The OpenZeppelin Security Audit
Providing trust and confidence for leading Blockchain and Smart Contract systems
The OpenZeppelin Advantage
In 2015, we pioneered smart contract security by introducing the OpenZeppelin Contracts library, which was soon followed by establishing the industry’s first professionalized security audit group.
We are dedicated to our clients, the security of their code, and instilling trust and confidence within their communities. With an elite team that brings together unparalleled expertise in PhD-level mathematics, cryptography, low-level EVM operations, and finance, we are the gold standard in securing the industry’s most complex and widely-used projects. Our talent – and the collaborative OpenZeppelin Security Audit approach – is why clients retain us for multi-year relationships.
95%
Of our clients
hire us again
$50B+
TVL secured
1M+
LoC Reviewed
1000+
High and critical
vulnerabilities uncovered
In 2015, we pioneered smart contract security by introducing the OpenZeppelin Contracts library, which was soon followed by establishing the industry’s first professionalized security audit group.
We are dedicated to our clients, the security of their code, and instilling trust and confidence within their communities. With an elite team that brings together unparalleled expertise in PhD-level mathematics, cryptography, low-level EVM operations, and finance, we are the gold standard in securing the industry’s most complex and widely-used projects. Our talent – and the collaborative OpenZeppelin Security Audit approach – is why clients retain us for multi-year relationships.
Securing the most critical protocols
Audits performed by us
19
High & critical vulns uncovered
5
Relationship started
2020
Audits performed by us
4
High & critical vulns uncovered
3
Relationship started
2020
Audits performed by us
2
High & critical vulns uncovered
1
Relationship started
2020
Data collected as of December 31st, 2023
Our team secures leading decentralized exchanges and aggregators.
Engaging with various platforms including AMMs like Bancor V3 and Balancer, the UniswapX order settlement protocol, the Beefy swap router, and the Panoptic options trading platform, which leverages Uniswap V3 liquidity positions, demonstrating our proficiency in V3 concentrated liquidity mathematics. Furthermore, we've completed over 13 audits for 1inch, the premier DEX aggregator.
Audits performed by us
16
High & critical vulns uncovered
9
Relationship started
2022
Audits performed by us
5
High & critical vulns uncovered
34
Relationship started
2022
Audits performed by us
10
High & critical vulns uncovered
14
Relationship started
2023
Data collected as of December 31st, 2023
We secure L1-L2 bridges, ZK-verifier contracts, and optimistic rollups.
We've identified critical vulnerabilities across a range of areas, including fraud-proof verification, cross-domain transactions, fee mismanagement, and reward system abuses.
Notably, critical issues were discovered in the Linea ZK-verifier, the Scroll message-passing bridge, among other ZK-rollups.
Audits performed by us
44
High & critical vulns uncovered
19
Relationship started
2019
Audits performed by us
3
High & critical vulns uncovered
0
Relationship started
2019
Audits performed by us
2
High & critical vulns uncovered
2
Relationship started
2023
Data collected as of December 31st, 2023
We are the key security partner for leading lending protocols like Compound, Radiant, Venus, and Morpho Blue.
Our researchers have identified several critical vulnerabilities in lending protocols with billions in TVL, including potential bad debt creation in AAVE V3 and stolen rewards in Radiant V2. Serving as Compound's main security partner, we’ve helped establish them as one of the safest platforms in the space.
Audits performed by us
20
High & critical vulns uncovered
17
Relationship started
2020
Audits performed by us
1
High & critical vulns uncovered
0
Relationship started
2022
Data collected as of December 31st, 2023
Our team expertise extends across the most sophisticated Oracle systems.
These include Chainlink and UMA Protocol, and Oracle-dependent components used by platforms like Compound and Synthetix Oracle manager, which utilize Pyth, Chainlink, and Uniswap V3 TWAP oracles. As UMA's primary security partner, we've conducted over 10 audits, revealing critical vulnerabilities in its optimistic verification system and cross-chain components. Additionally, we've identified high-severity issues in Polymarket's integration with UMA.
Audits performed by us
3
High & critical vulns uncovered
7
Relationship started
2022
Audits performed by us
1
High & critical vulns uncovered
0
Relationship started
2024
Data collected as of December 31st, 2023
Our first-hand experience auditing multiple Account-Abstraction implementations positions us as leaders in Account Abstraction security.
We worked with the Ethereum Foundation on three audits of Account Abstraction’s EIP-4337, identifying over seven high+ severity issues, enhancing Ethereum protocol’s security. Our discoveries encompassed deposit record manipulations, incorrect gas calculations, and invalid aggregated signature verifications, among others. We also audited Pimlico’s ERC20 token paymaster implementation, allowing users to pay transactions in any ERC20. During this audit, our researchers dived deep into the ERC 4337 paymaster reputation rules.
Audits performed by us
9
High & critical vulns uncovered
12
Relationship started
2021
Audits performed by us
2
High & critical vulns uncovered
0
Relationship started
2023
Data collected as of December 31st, 2023
We are the security partner for the leading stablecoins.
Back in 2018, we audited Tether, the most used stablecoin in the world. In 2019, our team found a live critical vulnerability affecting MakerDao, the issuer of DAI. Today, we are Origin’s main security partner, performing over 7 audits including the Origin dollar, a yield-bearing decentralized stablecoin. During our engagement with Origin, we added value through multiple findings, including critical findings that would have resulted in yield theft. We also secure Mountain Protocol, issuers of USDM, a yield-bearing rebasing stablecoin backed by T-Bills.
Audits performed by us
2
High & critical vulns uncovered
0
Relationship started
2022
Data collected as of December 31st, 2023
Financial Institutions entering the blockchain space face unique challenges regarding security, compliance, and operations.
We partner with leading financial institutions across North America, Latin America, Europe, and Asia as their trusted blockchain advisors. We also audited and provided operational infrastructure for the issuance of the A$DC Australian Dollar stablecoin by the ANZ Bank.
Audits performed by us
11
High & critical vulns uncovered
13
Relationship started
2023
Audits performed by us
4
High & critical vulns uncovered
2
Relationship started
2021
Data collected as of December 31st, 2023
We secure the leading Gaming and NFT protocols.
We are the authors of the world’s most widely used implementation of ERC721, used by the most popular protocols working with NFTs.
Our work in NFTs encompasses audits for some of the most widely known issuers and exchanges, including Yuga Labs, creators of BAYC, and OpenSea.
In the gaming space, we are The Sandbox’s security partner, performing over 15 audits to their protocol. Other gaming experience includes Decentraland’s MANA token as well as the PoolTogether protocol, finding critical issues that prevented loss of funds due to user duplication in their prize pools.
The OpenZeppelin
client centered approach
Client Engagement
We communicate and collaborate with you
in every stage to ensure both business and code objectives are achieved securely and efficiently.
Team Structure
- 2+ Blockchain Security Researchers
- Technical Manager
- Project Manager
The team is supported by Cryptographers, Advanced Testing Engineer and Security Analyst based on the project requirements.
The OpenZeppelin client centered approach
Pre-Audit
Our security researchers prepare in advance for the audit by leveraging our internal knowledge base, reviewing your project documentation and running your test suite to deepen our understanding of the codebase. A dedicated technical manager will also consult with you on technical details to optimize audit readiness and quality.
An initial assessment by our proprietary Code Inspector, which detects over 60% of low-severity issues, helps focus our team efforts on identifying the most critical vulnerabilities.
Run Code Inspector on your code for freeSecurity Audit
We conduct a comprehensive review of your system's architecture and codebase, with each line of code inspected by at least two security researchers. We adopt a collaborative approach, engaging directly with the developers throughout the audit to thoroughly understand the technical design and business logic. When necessary, our researchers engage in advanced testing techniques, including fuzzing and invariant testing, to ensure system integrity.
Finally, we offer tailored recommendations to resolve issues, striking a balance between best practices and your system's specific needs.
Fix Review
The fix review process is as important as the audit itself.
The security researchers meticulously review the fixed issues and engage with the developer in discussing the nuances of your codebase, which leads to gaining a better understanding of your systems.
Upon review, the final audit report is delivered through the Defender platform, allowing your team to track issues and resolutions, and interact directly with auditors for faster and more efficient communication.
Remaining on Top
Once we have audited your project, we become experts in your code. We keep an open communication channel with your team for any future consultation needs.
The OpenZeppelin Security Audit often results in multi-year collaborative relationships.
Request a Security AuditWe protect decentralized systems (Language is your choice)
Solidity is the cornerstone of Ethereum smart contracts, powering decentralized applications (DApps) that redefine our digital world.
Trusted by
OpenZeppelin’s Solidity difference
Our Solidity smart contract audits go beyond mere code review; they are a comprehensive safeguard for your DApp's integrity and user trust. With a meticulous blend of static analysis, manual inspection, and automated tools, we dissect every line of code to unearth vulnerabilities, review code design and system architecture, and ensure compliance with the latest Ethereum Improvement Proposals (EIPs). Let us fortify your Solidity contracts against the known and the unforeseen.
Trusted by
Cairo—a revolutionary language for creating provably secure smart contracts—brings about a new era of blockchain possibilities, including zk-Rollups and more efficient layer 2 solutions.
Trusted by
OpenZeppelin’s Cairo difference
Our Cairo smart contract audits are at the forefront of this innovation, offering specialized services to ensure your Cairo contracts are both powerful and impenetrable.
Some examples of issues found include severe protocol issues for Starknet including one which incorrectly allowed anyone to invoke functions only specific users should be able to, as well as a number of other issues such as in the case of the Snapshot protocol, regarding their voting system accounting as well as many others.
Trusted by
Rust's promise of memory safety and concurrency without compromise makes it a formidable choice for blockchain applications seeking unparalleled security and performance.
Trusted by
OpenZeppelin’s Rust difference
Our Rust security audits and reviews harness Rust's strengths to secure your blockchain infrastructure, focusing on Layer 2 networks and other innovative platforms that push the boundaries of scalability and efficiency.
We also delve deep into the auditing of Zero-Knowledge Proofs (ZKP) and other cryptographic primitives, that leverage Rust's inherent safety features but also embody the cutting-edge of blockchain security techniques.
One of the noteworthy findings in this category is a bug which was found in the bus-mapping segment of the Scroll ZK system which could be exploited to censor transactions, impair the Sequencer's functionality, and potentially compromise the L2.
Trusted by
Go, with its simplicity and efficiency, powers some of the most critical infrastructure elements of blockchain networks.
Trusted by
OpenZeppelin’s Go! difference
Our Go audit service is designed to address the unique challenges of Go-based blockchain projects.
By combining thorough code reviews and security best practices, we ensure your system stands up to the demands of operational availability, scalability and security.
Trusted by
“Collaborating with OpenZeppelin on our security audit was a productive and positive experience. We appreciated their thoroughness and attention to detail.”
Yoav Weiss, Security at Ethereum Foundation
"OpenZeppelin has been perfoming excellent work on behalf of the protocol."
Robert Leshner, CEO at Compound
"We can't wait to see what developers are going to build on Base next, with additional peace of mind provided by OpenZeppelin."
Jessie Pollak, Lead at Coinbase