Sway Audit

Sway audits, on Fuel.

Senior manual review of Sway contracts, scripts, and predicates on the Fuel network. UTXO accounting, predicate logic, and Fuel-to-Ethereum bridge integration.

Fuel · UTXO model · senior auditors only · reports public by default

Request an intro call
Why this exists

UTXO is a different problem than EVM accounts.

Sway looks like Rust and reads like a familiar smart contract language, but Fuel’s UTXO execution model isn’t EVM with a new compiler. Asset handling, predicate scripts, and the contract-vs-script split create failure modes that don’t exist in account-based VMs. Our Sway audits are explicit about which assumptions translate from EVM and which don’t.

Scope

What’s in the audit.

What we check

Sway and Fuel-specific risk classes

UTXO accounting bugs, asset-id confusion, predicate script logic, script vs contract trust boundaries, and the message-bridge integration with Ethereum.

Tools

Forc, Fuel test harness, manual review

Forc-based test runners, native Fuel test harnesses for state machine coverage, and our manual pass over the asset and predicate logic where Sway's UTXO model creates new failure modes.

Targets

Fuel mainnet and testnet deployments

Sway contracts, scripts, and predicates running on the Fuel virtual machine. DEXes, lending markets, and message-bridge integrations.

Recent engagements

Recent Sway engagement.

Fuel · Sway

Microchain DEX (Mira Binned Liquidity AMM)

Sway audit of a binned-liquidity AMM on Fuel — bin math, UTXO accounting, predicate scripts, and the rebalance flow.

Sep 2025 · Microchain

How pricing works

Scoped to your codebase.

Sway audits are sized to contract count, predicate complexity, and bridge integration surface. Talk to us for a scope and quote.

Request an intro call
FAQ

Questions.

We did one of the first published Sway audits — the Mira Binned Liquidity AMM on Fuel for Microchain (Sep 2025). Sway is still an early ecosystem, and we're one of the few audit firms with shipped work on it.

Fuel uses a UTXO model (closer to Bitcoin / Cardano) rather than account-based state. Asset handling, predicate scripts, and the contract-vs-script distinction are first-class concerns that don't have direct EVM analogues.

Yes. Bridge-side trust assumptions, withdrawal proofs, and the L1 settlement contract integration are reviewed alongside the Sway code.

Both in scope. Script logic (one-shot computation that's part of a transaction) and predicate logic (replacing signatures for arbitrary spending rules) are reviewed with the same depth as contracts.

Yes, but we tag tool-specific assumptions explicitly. The ecosystem is moving fast, and the report calls out anything that depends on toolchain behavior rather than language semantics.

Two to four weeks for typical scope. We scope and quote against your specific codebase before you commit.

From our research

Go deeper.

Year in review

2025 exploit lessons: $3.4B in DeFi losses and what they revealed

The cross-ecosystem patterns from 2025's exploits — applicable to any smart contract language, Sway included.

Comparison

Move vs Rust vs Solidity for smart contracts

What different language safety models give you, what they take away, and how the auditor's job changes per language.

Methodology

Defense in depth: our audit workflow

The layered process we apply to every engagement, regardless of language.

Other services

Need something else?

Parent

Smart contract audits

Back to the parent service — see all languages, methodology, and recent engagements.

Sibling language

Solidity audit

Solidity on Ethereum and EVM chains — our most populated language vertical.

Subscription

Security Audit Subscription

Ongoing weekly review during development — Sway or any other language.

Ready when you are

Ready to audit?

Send us your repo and a target date. We’ll come back with a scope and a quote within 24 hours.

Request an intro call