, unknown, casts), unsafe deserialization, prototype pollution, async race conditions, dependency vulns, and trust assumptions in npm packages.

Frameworks

NestJS, Express, Next.js, Hono, Fastify

Backend frameworks we audit regularly. Plus dApp frontends in React and Next.js where TypeScript holds the business logic.

Approach

Source-level review + runtime testing

We read the code, follow the data flow, and exercise the runtime with crafted inputs. Type definitions are documentation, not a security boundary.

Recent engagements

Recent TypeScript engagements.

TypeScript · API

Hyperlines Audit and Pentest

TypeScript audit of the Hyperlines insights marketplace — API surface, business logic, and integration risk.

Sep 2025 · Hyperlines

TypeScript · L1 infra

Initia Protocol Infrastructure

L1 TypeScript infrastructure audit covering the off-chain services around the Initia chain.

Jun 2025 · Initia

TypeScript

Spicenet TypeScript Audit

Source-level TypeScript audit of the Spicenet backend, focused on data flow and auth boundaries.

Jan 2026 · Spicenet

How pricing works

Scoped to your codebase.

TypeScript audits are sized to LOC, framework complexity, and integration surface. No fixed packages. Talk to us for a scope and quote.

Request an intro call
FAQ

Questions.

A code-level security review of TypeScript application code — backend services, dApp frontends with business logic, indexers, relayers. Source-level depth, not just outside-in pentesting.

Critical paths, yes — auth, payment, signing, state mutations. Lower-risk code gets review proportional to its blast radius. Same approach we use on smart contract audits.

TypeScript audit is source-level (we read the code). Pentest is runtime-level (we attack the running system). Both are valuable; usually you want both — book them together as a combined engagement.

We review the dependency graph for known vulnerabilities, supply-chain risk, and unmaintained packages. Deep audit of the dependency code is out of scope unless you've forked it.

Yes. Wallet SDKs, signing libraries, and integration shims are common scope items. Anywhere user keys or signed payloads flow through TypeScript code.

Two to four weeks for typical scope. Sized to lines of code, framework complexity, and the off-chain/on-chain integration surface.

From our research

Go deeper.

Discipline

TypeScript audits in Web3

Why the off-chain layer is where modern protocols actually break, and what a serious TypeScript audit covers.

Threat model

The weakest link in DeFi is the web app

How frontend and backend mistakes turn audited contracts into losing customer funds.

Scoping

How to scope a smart contract audit

A practical guide to scoping any audit engagement — applies to TypeScript codebases as much as Solidity.

Other services

Need something else?

Parent

Application security

Back to the parent service — full off-chain audit scope.

Sibling

Penetration testing

Runtime attack instead of source review — book both for full coverage.

Bundle

Full-Stack Audit

Smart contract audit + TypeScript audit in parallel, with boundary risks reviewed jointly.

Ready when you are

Ready to audit?

Send us your repo and a target date. We’ll come back with a scope and a quote within 24 hours.

Request an intro call