A DeFi protocol came to us with a working v0 contract suite that wouldn't pass a serious audit. We rewrote it on OpenZeppelin foundations, applied formal verification to the critical paths, and shipped to production after passing four independent audits.
The client had a v0 protocol that worked in testnet, a launch date their treasury was committed to, and a first audit report that came back with a wall of high-severity findings. Re-engagement with the audit firm would have meant another six-week wait. The path forward was either to patch the existing code and risk a partial fix, or to commit to a clean rewrite on a defensible foundation.
The leadership team chose the rewrite. They came to us because they wanted contracts that wouldn't be the source of the protocol's first incident.
We replaced custom-rolled access control, pausing, upgradeability, and ERC implementations with OpenZeppelin's audited primitives. Where we needed custom logic, we built on top of those primitives rather than reinventing them. Every contract had a single, named owner, a clear upgrade path (or explicit immutability), and explicit role-based access on every state-changing function.
Before the first line of new Solidity, we wrote the threat model: economic attacks (flash loan, oracle manipulation, rounding, slippage), governance attacks, upgrade-path attacks, integration attacks (integrators calling us in unexpected ways). Each threat got a corresponding test family in Foundry.
Unit tests are the floor, not the ceiling. We wrote invariants — properties that must hold across any sequence of valid calls — and let Foundry's fuzzer hunt for violations. By the end of the build we had over 30 protocol invariants under continuous fuzz testing in CI.
For the highest-stakes functions — swap math, fee accrual, share-token issuance — we used Certora to prove key properties hold for all inputs. Formal verification is expensive in author-hours, so we scoped it tightly to the parts of the system where a math bug equals stolen funds.
We engaged four audit firms in sequence, with disjoint specialties: one for general Solidity, one for economic/oracle, one for governance and upgradeability, one for integration risk. Each round produced findings that the next round didn't catch — proving the value of independent audits versus a single firm.
"In Solidity, the cheapest line of code is the one you didn't write. OpenZeppelin contracts are not a shortcut — they are the senior engineering decision."
Four independent audits passed. Production launch hit the date the treasury was committed to. The protocol shipped without a known high-severity bug. Post-launch, the protocol has run uneventfully — which in DeFi is the only result that matters.
The team also kept the engineering hygiene we put in. Months after launch, new features still ship through the threat model, the invariant suite, and the multi-audit cadence. That cultural transfer is the part of the engagement we are most proud of — the contracts will outlast our involvement.
We treat smart-contract code as a production system that fails publicly and irreversibly. That posture — paranoid, OZ-first, threat-modeled, invariant-tested, multi-audited — is what makes an engagement either a successful launch or an Etherscan post-mortem. There is no third option in DeFi.
DeFi rewrites, audit prep, formal verification on critical paths. NDA standard.
