White-hat web3 security

Get the security peace-of-mind you and your users deserve.

  • Ex-black-hat hackers at your service - all of them previously worked for state intelligence agencies (ask us about it!) 🕵️

  • Incentivized security - only pay if we successfully hack your app! Your app got hacked after our audit? Our revenue is slashed. Read more 🤝

  • Full stack protection - smart contracts, tokenomics, web2, and anti-phishing 🛡

Core services

Security advisory

End-to-end penetration testing

Smart contract audits

Zero-knowledge, automations, & MEV bot development

Trusted by

Iron Fleet

Starkswap

Revelator

NFTPort

Art Gobblers

Peranto

Alienverse

VTVL

Argent

Testimonials

Publications

Team

ggballas
Senior hacker

JohnnyTime
Senior hacker

duliba
Senior hacker

0xluminita
Hacker

rav3n
Intern hacker

0xCleaner
Hacker

I've got more questions...


How can I trust you?

Simple, don't trust - incentivize.


We abide by what we call "incentivized security". We achieve that through pay-per-vulnerability and our partnership with hats.finance.


Pay-per-vulnerability - all of our audits are paid based on performance and whether we are able to find new issues and vulnerabilities in your codebase. We weren't able to find anything? You don't pay anything extra.


Partnership with hats.finance - 50% of your audit cost goes into your project's bug bounty vault on hats.finance. In short, hats.finance is a bug bounty platform where third parties can deposit money into projects' bug bounties. To give you and your users even more peace of mind, we put our money where our mouth is: if a project we audited gets hacked, we lose 50% of the money we received for that audit.


Opening such a vault also helps you earn users' trust in the safety of your dApp.


Rest assured that we will do our absolute best to hack your app well before any hacker in the wild does.


Schedule a call with us to hear the finer details of our incentivized security model.



Why is it important to secure my whole stack? How can you help me with it?

Axie Infinity's smart contracts had been audited; their logic and tokenomics were sound. Yet the project's Ronin bridge was drained of roughly $625M because its web2 and operational security were lacking: validator private keys were compromised through social engineering of an employee.


Countless crypto projects (including big ones like BAYC) have been targets of simple phishing attacks and scams that cost users millions of dollars.


An attacker will always look for the weakest link. Having real-world black-hat experience, we know how real hackers think. Your stack is only as secure as its weakest link, so when we audit we look at EVERYTHING. Money lost is money lost; it doesn't matter whether it is lost to a smart contract bug, a web2 flaw, or a simple scam run on trusting users.



How can I prove to my users, beyond a shadow of a doubt, that my app is secure?

Bad news: You can't. Nothing in security is ever beyond a shadow of a doubt.


Good news: You can get to a point where you'd be 99.99999...% certain in your security stance. How is that achieved? By diversifying and incentivizing.


Diversifying - the more security measures and precautions you take, the better your security stance. Got an audit from Company A? Get one from Company B as well. Launch a bug bounty. Audit your web2 components too. Live dashboards do no harm either. Security is a never-ending endeavor. Let us help you navigate the security maze with a range of solutions: smart contract and tokenomics audits, web2 pen-testing, a bug bounty vault on hats.finance, live security dashboards, and anti-phishing solutions. We will diversify your security measures to the fullest extent.


Incentivizing - most security firms charge a flat fee for a single audit; you're essentially paying $20-30k for a PDF. If a firm charges a flat fee, how do you know they aren't simply letting their most junior auditor run some scripts over your codebase? Your auditors need skin in the game. At Ginger Security we swear by incentivized security and work with other projects to make it an industry-wide practice: we charge only based on performance under our pay-per-vulnerability policy, and we stake 50% of the audit revenue in your project's vault on hats.finance (which we open for you). Read more about our thinking on incentivized security above ("How can I trust you").



What are the prices for your audits and penetration tests?

You may contact us to get the exact details at hello@gingersec.xyz.

Get your free consultation

Email, Zoom, pigeon-mail... it doesn't matter to us. Contact us now and get your free consultation in whichever way you prefer.

Pay Per Vulnerability

With our pay-per-vulnerability model, you get transparent, cost-effective security assessments.

Why Choose Pay-Per-Vulnerability?

  • Cost-Effective Security: You pay only for the vulnerabilities we discover and report, so every dollar buys an actionable finding.

  • Transparency and Trust: Our process is fully transparent, providing you with detailed reports that outline each vulnerability’s severity, potential impact on your smart contracts or blockchain systems, and recommended mitigation steps.

How We Classify Vulnerabilities

Our classification process considers several factors, including:

  • Impact on Assets: Whether the vulnerability could lead to the theft, loss, or freezing of assets.

  • Effect on Protocol Operations: How the issue could disrupt or degrade the functionality of the protocol.

  • Likelihood of Exploitation: The probability that the vulnerability could be exploited, based on the complexity and required conditions.

  • Compliance with Standards: Whether the issue makes the code non-compliant with established blockchain application standards or accepted practices.

High Severity

High-severity vulnerabilities are critical issues that can lead to significant harm to your protocol. These include, but are not limited to:

  • Asset Theft: Vulnerabilities that allow unauthorized access to, or transfer of, funds or tokens - for example, flaws in minting or transfer logic, reward distribution, or trading.

  • Protocol Harm: Issues that disrupt the core functionality of the protocol, such as broken access controls that allow an attacker to take over the entire system.

  • Denial of Service (DoS) Attacks: Vulnerabilities that could be exploited to make the protocol or key functions unavailable to users.

  • Frozen Assets: Bugs that may cause user or protocol assets to be locked in a contract.

Medium Severity

Medium-severity vulnerabilities are issues that, while not immediately catastrophic, could still result in significant problems if left unaddressed. These issues might impact the functionality or availability of the protocol, potentially leading to moderate financial losses or operational disruptions. Examples include:

  • Potential Asset Drainage: Privileged roles (owner, admin, upgrader) that can misuse their power to drain assets or otherwise harm the protocol. These are rated Medium rather than High because exploitation requires a malicious or compromised privileged key, but they should still be constrained (for example with scoped permissions or a multisig).

  • Insufficient Access Control: Weaknesses in the implementation of roles and permissions that could allow unauthorized access or actions within the protocol.

  • Inadequate Pausable Functionality: Absence of mechanisms to pause operations during emergencies, increasing the risk of unmitigated damage in the event of an attack.

  • External Dependencies: Reliance on unaudited external libraries or systems, which could introduce vulnerabilities outside of the immediate control of the protocol developers.

  • Uninitialized Variables or Functions: Storage variables left at their default value, or initializer functions that are never called (or can be called by anyone), so the contract behaves unpredictably under certain conditions.

Low & Informational Severity

Low-severity and informational findings are minor issues with little impact on the protocol's security or functionality, but we still recommend fixing them before deployment. These might include:

  • Gas Optimizations: Opportunities to improve the efficiency of the code, potentially reducing transaction costs for users by optimizing gas consumption.

  • Lack of Test Coverage: Insufficient testing of critical functions, which could lead to overlooked issues or bugs during deployment or operation.

  • Code Clarity and Maintainability: Minor issues such as inconsistent naming conventions, hardcoded values instead of constants, unused imports, or lack of inline comments, which can make the code harder to read and maintain.

  • Non-Adherence to Best Practices: Issues like not following the Checks-Effects-Interactions (CEI) pattern. A CEI violation is rated Low only when no exploitable reentrancy path results (for example, the external call targets a trusted contract or a reentrancy guard is in place); if an attacker can actually re-enter and drain funds or corrupt state, the finding is rated by its impact, which is High.

  • Problematic Code Patterns: Code flow that doesn't pose an immediate risk but may introduce vulnerabilities on future upgrades.
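The following is an added illustrative example, not Ginger Security's code or a client's, showing two of the items above side by side: a minimal ETH vault whose `withdraw` performs the external call before updating state (the CEI violation under "Non-Adherence to Best Practices", exploitable here, so it would actually be rated High as asset theft), an attacker contract that re-enters it, and a hardened version that follows Checks-Effects-Interactions, adds a reentrancy guard, and exposes an owner-controlled pause (the "Inadequate Pausable Functionality" item). Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original page). VulnerableVault performs the
// external call before zeroing the balance; HardenedVault follows
// Checks-Effects-Interactions, adds a reentrancy guard and an emergency pause.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BUG: the external call happens while balances[msg.sender] is still
    // non-zero. A malicious contract's receive() can call withdraw() again
    // and drain the vault one deposit's worth at a time.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");          // Check
        (bool ok, ) = msg.sender.call{value: amount}("");    // Interaction
        require(ok, "transfer failed");
        balances[msg.sender] = 0;                            // Effect (too late)
    }
}

// Attacker contract that exploits the ordering bug above.
contract Reenter {
    VulnerableVault public immutable vault;

    constructor(VulnerableVault _vault) {
        vault = _vault;
    }

    // Deposit once, then start the withdraw loop.
    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    // Called by the vault's low-level call; re-enters while the vault
    // still holds at least one more deposit's worth of ETH.
    receive() external payable {
        if (address(vault).balance >= msg.value) {
            vault.withdraw();
        }
    }
}

contract HardenedVault {
    mapping(address => uint256) public balances;
    address public immutable owner;
    bool public paused;
    uint256 private _locked = 1; // 1 = unlocked, 2 = locked

    // Simple mutex: a nested call into any nonReentrant function reverts.
    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Emergency stop: lets the team halt deposits and withdrawals while an
    // incident is investigated.
    function setPaused(bool _paused) external {
        require(msg.sender == owner, "not owner");
        paused = _paused;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Checks-Effects-Interactions: state is updated before the external call,
    // so even without the guard a re-entrant call would find a zero balance.
    function withdraw() external nonReentrant whenNotPaused {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");          // Check
        balances[msg.sender] = 0;                            // Effect
        (bool ok, ) = msg.sender.call{value: amount}("");    // Interaction
        require(ok, "transfer failed");
    }
}
```

To reproduce the finding, deploy `VulnerableVault`, fund it with a few honest deposits, then deploy `Reenter` pointing at it and call `attack()` with one deposit's worth of ETH: the vault is emptied in a single transaction. Repeating the same steps against `HardenedVault` reverts with "reentrant call" on the nested `withdraw`, and after `setPaused(true)` every deposit and withdrawal reverts with "paused".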


Experienced in

EVM

Starknet

Aptos

Sui

Bitcoin (UTXO scripting)
