Independent Web3 security research

Manual audits for smart contracts and DeFi systems.

We review Solidity code, protocol accounting, bridges, wallet flows, APIs, and exploit reports. You get ranked findings, proof paths, patch guidance, and retest criteria.

Authorized testing only · Evidence-backed findings · Retest handoff
01 Manual code review

Solidity, protocol logic, integrations, and asset movement.

02 Exploit proof where it matters

PoCs and fork tests for real impact, not checklist noise.

03 Clean fix path

Engineers get patch guidance and retest criteria they can use.

Client outcomes

Get a clear verdict on launch, patch, payout, or incident risk.

Built for smart contract releases, DeFi accounting changes, bridge integrations, wallet and API flows, bounty triage, and incident follow-up.

Patch

Patch the exposures that matter.

Separate exploitable code paths from theoretical issues across access control, accounting, oracle, and integration logic.

Payout

Validate bounty reports.

Reproduce the claim, measure asset impact, assign severity, and confirm whether the issue deserves payout or escalation.

Investigate

Trace suspicious behavior.

Review transactions, roles, configuration, and reachable exploit paths when protocol state or user funds look wrong.

Services

Web3 audit services focused on exploitable risk.

Scope the asset flows that can cost money: contract logic, protocol accounting, bridges, wallets, APIs, exploit reports, and fixes.

01 Audit sprint

Smart contract audit

Manual Solidity review of state transitions, access control, upgrades, external calls, and invariant assumptions.

Best for: Launches, upgrades, migrations
Output: Findings, PoCs, patch guidance
02 Economic review

DeFi accounting review

Review vault shares, reward math, fee logic, oracle inputs, liquidation paths, staking flows, and AMM behavior.

Best for: Vaults, AMMs, lending, staking
Output: Loss scenarios, fork tests
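The kind of loss-scenario check an accounting review produces, as an added example rather than the firm's or any client's code: a Python model of ERC-4626-style share math that replays an operation sequence and flags three conditions, a depositor losing more than one unit of rounding on entry, a passive holder losing redeemable value while someone else acts, and total claims exceeding assets held. In an engagement the same checks would run as fork tests against the deployed contract; here the vault, its inverted-rounding variant, and the three scenarios are constructed assumptions.

```python
# Added example: a Python model of ERC-4626-style share accounting with
# loss checks run over an operation sequence. Constructed for this page;
# the vault, its rounding variants and the scenarios are assumptions,
# not a client system.
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Minimal share accounting. round_shares_up=True is the inverted
    rounding direction used here as the buggy variant."""
    round_shares_up: bool = False
    total_assets: int = 0
    total_shares: int = 0
    balances: dict = field(default_factory=dict)

    def convert_to_shares(self, assets: int) -> int:
        if self.total_shares == 0:
            return assets  # 1:1 bootstrap, as in common 4626 implementations
        n, d = assets * self.total_shares, self.total_assets
        return -(-n // d) if self.round_shares_up else n // d

    def convert_to_assets(self, shares: int) -> int:
        if self.total_shares == 0:
            return 0
        return shares * self.total_assets // self.total_shares  # rounds toward the vault

    def deposit(self, user: str, assets: int) -> int:
        minted = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        return minted

    def redeem(self, user: str, shares: int) -> int:
        if self.balances.get(user, 0) < shares:
            raise ValueError("insufficient shares")
        paid = self.convert_to_assets(shares)
        self.balances[user] -= shares
        self.total_shares -= shares
        self.total_assets -= paid
        return paid

    def donate(self, assets: int) -> None:
        """Direct token transfer: raises the share price without minting shares."""
        self.total_assets += assets

    def value_of(self, user: str) -> int:
        return self.convert_to_assets(self.balances.get(user, 0))


def run_scenario(vault: Vault, ops: list) -> list:
    """Apply (op, actor, amount) steps and return loss findings.

    Checks after every step:
      entry loss   - a depositor's immediately redeemable value trails the
                     deposit by more than one unit of rounding
      passive loss - a holder who did not act loses redeemable value
      solvency     - total redeemable claims exceed assets held
    """
    findings = []
    for op, actor, amount in ops:
        before = {u: vault.value_of(u) for u in vault.balances}
        if op == "deposit":
            got = vault.convert_to_assets(vault.deposit(actor, amount))
            if got + 1 < amount:
                findings.append(f"entry loss: {actor} deposited {amount}, redeemable {got}")
        elif op == "redeem":
            vault.redeem(actor, amount)
        elif op == "donate":
            vault.donate(amount)
        else:
            raise ValueError(f"unknown op {op}")
        for u, v in before.items():
            if u != actor and vault.value_of(u) < v:
                findings.append(f"passive loss: {u} {v} -> {vault.value_of(u)} after {op} by {actor}")
        claims = sum(vault.value_of(u) for u in vault.balances)
        if claims > vault.total_assets:
            findings.append(f"insolvent: claims {claims} > assets {vault.total_assets}")
    return findings


# Constructed scenarios (amounts in base units).
NORMAL_OPS = [("deposit", "alice", 1000), ("donate", "yield", 7),
              ("deposit", "bob", 500), ("redeem", "bob", 100),
              ("redeem", "alice", 1000)]
INFLATION_OPS = [("deposit", "attacker", 1), ("donate", "attacker", 10_000),
                 ("deposit", "victim", 5_000)]

if __name__ == "__main__":
    for name, vault, ops in [("correct rounding", Vault(), NORMAL_OPS),
                             ("shares rounded up", Vault(round_shares_up=True), NORMAL_OPS),
                             ("first-depositor inflation", Vault(), INFLATION_OPS)]:
        print(name, run_scenario(vault, ops) or "no findings")
```

The correctly rounded vault produces no findings on the normal sequence; flipping the deposit rounding direction makes an idle holder lose one unit when someone else deposits, and the bootstrap-plus-donation sequence shows a depositor receiving zero shares for a real deposit. Each finding names the actor, the step, and the measured asset delta, which is what a patch and retest checklist needs.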
03 Integration review

Bridge, wallet, relayer, and API review

Test message validation, signer flows, SDK routing, refund paths, relayer authorization, and API permissions.

Best for: Bridge and product teams
Output: Trust map, risk verdicts
04 Triage and retest

Exploit validation and retest

Verify bug bounty reports, suspicious transactions, risky diffs, fixes, and residual exposure.

Best for: Alerts, claims, retests
Output: Exploit verdict, closeout notes

Upcoming launch?

Get a scoped proposal before the next critical release.

Request proposal

Audit surface

Asset risk spans code, math, and integrations.

Reviews follow how funds move through contracts, oracles, bridges, wallets, APIs, and operational roles.

01

Smart contracts and protocol code

Review access control, upgradeability, state transitions, accounting logic, external calls, and invariant assumptions.

Focus: exploit paths, invariant breaks, patchable findings.

Engagement model

From scope to retest, built around the release decision.

01

Scope

Define target repos, deployed addresses, authorization, critical flows, timeline, and success criteria.

02

Map

Trace roles, assets, integrations, trust boundaries, oracle inputs, state transitions, and external dependencies.

03

Test

Validate exploitability with targeted proofs, fork tests, invariant reasoning, and economic impact analysis.

04

Handoff

Deliver ranked findings, executive framing, reproduction steps, remediation guidance, and retest criteria.

05

Retest

Review fixes, note residual risk, and help the team close the loop before launch or public disclosure.

Reporting

Reports should tell engineers what to fix.

Each finding explains what breaks, how to reproduce it, which assets are exposed, and how to verify the fix.

Reproducible PoCs · Asset impact · Patch guidance · Retest criteria
GSR / Finding brief (technical + executive)
Severity: Critical asset flow risk
Boundary: Vault share price accounting
Proof: Mainnet fork reproduction
Impact: Passive user loss scenario
Closeout: Patch and retest checklist
handoff:
  status: reproducible
  engineer_action: patch_accounting_boundary
  stakeholder_action: defer_launch_until_retest
  retest: ready_after_fix

Operating standards

Credible research, strict boundaries, clean communication.

Engagements are structured to protect client systems, minimize disruption, and produce evidence that can be used by both engineers and decision makers.

Authorization

Bounded work only

Testing begins after scope, target ownership, and permitted techniques are understood.

Confidentiality

Responsible handling

Details are shared with authorized stakeholders and are not published without permission or coordinated disclosure context.

Data minimization

Evidence without excess

Evidence is minimized, redacted where possible, and collected only to demonstrate impact.

Start an engagement

Send the contract, integration, or exploit report you need reviewed.

Include target repos, deployed addresses, docs, app or API links, authorization context, timeline, and the decision you need support on.

Audit sprint · Exploit triage · Launch readiness · Retest