Full-Stack Audit

On-chain and off-chain. One coordinated audit.

A smart contract audit and an off-chain pentest, run in parallel by the same firm. The boundary between them gets reviewed jointly. Booked together for preferred bundle pricing.

Two tracks · one engagement · scoped on request

Why bundled

The bugs that hurt most live at the boundary.

Most exploitable issues in modern Web3 protocols sit at the seam between smart contracts and the stack around them. EIP-712 signatures generated off-chain and consumed on-chain. API trust that gates state transitions. Backend orchestration of on-chain capital. When two separate vendors audit the two sides, no one owns that seam.

“The best way to offer security is not only saying we do smart contract audits. We added pentesting, TypeScript audits, static and dynamic analysis, and AI red teaming, with a decade of senior web2 security on the team. I've been trying to convince protocols this is the right thing to do, and it's becoming more mainstream.”
Carlos Vendrell · Founder · Zealynx
Scope

Two tracks, run in parallel.

Track 01 · On-chain

Smart contract audit.

Line-by-line manual review, plus Slither, custom Foundry invariants, mutation testing, and Krait. EVM, Solana, Rust, Cairo, Sway.

  • Reentrancy, access control, oracle and accounting risk
  • Invariant and property-based testing
  • Static analysis with custom detectors
  • Mutation testing for coverage quality

Lead: Zealynx founder + auditor partner

Track 02 · Off-chain

Backend, frontend, APIs.

Black-box and white-box pentest of your off-chain surface. Authentication, authorization, data exposure, and OWASP-style review, with focus on integration risk with the on-chain side.

  • Auth, session, and key management review
  • API surface and trust boundary analysis
  • Signed payload generation paths
  • Webhook and event-handling integrity

Lead: Zealynx in-house pentester (decade of senior web2 security)

Both teams coordinate throughout. Boundary risks (signed payloads, off-chain state authority, API trust at the on-chain interface) get reviewed jointly.

Recent engagement

Dripster · Dimes.fi

In April 2026 we ran a Full-Stack Audit for Dripster, a leveraged prediction-market vault on Polygon. The on-chain contract uses EIP-712 signature-gated transitions across a 14-state position lifecycle. The off-chain backend signs those payloads and routes orders on Polymarket. We audited both tracks in parallel and closed both reports within a day of each other.

How pricing works

Scoped together, priced together.

The two tracks are scoped together against your codebase and stack. Booking both as a Full-Stack Audit gets you preferred bundle pricing compared to commissioning each track separately. Exact numbers depend on scope, complexity, and timing — talk to us for a quote.

FAQ

Questions.

Yes. Smart contract audits and application security pentests are available as standalone engagements. The Full-Stack Audit is for protocols that want both reviewed together, with the boundary risks coordinated.

Depends on scope and complexity. Typical engagements run 3 to 5 weeks end-to-end. The two tracks run in parallel, so the total wall-clock time is shorter than running them sequentially.

Shared scoping document, shared communication channel, and joint review of boundary risks (signed payloads, off-chain authority, API trust). You don't herd two vendors; you talk to one team.

Two reports, one per track, plus a brief joint summary of boundary findings that involve both sides. Same format as our standalone audits.

By default, yes. Zealynx publishes reports openly. Private engagements are available on request.

We surface the issue privately to your team immediately, before the report. Standard responsible disclosure timing applies to any public-facing communication.

Ready when you are

Ready to scope it?

If you want both tracks reviewed together — the contracts and the stack around them — talk to us.