ZKsync OS is a new RISC-based execution system for the next generation of ZKsync. Taran Space reviewed core components across multiple engagements, including the bootloader, transaction processing, EVM implementation, cache logic, and L2 interoperability paths at the center of the rollup architecture. The work also included a dedicated cryptography review focused on elliptic-curve components and proof-adjacent logic.
Across the engagements, the review covered execution correctness, transaction lifecycle safety, implementation-level edge cases, and the cryptographic foundations supporting the system’s security model.
Stellar is a major blockchain infrastructure network for payments, tokenized assets, and financial applications. The work was delivered through public Oak Security engagements and covered Stellar Core protocol updates, with focus on correctness and consensus-sensitive changes that affect secure network operation.
Review scope included protocol logic, metering behavior, Soroban-adjacent execution, cryptographic components, and implementation details across Rust and C++ code. The work focused on changes where subtle correctness issues could affect transaction processing, resource accounting, smart-contract execution behavior, or the reliability of protocol upgrades.
Hyperlane connects blockchain networks through a modular interoperability layer for cross-chain messaging and application deployment. The review was delivered under the Oak Security brand and covered Hyperlane’s CosmWasm integration components, including Cosmos-to-EVM messaging, mailbox behavior, hooks, interchain security modules, and warp-route logic.
The work focused on cross-chain message validity, replay resistance, Merkle tree handling, multisig ISM verification, validator and threshold assumptions, fee and gas behavior, and the integration risks that appear when interoperability infrastructure spans multiple execution environments.
Snowbridge is a trustless bridge between Polkadot and Ethereum, using light-client verification instead of a trusted multisig or external validator set. Working as part of Oak Security’s team, we reviewed multiple releases, focusing on the boundaries between consensus assumptions, bridge logic, and Solidity/EVM execution.
Review scope included proof validation, replay resistance, finalized-state assumptions, and contract-side logic for accepting or rejecting cross-chain updates. The work combined cryptographic protocol review with production cross-chain infrastructure security.
Hydration is a Polkadot DeFi protocol built around shared liquidity infrastructure. In the Oak Security engagement, we reviewed Hydration’s peg-drift stableswap and oracle components, focusing on AMM invariant safety, oracle integrity, and privileged-control risks.
The review covered Substrate-based DeFi logic where pricing, liquidity movement, and administrative controls interact. Scope included stableswap behavior, oracle-dependent assumptions, edge cases around peg drift, and failure modes that could affect liquidity accounting or market correctness.
Base Azul is Base’s first independent network upgrade, introducing Base-native clients, Ethereum spec alignment, and TEE/ZK multiproof finality on the path toward stronger L2 decentralization. Taran Space participated in the Immunefi audit competition for Azul, reviewing Rust and Solidity implementation surfaces across offchain components, upgrade logic, proof integration, and verifier-related flows.
Our submission identified a memory-pressure risk in the Nitro TEE prover: overlapping honest proving jobs could accumulate checkpoint witness data inside the enclave process and trigger process aborts or dropped work. Under sustained load, this could degrade Azul’s intended 1-day TEE/ZK fast-finality path back toward the slower 7-day withdrawal finality model.
THORChain is a cross-chain liquidity network that enables native asset swaps across blockchain ecosystems. We contributed to Oak Security’s review of THORChain hard-fork-related validator and Cosmos upgrade logic, focusing on protocol-update safety for the network.
The work covered validator-scheduled upgrade behavior, Cosmos hard-fork assumptions, Go implementation details, and failure modes that could affect network coordination during protocol transitions.
Dusk is a Layer 1 network designed for regulated financial applications, combining privacy-oriented architecture with custom protocol and execution components. We contributed to Oak Security’s review of Dusk’s Rusk node and consensus-related logic, with focus on protocol correctness, node safety, and invariants that protect network operation.
The work examined failure modes that could lead to network halts, consensus failures, or economic attacks. Scope included Rust implementation details, protocol-level assumptions, and execution-layer behavior in security-critical parts of the Dusk stack.
GnoLand is a Layer 1 smart-contract platform built around Gno, an interpreted and deterministic language derived from Go. In public Oak Security engagements, we reviewed GnoLand’s smart-contract and execution infrastructure, including the on-chain Gno language interpreter.
The work covered interpreter behavior, VM and runtime assumptions, memory-management behavior around garbage collection, type-checking logic, contract execution, and the correctness of core platform components.
Dymension is a Cosmos-based network for modular appchains and RollApps, combining Cosmos SDK infrastructure with execution-layer components derived from the RDK and EVMOS stack. Across several Oak Security reports, our work covered core network logic, Cosmos SDK modules, and EVM-compatible execution surfaces involved in Dymension’s protocol architecture.
The reviews focused on chain-level correctness, upgrade and execution assumptions, module behavior, and the interaction between Cosmos-native infrastructure and EVM-facing components. The project adds a strong Cosmos, Go, and EVM protocol-security case to the portfolio.
Nym is decentralized privacy infrastructure built around a mixnet that protects network-level metadata as well as message contents. Through Oak Security, we reviewed Nym’s mixnet-related on-chain components, vesting logic, and wallet security.
The review focused on user safety, key-management risk, distribution correctness, and the contract logic supporting participation, rewards, and long-term network operation.
ZIGChain is a Cosmos-based Layer 1 focused on wealth management, DeFi infrastructure, and on-chain financial applications. The audits were published by Oak Security, with our work covering multiple ZIGChain releases across custom chain modules, the x/dex module, reward-contract logic, and updates across Cosmos SDK, CosmWasm, and EVM-compatible integration surfaces.
The work spanned application-level DeFi behavior and chain infrastructure, including swap and DEX logic, reward accounting, module validation paths, smart-contract execution assumptions, and the operational safety of financial flows built into the network.
Mythical Games builds blockchain infrastructure for games, digital assets, and player-owned economies. Our Oak Security work covered Mythical’s Polkadot parachain runtime, XCM configuration, and Ethereum-account handling primitives.
The review focused on runtime and transaction-safety risks, including cross-chain configuration assumptions, account-handling behavior, and protocol logic that affects how assets and transactions move through a Substrate-based gaming chain.
This library is a Rust implementation of Ethereum’s Simple Serialize (SSZ) format, used for consensus-critical data structures in Ethereum protocol software. The public Oak Security audit included our review of serialization correctness, safety invariants, and edge cases in code that handles structured protocol data.
Review scope covered SSZ encoding and decoding behavior, Merkleization-related assumptions, data-structure boundaries, and hardening against cases that could affect consensus-client reliability or proof-related logic.
DAO DAO provides Cosmos-based infrastructure for creating and managing decentralized organizations. Its smart-contract system supports governance, treasury operations, staking and voting modules, proposal execution, and factory extensions used by DAOs across IBC-enabled ecosystems.
Our Oak Security work covered multiple DAO DAO releases, including vesting, payroll, rewards distribution, voting, and permission-granularity components. The review focused on CosmWasm/Rust contract correctness, governance execution safety, token and delegation edge cases, and the financial flows that support DAO operations.
KILT is a Polkadot ecosystem protocol for decentralized identity, credentials, and self-sovereign data. For the Oak Security audit, we reviewed KILT’s Substrate bonding-curve pallet, focusing on runtime logic and the correctness of the economic primitive behind the module.
The review covered accounting behavior, edge cases in bonding-curve operations, runtime-level safety, and failure modes that could lead to incorrect balances, exploitable state transitions, or operational lock-up risk.
Osmosis Transmuter is a CosmWasm/Rust component for converting between multiple assets within the Osmosis ecosystem. In Oak Security’s public reviews, we examined two versions of the Transmuter contracts, focusing on multi-asset swap behavior, conversion correctness, validation paths, and edge cases that could break accounting or allow invalid asset movement.
The work covered the invariants behind specialized liquidity and conversion flows, including how token balances, swap behavior, and contract validation interact inside a production Cosmos DeFi environment.
Centauri connected the Cosmos and Polkadot ecosystems through IBC-style light-client bridging. Our Oak Security work covered Centauri’s verification logic, relayer assumptions, trust boundaries, and the security model behind moving messages and assets between Cosmos chains and DotSama networks.
A later review covered fixes for the Grandpa CosmWasm Light Client, extending the work into proof verification and finality-related bridge logic. The engagement focused on cross-chain correctness, light-client assumptions, and the failure modes that can appear when two different interoperability ecosystems meet.
Empowa / NSE Housing connects Cardano smart contracts with a real-world housing-finance application linked to the Nairobi Securities Exchange. Scope included eUTXO transaction design, order-book behavior, and business-critical contract logic used to coordinate financial activity before release.
The work moved from issue discovery through fix validation and final rechecking, with attention to real-world asset flows, regulated-market context, and the reliability expectations of financial infrastructure.
Yumi Finance builds DeFi vault infrastructure across Solana and EVM environments. Taran Space completed private security reviews covering a Solana/Anchor fixed-pool vault and a later EVM implementation, with focus on contract correctness, vault behavior, asset-accounting safety, and implementation risks around financial flows.
Scope spanned Rust-based Solana program logic and Solidity/EVM smart-contract surfaces, including the security of production financial contracts where implementation mistakes can directly affect user funds.
VIA Labs builds cross-chain messaging infrastructure for moving data and value between blockchain networks. In a Hashlock-branded engagement, we reviewed VIA Labs’ Stellar/Soroban Rust messaging stack, covering client, fee-handler, gas-handler, message-client, and message-gateway components.
Scope centered on cross-chain message safety, gateway replay protection, destination-chain binding, processed-state handling, Soroban storage behavior, signer and finality assumptions, ABI decoding, and fee/gas handling across the messaging stack.
STBL is a stablecoin infrastructure protocol for token issuance, asset management, yield distribution, and operational control. We carried out the review for Hashlock, covering STBL’s Stellar/Rust smart-contract system, including asset issuer, airdrop issuer, USST/STBL token, oracle, registry, access-control, upgrade, and yield-distribution components.
Security work focused on expired-position handling, yield and accounting fairness, token blacklist and pause behavior, vault accounting assumptions, oracle configuration, role administration, and privileged controls across the protocol’s financial flows.
MANTRA is an EVM-compatible Layer 1 built around real-world assets and on-chain financial infrastructure. Our Oak Security work covered multiple MANTRA tracks, including DEX functionality, airdrop logic, and later claimdrop-update components across the MANTRA ecosystem.
The reviews focused on DeFi execution paths, token distribution flows, smart-contract correctness, and integration surfaces across Cosmos, EVM, Solidity, Rust, and Go components. The project adds a broad real-world-asset DeFi case with both chain-level and application-level security scope.
Bifrost Finance is a Polkadot DeFi protocol focused on liquid staking and liquidity infrastructure. The Oak Security audit included our review of Bifrost’s Substrate lend-market, leverage-staking, and prices pallets.
The work covered leveraged-staking logic, pricing and oracle integration points, economic validation paths, and risks that could lead to fund loss, manipulation, denial of service, or incorrect protocol accounting.
Verification Transpiler was a JetBrains research project exploring how formally verified specifications could move closer to production software. The work extended Coq so Java code could be generated directly from Coq specifications, connecting proof-oriented development with a mainstream application runtime.
The project focused on preserving the value of mathematical specification and proof while making verified logic easier to integrate into larger software systems. It combined formal methods, language tooling, and practical compiler-style engineering around Coq and Java.
Asteroid Bridge is a Cosmos bridge project by Delphi Labs, built for moving assets and messages across connected blockchain environments. Under the Oak Security engagement, our review focused on bridge security, message-validation logic, and cross-chain trust assumptions across the bridging flow.
The work covered validation paths, asset-transfer assumptions, replay and message-integrity concerns, and the contract or protocol conditions needed to keep cross-chain movement consistent and safe.
Magma Vaults builds DeFi vault infrastructure in the Cosmos ecosystem. In the Oak Security review, we examined Magma Core, focusing on the core vault logic and protocol behavior behind the Magma Vaults codebase.
The work covered vault accounting, liquidity-handling assumptions, contract correctness, and failure modes that could affect user funds or protocol operation. A later fix review addressed a liquidity-overflow issue and was reflected in the updated public report.
Helix Bridge is cross-chain infrastructure for moving assets between blockchain networks. As part of Oak Security’s audit work, we reviewed Helix Bridge and xToken components, focusing on bridge security and cross-chain asset-transfer logic.
The review covered Solidity/EVM contract behavior, transfer validation, message and asset-flow assumptions, and the kinds of trust-boundary issues that can affect bridge correctness across chains.
Neptune is a Cosmos/Rust protocol developed by Cryptech Developments. For Oak Security, we reviewed Neptune update work focused on the security of the codebase and the correctness of protocol-update logic.
The work covered smart-contract and protocol behavior, update safety, validation paths, and failure modes that could affect protocol operation. A later report update incorporated a missed vulnerability after fix review and publication approval.
This JetBrains research project focused on formal reasoning about Operational Transformations, a core technique behind collaborative editing systems. Taran Space developed Coq and Agda proofs for transformation behavior, using proof assistants to model correctness properties in systems where multiple users edit shared state concurrently.
Proof work centered on consistency guarantees, transformation rules, and edge cases that determine whether concurrent edits converge correctly. The project applied formal verification techniques to a problem space normally hidden inside real-time collaboration software.
Timewave Computer builds cross-chain automation infrastructure for the Cosmos ecosystem. We joined Oak Security’s public reviews of Timewave’s Valence Services and Covenants, focusing on CosmWasm/Rust contract behavior, IBC integration assumptions, cross-chain service workflows, and privileged-role safety.
The work covered the correctness of automated actions that depend on interchain state and messaging, including validation paths, role boundaries, and operational controls needed for secure cross-chain execution.
Coinhall Genie is a Cosmos DeFi product built with CosmWasm smart contracts. In an Oak Security audit funded through Osmosis Grants Company, we reviewed the Genie contract logic and the security of the product flow.
The work focused on Rust/CosmWasm contract correctness, validation paths, state transitions, and risks that could affect user interactions or financial behavior inside the Genie application.
The Visual HoTT Interpreter was a JetBrains research project for exploring Homotopy Type Theory through an interactive interpreter interface. Taran Space prototyped tooling that made abstract type-theory concepts easier to inspect, experiment with, and reason about visually.
The work connected formal methods, programming-language research, and developer tooling. It focused on interpreter behavior, interactive representation of HoTT concepts, and practical experimentation with proof-oriented ideas outside a purely textual proof-assistant workflow.
RoofRide is a cross-chain DEX built around atomic swaps, designed to let users exchange assets between Layer 1 blockchains without relying on a centralized exchange or custodial intermediary. Taran Space designed and prototyped the system, including Solidity smart contracts, a web application prototype integrated with the Helios light client, and a custom off-chain P2P transport protocol for distributing and executing swap orders.
The work covered cross-chain exchange architecture, swap execution flows, Solidity contract behavior, light-client-assisted verification, and the networking layer needed to coordinate orders outside a centralized backend.
Helios is a lightweight Ethereum client that lets applications verify blockchain data directly instead of relying entirely on trusted RPC providers. Taran Space built a Helios-based integration prototype for trust-minimized Ethereum state access inside a cross-chain application flow.
The work connected light-client verification with application-layer execution, showing how a web application can use verified Ethereum data while preserving a practical user experience. Scope included Helios integration, finality and checkpoint assumptions, EVM-facing contract context, and the reliability of data used in cross-chain decision-making.
Axelar is a cross-chain General Message Passing platform that enables applications to coordinate swaps, calls, and token movement across multiple blockchain networks. Taran Space participated in the public Code4rena audit competition for Axelar Network, reviewing both Rust and Solidity contracts across the Interchain Token Service and gateway-related scope.
The work focused on cross-chain token flows, gateway behavior, message handling, and implementation risks across code that connects EVM and Cosmos environments.
Synternet, formerly Syntropy, builds infrastructure for real-time multichain data, decentralized data marketplaces, and access to indexed blockchain information. Its ecosystem centers on data-layer infrastructure for applications that need live cross-chain signals, monitoring, and execution-ready data.
Taran Space worked with the team on decentralized infrastructure research and prototyping, including designs built with Polkadot SDK, Polygon Edge, and ChainBridge. The engagement focused on protocol architecture, interoperability, and the reliability of systems that coordinate data and execution across decentralized networks.
Polkadot CLI was a custom developer-tooling project for Parity Technologies, built to make interaction with the Polkadot mainnet and custom Substrate networks faster and more practical for engineering workflows. The toolset supported DevOps-style usage, network interaction, testing, and rapid prototyping around Polkadot infrastructure.
The work covered Rust-based command-line tooling for Substrate environments, including support for EVM-compatible workflows on custom networks. It combined protocol familiarity with practical developer experience, turning low-level chain operations into repeatable tools for day-to-day engineering.
Swarp Pay builds wallet, payment, and launchpad infrastructure for token-based products. Taran Space reviewed its Solana/Anchor token program, covering token creation, sale mechanics, vesting, whitelist controls, token configuration, and operational scripts around launchpad execution.
Security work focused on token-sale flows, vesting behavior, supply accounting, purchase and claim logic, admin controls, and the operational assumptions needed to run a secure token launch. The engagement covered Rust-based Solana smart-contract logic connected to financial product workflows and user-facing asset operations.
Frame It was an NFT marketplace for trading and launching digital collectibles. In an Oak Security test audit, we reviewed the Solidity smart contracts behind its marketplace functionality, covering NFT trading flows and core contract behavior.
The work focused on marketplace logic, asset-transfer assumptions, Solidity implementation risks, and the contract-level conditions needed for secure buying, selling, and collection interaction.
Whether you're gearing up for a thorough audit or are still in the planning stages of your project, we encourage you to get in touch. Our expertise extends to architecture and security consulting, catering to a diverse range of needs. Rest assured, all inquiries are attentively processed during business hours. You can expect a response within an hour; however, we appreciate your patience if it occasionally takes a few days.
