# Recon — Complete AI-Readable Content

> Smart contract security audits powered by invariant testing

## Company Overview

Recon provides smart contract security audits powered by invariant testing (property-based fuzzing). Our team of experienced security researchers combines manual code review with automated invariant test suites that systematically explore your contract's state space — catching vulnerabilities that traditional security audits miss.

We specialize in DeFi protocol security: lending markets, liquid staking, tokenized vaults (ERC-4626), DEX protocols, governance systems, and cross-chain bridges. Our auditors have found critical vulnerabilities in protocols managing billions in TVL — including reentrancy bugs, oracle manipulation vectors, liquidation logic flaws, rounding errors that bypass caps, integer overflow causing permanent DOS, and insolvency from incorrect accounting.

### Why Choose Recon for Your Smart Contract Audit
- **Invariant testing finds bugs manual review misses** — we generate millions of random transaction sequences testing your protocol's critical properties
- **You keep the test suite** — every audit includes a reusable invariant test suite that runs in CI, catching regressions forever
- **DeFi-native expertise** — our team includes a top Code4rena judge, the creator of EchidnaToFoundry, and engineers who've built and secured DeFi protocols firsthand
- **Cloud-powered fuzzing** — Recon Pro runs Echidna, Medusa, Halmos, and Foundry in the cloud with zero infrastructure overhead
- **Formal verification** — Halmos symbolic execution provides mathematical security guarantees for arithmetic properties
- **Continuous security** — not just a point-in-time audit; your test suite runs in CI on every commit, catching regressions forever
- **50+ critical and high severity bugs found** — across lending, staking, vault, governance, and bridge protocols
- **Get a Proposal in 24 Hours** — transparent pricing, fixed quotes within 48 hours of codebase review

### Trust Signals
- **$3B+** — Aggregate TVL protected across DeFi protocols including lending, staking, vaults, and governance
- **$20M+** — Funds saved through critical bug findings and vulnerability prevention using Recon Pro cloud fuzzing
- **12.5k+** — Cloud fuzzing campaigns run with Recon Pro — stateful fuzzing with Echidna, Medusa, Halmos, and Foundry
- **50+** — Critical and high severity vulnerabilities found across DeFi protocols through smart contract security audits and invariant testing

[Request an Audit](https://tally.so/r/w2Vqxb) — Get Your smart contract security audit quote within 48 hours

### Chains and Languages Supported
Solidity smart contracts on all EVM-compatible chains: Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, Fantom, Gnosis Chain, zkSync, Scroll, Linea, Blast, Mode, and more. We support Foundry, Hardhat, and custom build configurations.

### What We Audit
- **DeFi protocols**: Lending markets, DEX, liquid staking, yield vaults (ERC-4626), stablecoin systems, governance, bridges
- **Token contracts**: ERC-20, ERC-721, ERC-1155, custom token standards, vesting, airdrop contracts
- **Infrastructure**: Multisig wallets, cross-chain bridges, oracle integrations, upgradeable proxy contracts
- **Vulnerability classes**: Reentrancy, flash loan attacks, oracle manipulation, integer overflow, access control, sandwich extraction, rounding errors, state machine bugs, liquidation cascading, storage collision, denial of service

### Key Links
- Website: https://getrecon.xyz
- Documentation: https://book.getrecon.xyz
- Audit Reports: https://github.com/Recon-Fuzz/audits
- Request an Audit: https://tally.so/r/w2Vqxb — Get a quote within 48 hours
- Telegram: https://t.me/GalloDaSballo — Talk to our security researchers directly

---

## Services

### Smart Contract Security Audit Services
*Thorough manual review combined with invariant testing — the most rigorous approach to smart contract security available today.*
URL: https://getrecon.xyz/services/smart-contract-audit

#### Why Invariant-Powered Audits Find More Bugs
Traditional audits rely on manual review alone. Our approach pairs experienced security researchers with invariant test suites that systematically explore your contract's state space. This means we catch not just the obvious bugs, but edge cases that only surface under complex multi-transaction sequences — the kind that cause real exploits in production.

#### Audit Methodology Comparison
Not all audit approaches are equal. Here's how invariant-powered audits stack up against alternatives.

| Approach | State Space Coverage | Multi-Tx Sequences | Ongoing Protection | Cost Efficiency |
| --- | --- | --- | --- | --- |
| Invariant Testing + Manual Review (Recon) | Exhaustive | Yes — stateful fuzzing | Yes — reusable test suite | High — catches more per dollar |
| Traditional Manual Audit | Limited to reviewer skill | Rarely tested | No — point-in-time | Medium |
| Automated Scanners (Slither, etc.) | Pattern-based only | No | No | Low cost but low coverage |
| Formal Verification | Mathematical proof | Yes — if modeled | Breaks on code changes | Very expensive |

#### What You Get
Every Recon audit includes a detailed findings report, severity classification, remediation guidance, and a full invariant test suite you keep. The test suite continues protecting your codebase after the audit — run it in CI, extend it as you ship new features, or use Recon Pro to run it in the cloud.

#### Chains and Languages Supported
We audit Solidity smart contracts across all major EVM-compatible chains: Ethereum, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, and more. Our tooling supports Foundry, Hardhat, and custom build setups.

#### Frequently Asked Questions
**Q: How much does a smart contract audit cost?**
A: Audit pricing depends on codebase size, complexity, and scope. A typical engagement for a focused protocol (1,000-5,000 nSLOC) ranges from $30K-$80K. Contact us for a tailored quote — we'll review your codebase and provide a fixed price within 48 hours.

**Q: How long does an audit take?**
A: Most audits take 2-4 weeks depending on codebase complexity. We can accommodate faster timelines for time-sensitive launches. The invariant test suite is delivered alongside the audit report.

**Q: What's included in the audit deliverables?**
A: You receive a detailed findings report with severity ratings, detailed descriptions, remediation recommendations, and proof-of-concept exploits for critical and high findings. You also get a full [invariant test suite](/learn/invariant-testing) that you keep and can run indefinitely.

**Q: Do you audit protocols that are already deployed?**
A: Yes. We regularly audit live protocols before upgrades, new feature deployments, or as part of ongoing security programs. We can fork mainnet state for realistic testing.

**Q: Do you need a smart contract audit?**
A: If your contract holds user funds, has admin roles, is upgradeable, or integrates with external protocols, you need an audit. See our [full decision checklist](/blog/do-you-need-smart-contract-audit) to determine the right type of security review for your situation.

**Q: What makes Recon different from other audit firms?**
A: We combine top-tier manual review with invariant testing for comprehensive [smart contract security](/learn/smart-contract-security). This means you get both expert human judgment and systematic state-space exploration. Our team includes a top Code4rena judge, the creator of EchidnaToFoundry, and engineers who've protected hundreds of millions in TVL.

**Q: How do I choose the best smart contract auditor?**
A: Look for firms that deliver executable test suites, not just PDF reports. Ask for [case studies with real bugs found](/blog/how-we-found-real-vulnerabilities-with-fuzzing) and verify they do invariant testing. Check whether they've got experience on your chain and framework. A good auditor should also help you understand [whether you need an audit at all](/blog/do-you-need-smart-contract-audit) and what level of engagement fits your [budget](/blog/smart-contract-audit-cost-pricing-guide).

**Related search terms:** smart contract audit, smart contract security audit, solidity audit, code review, security audit, blockchain audit, smart contract audit cost, smart contract audit services, best smart contract auditor

#### Ready to Secure Your Protocol?
Get a quote for your smart contract audit in 48 hours. [Send Audit Request](https://tally.so/r/w2Vqxb)

### DeFi Protocol Security Audit
*DeFi-native security researchers who understand composability risks, economic attacks, and protocol-specific vulnerability patterns.*
URL: https://getrecon.xyz/services/defi-security-audit

#### DeFi Requires DeFi-Native Auditors
DeFi protocols face unique threats that generic auditors miss: oracle manipulation, flash loan attacks, composability risks, economic exploits, and governance vulnerabilities. Our team has first-hand experience building and securing DeFi protocols — from lending markets to liquid staking to tokenized vaults.

#### DeFi Vulnerability Categories
Invariant testing is particularly effective for DeFi because it can explore complex multi-step attack paths that manual review alone would miss.

| Vulnerability Category | Example | How Invariant Testing Catches It |
| --- | --- | --- |
| Price Manipulation | Oracle stale price / TWAP manipulation | Fuzzes price feeds across extreme ranges while testing protocol invariants |
| Reentrancy | Cross-function / cross-contract reentrancy | Stateful sequences automatically test callback patterns |
| Economic Exploits | Donation attacks, sandwich extraction | Tests value conservation invariants across arbitrary transaction orderings |
| Access Control | Missing role checks, privilege escalation | Actor-based testing ensures unauthorized callers cannot break invariants |
| Rounding Errors | Share inflation, precision loss in yields | Arithmetic invariants catch rounding issues across millions of operations |
| Liquidation Logic | Cascading liquidations, bad debt accumulation | Stress-tests liquidation paths under extreme market conditions |

#### Protocols We've Secured
Our DeFi audit portfolio includes Liquity (BOLD v2), Centrifuge (ERC-7540 vaults), Badger DAO, Corn, Credit Coop, Apollon, Beraborrow, and more. We've helped protect over $3 billion in aggregate TVL across lending, staking, vault, and governance protocols.

#### Frequently Asked Questions
**Q: Do you have experience with lending protocol audits?**
A: Yes. We've audited lending protocols including Liquity v2 (BOLD), and have deep experience with Aave, Compound, and custom lending architectures. Our invariant suites specifically test solvency, liquidation, and interest rate invariants.

**Q: Can you audit DeFi protocols with complex composability?**
A: Absolutely. Our invariant testing approach is designed for composability — we test how your protocol behaves when interacting with external contracts, oracles, and other DeFi primitives under adversarial conditions.

**Q: Do you test for economic attacks like flash loan exploits?**
A: Yes. Our invariant test suites include value conservation properties that catch economic attacks including flash loan exploits, sandwich extraction, donation attacks, and other value extraction vectors.

**Q: How do you handle protocols with upgradeable or proxy contracts?**
A: We audit the implementation contracts and verify that upgrade paths don't introduce storage collisions or break existing invariants. We can also write invariant tests that validate behavior across upgrades.

**Q: How much does a DeFi security audit cost?**
A: DeFi audit pricing depends on protocol complexity and scope. A focused DeFi protocol (1,000-5,000 nSLOC) typically runs $30K-$80K for combined manual review and invariant testing. Larger protocols with multiple integrations can reach $120K+. See our [full pricing breakdown](/blog/smart-contract-audit-cost-pricing-guide) for details by audit type.

**Related search terms:** defi audit, defi security audit, protocol security, defi security, lending audit, dex audit, DeFi protocol security, DeFi vulnerability, DeFi audit pricing, oracle manipulation audit, liquidation audit

#### Secure Your DeFi Protocol
Talk to our DeFi security specialists about your protocol's needs. [Send Audit Request](https://tally.so/r/w2Vqxb)

### Invariant Testing & Fuzzing Services
*We write the invariant tests that catch the bugs your manual audit missed — then hand you a test suite you can run forever.*
URL: https://getrecon.xyz/services/invariant-testing-services

#### What Is Invariant Testing?
Invariant testing (also called [property-based testing](/learn/property-based-testing) or fuzzing) defines properties that must always hold true in your smart contract — like "total assets must equal sum of all deposits minus withdrawals" or "no user can withdraw more than they deposited." A fuzzer then generates millions of random transaction sequences trying to break these properties. If it finds a violation, you have a concrete exploit path to fix.

#### Recon vs Other Approaches
Here's how Recon's invariant testing compares to alternative security approaches.

| Approach | Bug Classes Found | Ongoing Value | Setup Time | Maintenance |
| --- | --- | --- | --- | --- |
| Recon Invariant Testing | Logic, economic, state machine, arithmetic | Reusable test suite + CI integration | 1-3 weeks | Low — extend as you ship |
| Manual Audit Only | Depends on reviewer expertise | Point-in-time report | 2-4 weeks | Re-audit for changes |
| Static Analysis | Known patterns only | Fast but shallow | Minutes | High false-positive rate |
| Formal Verification | Mathematically proven properties | Breaks when code changes | Months | Very high — re-prove everything |

#### How It Works
1. We analyze your codebase and define the critical invariants with your team. 2. We scaffold the test suite using the Recon framework — Echidna, Medusa, [Halmos](/learn/halmos), or Foundry depending on your needs. 3. We run the suite in the cloud using Recon Pro, iterating until we reach full coverage. 4. We deliver the test suite with documentation so your team can maintain and extend it. 5. You run it in CI on every commit, catching regressions before they ship.

#### Cloud-Powered with Recon Pro
Recon Pro lets you run invariant tests in the cloud with no infrastructure management. Queue runs, view results, share with your team — all from the browser. During engagements, unlimited cloud runs are included so we can iterate rapidly.

#### Frequently Asked Questions
**Q: What is invariant testing for smart contracts?**
A: Invariant testing defines properties (invariants) that must always be true in your contract, then uses a fuzzer to generate millions of random transaction sequences trying to violate them. It's a form of [property-based testing](/learn/property-based-testing) and the most effective way to find logic bugs, economic exploits, and edge cases that manual review misses.

**Q: How long does an invariant testing engagement take?**
A: Typically 1-3 weeks for a focused scope. Complex protocols may take longer. The deliverable is a full test suite you own — not just a report.

**Q: What fuzzing tools do you use?**
A: We use Echidna, Medusa, [Halmos](/learn/halmos), and Foundry fuzz testing depending on the project's needs. Our Recon framework scaffolds test suites across all of these tools from a single property definition.

**Q: Can I run the invariant tests after the engagement ends?**
A: Yes. You own the test suite. Run it locally, in CI, or in the cloud with Recon Pro. Extend it as you add features.

**Q: How does invariant testing compare to unit testing?**
A: Unit tests verify specific scenarios you think of. Invariant tests verify properties across millions of random scenarios the fuzzer generates — including ones you'd never think to write. They're complementary: unit tests for known cases, invariant tests for unknown unknowns.

**Q: How do I write my first invariant test?**
A: Start by identifying a property that should always hold — like 'total shares times price per share equals total assets.' Then scaffold a test harness using Chimera, define the property as a boolean function, and run it with a fuzzer. Our [step-by-step tutorial](/blog/how-to-write-first-invariant-test) walks you through writing three properties for a Solidity vault in under 30 minutes.

**Related search terms:** invariant testing, property-based testing, smart contract fuzzing, fuzzing services, invariant test suite, formal verification, continuous security testing, Echidna fuzzing, Medusa fuzzer

#### Get Invariant Testing for Your Protocol
Talk to our fuzzing engineers about building a test suite for your codebase. [Send Audit Request](https://tally.so/r/w2Vqxb)

### Solidity Smart Contract Audit
*Deep Solidity expertise combined with automated invariant testing — covering every EVM chain from Ethereum to L2s.*
URL: https://getrecon.xyz/services/solidity-security-audit

#### Solidity-Specific Expertise
Our team includes a top Code4rena judge, the creator of EchidnaToFoundry, and engineers who've built and secured Solidity codebases handling hundreds of millions of dollars. We know Solidity's edge cases intimately — from storage layout quirks to ABI encoding pitfalls to compiler-version-specific behaviors.

#### Common Solidity Vulnerability Types
Our audits and invariant test suites specifically target these Solidity vulnerability patterns.

| Vulnerability | Severity | How We Detect It |
| --- | --- | --- |
| Reentrancy (cross-function, cross-contract) | Critical | Stateful fuzzing with callback simulation |
| Integer overflow/underflow | High | Arithmetic invariants tested across extreme values |
| Access control misconfigurations | Critical | Actor-based testing with unauthorized callers |
| Storage collision (proxies/upgrades) | High | Storage layout validation + upgrade testing |
| Unchecked return values | Medium | Manual review + pattern detection |
| Front-running / tx ordering | High | Random transaction ordering in fuzzer |
| Denial of service (gas griefing) | Medium | Gas-bounded invariant testing |
| Logic errors in state machines | High | State transition invariants with full coverage |

#### EVM Chains Supported
We audit Solidity contracts deployed on Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, Fantom, Gnosis Chain, zkSync, Scroll, Linea, Blast, Mode, and any EVM-compatible chain. Our testing infrastructure supports mainnet forking for realistic state simulation.

#### Tooling Integration
We work with your existing development setup — Foundry, Hardhat, or custom configurations. Our Recon framework integrates with your build pipeline so the invariant test suite runs seamlessly alongside your existing tests.

#### Frequently Asked Questions
**Q: Which Solidity versions do you support?**
A: We audit all Solidity versions from 0.4.x through the latest 0.8.x releases. Our tooling handles legacy codebases, including pre-SafeMath contracts, with specialized support.

**Q: Do you audit across all EVM chains?**
A: Yes. We audit Solidity contracts on Ethereum, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, and any EVM-compatible chain. We can fork any chain's state for testing.

**Q: Can you audit Solidity contracts that use inline assembly or Yul?**
A: Yes. Our researchers have deep EVM-level expertise and regularly audit contracts with inline assembly, Yul blocks, and custom precompile interactions.

**Q: Do you support Foundry and Hardhat projects?**
A: Yes. We work with both Foundry and Hardhat setups, as well as custom build configurations. Our invariant test suites are delivered in the framework your team already uses.

**Related search terms:** solidity audit, solidity security audit, evm audit, ethereum audit, solidity smart contract audit, reentrancy audit, access control audit, EVM security

#### Get Your Solidity Audit Started
Send us your codebase for a quote within 48 hours. [Send Audit Request](https://tally.so/r/w2Vqxb)

### Smart Contract Fuzzing Services
*Cloud-powered fuzzing infrastructure that runs Echidna, Medusa, Halmos, and Foundry — 12,500+ campaigns and counting.*
URL: https://getrecon.xyz/services/fuzzing-smart-contracts

#### What Is Smart Contract Fuzzing?
Fuzzing generates random inputs and transaction sequences to test your smart contracts for unexpected behavior. Stateful fuzzing (what Recon specializes in) maintains contract state across sequences, enabling it to find complex multi-step bugs that simpler testing approaches miss entirely.

#### Fuzzing Tools Comparison
We use the right tool for each job. Here's how the major smart contract fuzzers compare.

| Tool | Type | Strengths | Best For |
| --- | --- | --- | --- |
| Echidna | Property-based fuzzer | Mature, corpus-driven, grammar-based input generation | Complex stateful protocols, production-grade invariant suites |
| Medusa | Property-based fuzzer | Parallel execution, fast coverage, Go-based | Large codebases that benefit from parallelism |
| Halmos | Symbolic execution | Mathematical completeness, bounded model checking | Arithmetic properties, formal guarantees for bounded inputs |
| Foundry Fuzz | Stateless fuzzer | Fast iteration, integrated with Foundry workflow | Quick property checks, unit-test-adjacent fuzzing |

#### Recon Pro: Cloud Fuzzing Infrastructure
Recon Pro removes the infrastructure burden from fuzzing. Queue campaigns, monitor progress, view coverage reports, and share results — all from the browser. No Docker setup, no cloud provisioning, no DevOps overhead. We've run over 12,500 cloud fuzzing campaigns for teams building on Ethereum, L2s, and beyond.

#### Stateful vs Stateless Fuzzing
Stateless fuzzing tests individual functions with random inputs. Stateful fuzzing chains multiple function calls together, maintaining contract state between calls — mimicking how contracts are actually used in production. This is critical for finding bugs that only appear after specific sequences of actions, like the multi-step exploits behind most major DeFi hacks.

#### Frequently Asked Questions
**Q: What is smart contract fuzzing?**
A: Smart contract fuzzing automatically generates random transaction sequences to test your contracts for vulnerabilities. It's a form of [property-based testing](/learn/property-based-testing) where stateful fuzzing maintains state across calls, finding complex bugs that unit tests and manual review miss.

**Q: What's the difference between stateful and stateless fuzzing?**
A: Stateless fuzzing tests individual functions in isolation with random inputs. Stateful fuzzing chains multiple calls together, maintaining contract state — this finds multi-step exploits that stateless fuzzing can't reach.

**Q: Can I run fuzzing in the cloud?**
A: Yes. Recon Pro provides cloud fuzzing infrastructure — queue campaigns, view results, and share with your team without managing any infrastructure. We've run 12,500+ cloud campaigns.

**Q: How does fuzzing compare to formal verification?**
A: Fuzzing is faster to set up and more practical for real-world codebases. Formal verification provides mathematical guarantees but is expensive, slow, and breaks when code changes. Most teams get better ROI from fuzzing. Tools like [Halmos](/learn/halmos) offer a middle ground with bounded symbolic execution.

**Q: How much code coverage does fuzzing achieve?**
A: With a well-written invariant test suite, we typically achieve 90-100% line coverage and high branch coverage. Recon Pro provides detailed coverage reports so you can see exactly what's been tested.

**Related search terms:** smart contract fuzzing, fuzz testing, echidna fuzzing, medusa fuzzer, property-based testing, invariant fuzzing, cloud fuzzing, stateful fuzzing, Halmos symbolic execution, Foundry fuzz testing

#### Start Fuzzing Your Smart Contracts
Talk to our fuzzing engineers or try Recon Pro. [Send Audit Request](https://tally.so/r/w2Vqxb)

---

## Audit Portfolio

Our security audit portfolio includes DeFi protocols across lending, liquid staking, tokenized vaults (ERC-4626), governance, stablecoin systems, and cross-chain infrastructure. Each smart contract security audit combines manual code review by experienced security researchers with comprehensive invariant testing, stateful fuzzing via Recon Pro, and formal verification with Halmos.

- **Liquity** — [Audit Report](https://github.com/Recon-Fuzz/audits/blob/main/bold-report.md)
- **Beraborrow** — [Audit Report](https://1570492309-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FffzDCMBDa391vIMqruBP%2Fuploads%2FDLz8dzCO2O7SWGHBDJkj%2FRecon%20Beraborrow.pdf?alt=media&token=6b328d0d-d65f-4f27-913b-d4a867889af7)
- **Quill Finance** — [Audit Report](https://github.com/Recon-Fuzz/audits/blob/main/Quill_Finance_Report.md)
- **Balancer DAO** — [Audit Report](https://github.com/Recon-Fuzz/audits/blob/main/Balancer_Report.md)
- **Kleidi** — [Audit Report](https://github.com/Recon-Fuzz/audits/blob/main/Kleidi_Report.md)
- **Apollon** — [Audit Report](https://github.com/Recon-Fuzz/audits/blob/main/Apollon_Report.md)
- **Credit Coop** — Private security audit report

All audit reports: https://github.com/Recon-Fuzz/audits
[Request an Audit](https://tally.so/r/w2Vqxb) — Get a quote for your smart contract security audit within 48 hours

---

## Notable Vulnerability Findings

Real bugs found by Recon's security researchers through smart contract security audits and invariant testing. Each finding includes severity classification, description, and proof-of-concept evidence — demonstrating how stateful fuzzing with Echidna, Medusa, and manual code review work together to catch critical and high severity DeFi vulnerabilities including reentrancy, oracle manipulation, liquidation bugs, overflow, and access control flaws.

- **Cap Money** — [Agent health changes after realizeRestakerInterest](https://github.com/Recon-Fuzz/cap-invariants/blob/main/README.md#m-01-med-agent-health-changes-after-realizerestakerinterest) (Medium severity): Smart contract fuzzing found accounting desync vulnerability in DeFi staking protocol — stateful fuzzing with Recon Pro. [Fuzzing logs and proof](https://getrecon.xyz/shares/9e26f083-5fb1-40bd-987d-ce184d1f8676)
- **Spine Finance** — [Permanent DOS and loss of funds when Y reaches 0](https://github.com/Recon-Fuzz/audits/blob/main/Spine_Finance_Review.MD#h-02) (Critical severity): Critical vault vulnerability causing permanent loss of funds — invariant testing with a lossy vault identified this edge case in the DeFi lending protocol. [Fuzzing logs and proof](https://getrecon.xyz/shares/c669e7f5-9650-4979-b0c8-863331a6737f/report)
- **Badger** — [Insolvency due to Incorrect Accounting](https://gist.github.com/GalloDaSballo/564e16b9cfa9bcf998e3778fdb297045#critical) (Critical severity): Critical DeFi vault accounting vulnerability in remBADGER — invariant testing caught insolvency risk before exploitation. [Fuzzing logs and proof](https://getrecon.xyz/shares/76293e5b-de71-4636-b67b-501c32a7dc57)
- **TapiocaDAO** — [Overflow causes Permanent DOS in twTAP](https://github.com/code-423n4/2024-02-tapioca-findings/issues/55) (High severity): Integer overflow vulnerability causing permanent denial of service — the only security researcher who wrote a proof-of-concept exploit. [Fuzzing logs and proof](https://getrecon.xyz/shares/d62b2bb7-98cf-400c-85af-b1cfb254a5e7)
- **Centrifuge** — [Rounding errors allows bypassing caps](https://getrecon.substack.com/p/lessons-learned-from-fuzzing-centrifuge-059) (Medium severity): Invariant Tests helped prevent a notoriously hard to detect edge case. [Fuzzing logs and proof](https://getrecon.xyz/shares/bdafeee2-9a2c-45f4-90aa-420f5bc01ff6)
- **Corn** — [Insolvency due to Incorrect Accounting](https://gist.github.com/GalloDaSballo/1810dbd7e4a339647fc66d190c1d1e51) (Critical severity): Invariant Testing quickly found a mistake in accounting and helped ensure all subsequent changes were safe. [Fuzzing logs and proof](https://staging.getrecon.xyz/shares/9653d22a-e2e1-453c-8c67-b23912a578e3)
- **Credit Coop** — [Rounding allows bypassing minting cap](https://gist.github.com/nican0r/38a7135b02ec608a290bfea1d263ef6f) (Medium severity): Invariant testing helped identify a rounding issue allowing a minting cap to be bypassed. [Fuzzing logs and proof](https://github.com/Recon-Fuzz/audits?tab=readme-ov-file#invariant-testing)
- **TapiocaDAO** — [Incorrect decoding in decodeLockTwpTapDstMsg](https://github.com/code-423n4/2024-02-tapioca-findings/issues/69) (Medium severity): Showing how Invariant tests could have caught this. [Fuzzing logs and proof](https://getrecon.xyz/shares/eb700590-2f8c-4039-9288-eaff5e0090fe)

---

## Team

Our security researchers bring deep expertise in smart contract auditing, invariant testing, DeFi protocol security, Solidity development, formal verification, and property-based fuzzing. The team includes competitive audit judges, open-source tooling creators, and engineers who have built and secured DeFi protocols managing hundreds of millions in TVL — spanning lending, staking, vaults, governance, and cross-chain bridges.

- **Alex** — Security researcher. Top C4 Judge. Former Badger Lead Dev. Bug findings across major DeFi protocols.. [Twitter](https://x.com/GalloDaSballo) | [GitHub](https://github.com/GalloDaSballo)
- **Antonio** — Security researcher. Creator of EchidnaToFoundry. Author of the most-read articles on invariant testing.. [Twitter](https://x.com/agfviggiano) | [GitHub](https://github.com/aviggiano)
- **Nican0r** — Lead Invariants Engineer. Lead Invariants Engineer. Centrifuge, Liquity, Corn, and more.. [Twitter](https://x.com/nican0r) | [GitHub](https://github.com/nican0r)
- **Kn0t** — Lead Invariants Engineer. Lead Invariants Engineer. Driving R&D and next-gen fuzzing tools at Recon.. [Twitter](https://x.com/0xknot) | [GitHub](https://github.com/0kn0t)
- **0xsi** — Software engineer && Invariants Engineer. Lead Software Engineer. Built core Recon Pro and cloud fuzzing features.. [Twitter](https://x.com/_0xsi) | [GitHub](https://github.com/Simon-Busch)
- **Deivitto** — Security Researcher, Senior Full Stack Engineer, UX & AI Engineer. Security Researcher. Full-stack engineer bridging security and AI tooling.. [Twitter](https://x.com/deaborgin) | [GitHub](https://github.com/Deivitto)

---

## Client Testimonials

What DeFi protocol teams say about working with Recon for smart contract security audits and invariant testing engagements.

> "We worked with the phenomenal
@getreconxyz
 team to get invariant testing coverage for the
@centrifuge
  ERC-7540 implementation, leveraging their Recon Pro platform.
  Looking forward to seeing where
@getreconxyz
 goes next, they have ambitious plans to take invariant testing to the next level!"
> — **Jeroen**, CTO at [Centrifuge](https://centrifuge.io)

> "We first met Alex during some excellent security discussions re: Liquity v1. The breadth and depth of his audit of our v2 exceeded expectations - particularly impressive for a solo effort. He uncovered several technical, arithmetic and economic issues and discussed them with us in detail. I'd highly recommend his manual reviews for any DeFi team that takes their security seriously."
> — **Rick**, Cofounder at [Liquity](https://www.liquity.org)

> "Recon has allowed us to speed up the development of invariant tests immensely. We are able to create and execute test suites in the cloud effortlessly with virtually no boilerplate code. I highly recommend using Recon to automate your fuzzing setup."
> — **James**, Lead Dev at [Badger DAO](https://badger.com)

> "The recon team is continuously innovating to make invariant testing vastly more accessible to projects, which makes a meaningful difference in security outcomes. They bring their broad expertise in and passion for web3 security to any engagement above and beyond the specified scope."
> — **Dapp**, Cofounder at [Corn](https://usecorn.com)

> "Engaging with Alex&Lourens showed great proactiveness to answer deep-technical Qs along the process and help to discuss together items that require deeper drilling on invariants, really valuable not only their ability to answer Qs, but educating you on the process and empowering your team for better understanding of invariants on your architecture!"
> — **Petrovska**, Cofounder at [Onchainification](https://onchainification.xyz)

> "Alex has an incredible eye for detail, leaving no stone unturned during our audit. His review helped us gain confidence in our codebase before going to a competitive audit. I would highly recommend Alex's security services to anyone building smart contract systems."
> — **Elliot**, Founder at [Solidity Labs](https://soliditylabs.io)

> "We worked together with Alex to review a Safe module for our DAO multi-sig. We really valued his proactiveness and quick response times so that we could ship in a timely manner. 🚀"
> — **Xeonus**, Balancer Maxis at [Balancer DAO](https://balancer.fi)

> "The ROI on our engagement with Recon was extremely high. They built an invariant test suite that uncovered hard-to-spot high-severity issues and gave us a powerful tool to ship with confidence.

Moving forward, invariant testing will be core to our smart contract development at Credit Coop. When we do our next audit, Recon will have to be a part of the picture."
> — **Thomas Hepner**, Cofounder & CTO at [Credit Coop](https://creditcoop.xyz)

> "Alex had the most transparent and interactive process of any auditor I've worked with. He was very proactive and provided in-depth analysis even beyond what was initially requested. In the end, our team was able to iterate on findings a lot quicker than we'd estimated, while also learning a huge amount along the way"
> — **Naps62.eth**, Cofounder & CTO at [Quill Finance](https://quill.finance)

[Request an Audit](https://tally.so/r/w2Vqxb) — Join these teams in securing your DeFi protocol with invariant testing

---

## Products

### Recon Pro — Cloud Fuzzing Platform
URL: https://getrecon.xyz/pro

Recon Pro is a cloud fuzzing platform for smart contract security testing. Run Echidna, Medusa, Halmos, and Foundry fuzz testing campaigns in the cloud — no Docker setup, no DevOps overhead. Queue invariant testing campaigns, monitor coverage, view detailed reports, and share results with your team from the browser.

**Key stats:** Over 12,500 stateful fuzzing campaigns run. Used by DeFi protocols managing $3B+ in TVL.

**Use cases:**
- Run invariant test suites during smart contract audits with unlimited cloud runs
- Continuous security testing in CI/CD — catch regressions before they ship to production
- Pre-audit fuzzing to maximize coverage before your security audit engagement
- Team collaboration — share fuzzing results and coverage reports across security researchers

[Request access to Recon Pro](https://tally.so/r/w2Vqxb)

### Recon Extension — VS Code Extension
URL: https://getrecon.xyz/extension

VS Code extension for scaffolding and running invariant tests locally. Write property-based tests for your Solidity smart contracts with guided setup, auto-generated test harnesses, and one-click execution. Integrates with Recon Pro for cloud fuzzing when you need more compute.

[Get the Recon Extension](https://getrecon.xyz/extension)

---

## How We Work

Recon supports your team at every stage of smart contract development — from early invariant test scaffolding through pre-audit coverage maximization, solo manual review, and full audit support with cloud fuzzing.

### Development Stages We Support

**Early Stage**
- Define key invariants & scaffold testers for your Solidity smart contracts
- Grow invariants alongside your codebase as your DeFi protocol evolves

**Pre-Audit**
- Reach 100% coverage with test repros using Echidna, Medusa, and Foundry
- Hand auditors meaningful states & broken properties for deeper smart contract security review

**Solo Review**
- Manual review by top security researchers with DeFi vulnerability expertise
- Paired with invariant testing for deeper coverage across lending, staking, and vault protocols

**Audit Stage**
- Add properties flagged by reviewers in real-time during your smart contract audit
- Reproduce bugs as invariant tests for regression safety across protocol upgrades
- Cloud runners for rapid fix testing — no weekend delays with Recon Pro fuzzing infrastructure

### Our Service Offerings

- **Manual Review**: A thorough smart contract security audit by top security researchers. Line-by-line Solidity code review focused on DeFi vulnerability patterns: reentrancy, oracle manipulation, access control, and liquidation bugs. Ideally paired with invariant testing for maximum coverage.
- **Invariant Test Writing**: Property-based testing written by an experienced fuzzing engineer. We define critical protocol invariants for DeFi security: solvency, access control, liquidation, and oracle integrity. Then we scaffold a comprehensive test suite with Echidna or Medusa, run formal verification with Halmos, and cloud-fuzz with unlimited Recon Pro campaigns during the engagement.
- **Recon Pro**: Cloud fuzzing as a service. Run smart contract fuzzing campaigns with Echidna, Medusa, Halmos, and Foundry for continuous security testing. No infrastructure setup, real-time coverage reports, and team collaboration built in. Over 12,500 campaigns run protecting DeFi protocols across lending, staking, vaults, and governance.

**Pricing:** Smart contract audit pricing depends on codebase size, complexity, and scope. A typical invariant testing engagement for a focused DeFi protocol (1,000–5,000 nSLOC) ranges from $30K–$80K. [Request a quote](https://tally.so/r/w2Vqxb) — we review your codebase and provide a fixed price within 48 hours.

---

## Protocols That Trust Recon

Recon has provided smart contract security audits and invariant testing engagements for leading DeFi protocols:

- **Liquity** (BOLD v2) — Decentralized lending protocol. [Audit report](https://github.com/Recon-Fuzz/audits/blob/main/bold-report.md)
- **Centrifuge** — Real-world asset tokenization with ERC-7540 vault implementation
- **Badger DAO** — Bitcoin DeFi yield vaults and smart contract security
- **Corn** — DeFi protocol with complex accounting and staking mechanisms
- **Balancer DAO** — DEX governance and Safe multisig module security audit
- **Credit Coop** — DeFi lending with invariant-tested minting cap protections
- **Apollon** — DeFi protocol security audit with comprehensive invariant coverage
- **Beraborrow** — Berachain-native lending protocol security assessment
- **Kleidi** — Smart contract wallet security audit
- **Quill Finance** — DeFi protocol with transparent interactive audit process
- **TapiocaDAO** — Cross-chain DeFi with LayerZero integration (competitive audit via Code4rena)

[Request an Audit](https://tally.so/r/w2Vqxb) — Join these protocols in securing your codebase with Recon


---

## Why Choose Recon Over Traditional Audit Firms

| Feature | Recon | Traditional Audit Firm | Automated Scanner |
| --- | --- | --- | --- |
| Manual code review by security researchers | Yes — top Code4rena judge, DeFi-native experts | Yes — varies by firm | No |
| Invariant testing / property-based fuzzing | Yes — every engagement includes a full test suite | Rarely offered | No |
| Stateful fuzzing with Echidna, Medusa, Halmos | Yes — cloud-powered via Recon Pro | No | No |
| Reusable test suite you keep | Yes — run in CI forever, extend as you ship | No — point-in-time report only | No |
| Cloud fuzzing infrastructure | Yes — Recon Pro, 12,500+ campaigns | No | N/A |
| DeFi-specific vulnerability expertise | Deep — lending, staking, vaults, governance, bridges | Varies | Pattern-matching only |
| Pricing transparency | Fixed quote within 48 hours | Often weeks to quote | Free/cheap but shallow |

[Request an Audit](https://tally.so/r/w2Vqxb) — Get a quote for your smart contract security audit within 48 hours


---

## Audit Process & Timeline

### How a Recon Smart Contract Security Audit Works
1. **Scoping** — Send your codebase via our [audit request form](https://tally.so/r/w2Vqxb). We review scope, complexity, and nSLOC count. You receive a fixed-price quote within 48 hours.
2. **Kickoff** — We onboard your team, establish communication channels, and align on critical invariants and protocol-specific security concerns.
3. **Manual Review** — Our security researchers perform line-by-line Solidity code review, focusing on DeFi-specific vulnerability patterns: reentrancy, oracle manipulation, access control, economic exploits, liquidation logic, and rounding errors.
4. **Invariant Testing** — We scaffold a comprehensive invariant test suite using Echidna, Medusa, or Foundry. We define properties that must always hold and run millions of stateful fuzzing transactions against your contracts using Recon Pro cloud fuzzing.
5. **Report Delivery** — You receive a detailed findings report with severity classification (Critical, High, Medium, Low), proof-of-concept exploits, remediation guidance, and the full invariant test suite.
6. **Fix Review** — We verify your fixes and confirm no regressions. The invariant test suite catches issues in your remediation.
7. **Ongoing Protection** — Keep the invariant test suite. Run it in CI on every commit. Use Recon Pro for cloud fuzzing as you ship new features.

### Typical Timelines
- **Focused scope** (1,000–3,000 nSLOC): 2–3 weeks, $30K–$50K
- **Medium scope** (3,000–5,000 nSLOC): 3–4 weeks, $50K–$80K
- **Large scope** (5,000+ nSLOC): 4–6 weeks, custom pricing

[Request an Audit](https://tally.so/r/w2Vqxb) — Get your tailored quote within 48 hours


---

## Frequently Asked Questions About Smart Contract Audits

**Q: How much does a smart contract audit cost?**
A: Smart contract audit pricing depends on codebase size, complexity, and scope. At Recon, a typical engagement for a focused DeFi protocol (1,000–5,000 nSLOC) ranges from $30K–$80K. We provide a fixed-price quote within 48 hours of reviewing your codebase. [Request a quote](https://tally.so/r/w2Vqxb).

**Q: What is invariant testing and why does it matter?**
A: Invariant testing defines properties that must always hold true in your smart contract, then uses a fuzzer to generate millions of random transaction sequences trying to break them. It catches vulnerabilities that manual code review alone misses — particularly complex multi-step exploits like reentrancy chains, oracle manipulation, and economic attacks.

**Q: What is the best smart contract audit firm for DeFi?**
A: The best audit firm depends on your protocol's needs, but for DeFi protocols that care about ongoing security, Recon stands out because every audit includes a reusable invariant test suite. Unlike traditional audit firms that deliver a point-in-time report, Recon gives you a testing tool that protects your codebase in CI forever. Our team includes a top Code4rena judge and the creator of EchidnaToFoundry.

**Q: What is smart contract fuzzing?**
A: Smart contract fuzzing generates random inputs and transaction sequences to test contracts for unexpected behavior. Stateful fuzzing maintains contract state across calls, finding complex multi-step bugs. Recon uses Echidna, Medusa, Halmos, and Foundry for cloud-powered fuzzing via Recon Pro.

**Q: How long does a smart contract audit take?**
A: Most Recon audits take 2–4 weeks depending on codebase complexity. Invariant testing runs in parallel with manual review using Recon Pro cloud fuzzing infrastructure.

**Q: Do you audit DeFi protocols on Layer 2 chains?**
A: Yes. We audit Solidity smart contracts on all EVM-compatible chains including Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, zkSync, Scroll, Linea, and more. We can fork any chain's state for realistic security testing.

**Q: What is formal verification for smart contracts?**
A: Formal verification uses mathematical proofs to guarantee that smart contract properties hold for all possible inputs. Recon uses Halmos for bounded symbolic execution — it provides formal verification guarantees within defined bounds while being practical enough for real-world DeFi codebases. We combine formal verification with stateful fuzzing for the most thorough smart contract security coverage.

**Q: Do you audit zero-knowledge proof contracts?**
A: Yes. We review ZK circuit logic, verifier contracts, and the interaction between on-chain and off-chain ZK components. Our security researchers combine zero-knowledge proof expertise with invariant testing to verify correctness properties in ZK-based DeFi protocols.

**Q: What is continuous security testing?**
A: Continuous security testing means your smart contracts are protected beyond the initial audit. Recon delivers a reusable invariant test suite that runs in CI on every commit, catching regressions before deployment. Combined with Recon Pro cloud fuzzing, your protocol has ongoing protection as the codebase evolves — not just a point-in-time security audit report.

**Q: Can you audit cross-chain bridges?**
A: Yes. We audit cross-chain bridge contracts, LayerZero integrations, and multi-chain DeFi deployments. Our invariant testing framework supports mainnet forking across all EVM chains, enabling realistic cross-chain security testing for bridge protocols.

[Request an Audit](https://tally.so/r/w2Vqxb) — Talk to our security researchers about your smart contract audit needs


---

## Recon Security Audit Methodology

### Smart Contract Vulnerability Detection

Recon's security audit methodology combines three complementary approaches to find vulnerabilities in Solidity smart contracts:

**1. Manual Code Review** — Expert security researchers perform line-by-line code review targeting DeFi-specific vulnerability patterns: reentrancy (cross-function, cross-contract, read-only), oracle manipulation (TWAP, spot price, stale feeds), access control misconfigurations, integer overflow and underflow, storage collision in proxy contracts, flash loan attack vectors, sandwich extraction, liquidation cascading, rounding errors in share calculations, state machine bugs, and denial of service via gas griefing.

**2. Invariant Testing & Property-Based Fuzzing** — We define critical protocol invariants — solvency, conservation of value, access control boundaries, state transition correctness — and use stateful fuzzing to explore the contract's state space. Echidna generates millions of random transaction sequences; Medusa parallelizes execution for large codebases; Foundry fuzz testing provides fast iteration.

**3. Formal Verification & Symbolic Execution** — Halmos performs bounded symbolic execution, providing mathematical guarantees that properties hold for all inputs within defined bounds. This catches arithmetic bugs, overflow conditions, and edge cases that even extensive fuzzing might miss.

### DeFi Protocol Categories We Audit

| Category | Examples | Key Invariants |
| --- | --- | --- |
| Lending Markets | Aave-style, Compound-style, custom | Solvency, liquidation thresholds, interest accrual |
| Liquid Staking | stETH-style, ERC-7540 | Share/asset ratio, withdrawal accounting |
| Yield Vaults | ERC-4626, custom | Share inflation protection, deposit/withdraw symmetry |
| DEX Protocols | AMM, CLMM, order books | Constant product, fee accounting, LP share value |
| Governance | Governor, timelock, multisig | Vote counting, proposal execution, quorum |
| Stablecoin Systems | CDP, algorithmic, backed | Peg maintenance, collateral ratio, liquidation |
| Cross-Chain Bridges | LayerZero, message passing | Message integrity, replay protection, asset conservation |

[Request an Audit](https://tally.so/r/w2Vqxb) — Get a Proposal in 24 Hours


---

## When Should You Get a Smart Contract Audit?

You need a smart contract security audit if:
- **Pre-launch** — Audit before mainnet deployment to catch critical vulnerabilities before they're exploitable
- **Before a competitive audit** — Use invariant testing to maximize the value of your code review by catching low-hanging bugs first
- **Upgrade or migration** — Audit new code before pushing upgradeable proxy changes or migrating to a new version
- **Post-exploit** — After an incident, audit to find remaining vulnerabilities and build invariant tests that prevent recurrence
- **Regulatory or insurance** — Demonstrate due diligence with a professional smart contract security audit report
- **TVL milestone** — As your protocol's TVL grows, the risk profile changes. Re-audit and extend invariant coverage to match
- **New DeFi integration** — Adding oracle feeds, lending hooks, or cross-chain bridges introduces composability risk that needs security review

Don't wait for an exploit. [Request an Audit](https://tally.so/r/w2Vqxb) — Recon provides smart contract security audits with invariant testing that protects your protocol long after the engagement ends.


---

## Advanced Security Capabilities

### Formal Verification & Symbolic Execution
Recon uses Halmos for bounded symbolic execution and formal verification of smart contract properties. Unlike traditional fuzzing, symbolic execution provides mathematical guarantees that properties hold for all inputs within defined bounds. We combine this with stateful fuzzing for the most thorough security coverage available.

### Continuous Security Testing
Smart contract security doesn't end with a point-in-time audit. Recon provides continuous security through:
- **Reusable invariant test suites** — run in CI on every commit, catching regressions before deployment
- **Recon Pro cloud fuzzing** — queue campaigns on-demand as your codebase evolves
- **Post-launch monitoring** — extend test suites as new features ship, new integrations are added, or the DeFi landscape changes

### Cross-Chain & Bridge Security
We audit cross-chain bridges, LayerZero integrations, and multi-chain DeFi deployments. Our invariant testing framework supports mainnet forking across all EVM chains — Ethereum, Arbitrum, Optimism, Base, Polygon, BSC, Avalanche, zkSync, and more — enabling realistic cross-chain security testing.

### Zero-Knowledge Proof System Audits
For protocols using ZK proofs, we review circuit logic, verifier contracts, and the interaction between on-chain and off-chain components. Our security researchers combine ZK expertise with invariant testing to verify correctness properties.

[Request an Audit](https://tally.so/r/w2Vqxb) — Talk to our security researchers about your protocol's advanced security needs


---

## Smart Contract Audit Firms — How Recon Compares

### Recon vs OpenZeppelin
OpenZeppelin is the industry standard for smart contract libraries and security audits. They've secured $110B+ TVL and work with institutional clients. Recon differentiates with invariant testing: every Recon audit delivers a reusable test suite, while OpenZeppelin provides point-in-time reports. For DeFi protocols that need ongoing protection through property-based fuzzing, Recon provides better long-term value per dollar spent on security.

### Recon vs Trail of Bits
Trail of Bits created Echidna and Slither — foundational tools for smart contract security. Recon builds on these same tools (Echidna, Medusa, Halmos) but packages them into a cloud fuzzing platform (Recon Pro) that makes invariant testing accessible. Trail of Bits offers broader cybersecurity services; Recon focuses exclusively on smart contract and DeFi security.

### Recon vs Cantina
Cantina operates as an AI-native security platform with a large researcher network. Recon offers a more focused, senior-led approach: smaller team, deeper engagement, and a cloud fuzzing deliverable you keep. Cantina's strength is scale; Recon's strength is depth of invariant testing coverage.

[Request an Audit](https://tally.so/r/w2Vqxb) — Get a tailored proposal for your smart contract security audit


---

## Service Pages Overview

Recon offers smart contract security services across five specialized service pages, each targeting specific DeFi security needs:

- **[Smart Contract Security Audit Services](https://getrecon.xyz/services/smart-contract-audit)** — Professional smart contract security audits powered by invariant testing. Keywords: smart contract audit, smart contract security audit, solidity audit, code review, security audit, blockchain audit, smart contract audit cost, smart contract audit services, best smart contract auditor
- **[DeFi Protocol Security Audit](https://getrecon.xyz/services/defi-security-audit)** — Specialized DeFi security audits with invariant testing. Keywords: defi audit, defi security audit, protocol security, defi security, lending audit, dex audit, DeFi protocol security, DeFi vulnerability, DeFi audit pricing, oracle manipulation audit, liquidation audit
- **[Invariant Testing & Fuzzing Services](https://getrecon.xyz/services/invariant-testing-services)** — Professional invariant testing and property-based fuzzing services for smart contracts. Keywords: invariant testing, property-based testing, smart contract fuzzing, fuzzing services, invariant test suite, formal verification, continuous security testing, Echidna fuzzing, Medusa fuzzer
- **[Solidity Smart Contract Audit](https://getrecon.xyz/services/solidity-security-audit)** — Expert Solidity smart contract audits with invariant testing coverage. Keywords: solidity audit, solidity security audit, evm audit, ethereum audit, solidity smart contract audit, reentrancy audit, access control audit, EVM security
- **[Smart Contract Fuzzing Services](https://getrecon.xyz/services/fuzzing-smart-contracts)** — Professional smart contract fuzzing with Echidna, Medusa, Halmos, and Foundry. Keywords: smart contract fuzzing, fuzz testing, echidna fuzzing, medusa fuzzer, property-based testing, invariant fuzzing, cloud fuzzing, stateful fuzzing, Halmos symbolic execution, Foundry fuzz testing

Each service page includes detailed methodology comparisons, DeFi vulnerability tables, FAQ sections with FAQPage schema, and direct [audit request CTAs](https://tally.so/r/w2Vqxb).


---

## Ready to Secure Your Protocol?

Whether you need a smart contract security audit, invariant testing for your DeFi protocol, or cloud fuzzing infrastructure — our security researchers are ready to help.

**Get started:**
1. **Request an Audit** — [Send your audit request](https://tally.so/r/w2Vqxb) and get a tailored quote within 48 hours
2. **Talk to Us** — [Message us on Telegram](https://t.me/GalloDaSballo) to discuss your protocol's security needs
3. **Try Recon Pro** — [Start cloud fuzzing](https://getrecon.xyz/pro) your Solidity smart contracts today
4. **Read the Docs** — [Recon documentation](https://book.getrecon.xyz) for invariant testing guides and setup
5. **View Audit Reports** — [Public audit reports](https://github.com/Recon-Fuzz/audits) showcasing our DeFi security work

## Contact

- **Request an Audit**: https://tally.so/r/w2Vqxb
- **Telegram**: https://t.me/GalloDaSballo
- **Website**: https://getrecon.xyz
- **Recon Pro**: https://getrecon.xyz/pro
- **VS Code Extension**: https://getrecon.xyz/extension
- **Documentation**: https://book.getrecon.xyz
- **Audit Reports**: https://github.com/Recon-Fuzz/audits


---

## All Content in Markdown Format

The following links serve each page as clean markdown with YAML frontmatter — optimized for AI retrieval and citation.

### Service Pages (5 pages)
- [Smart Contract Security Audit Services](https://getrecon.xyz/api/md/services/smart-contract-audit) — Professional smart contract security audits powered by invariant testing.
- [DeFi Protocol Security Audit](https://getrecon.xyz/api/md/services/defi-security-audit) — Specialized DeFi security audits with invariant testing.
- [Invariant Testing & Fuzzing Services](https://getrecon.xyz/api/md/services/invariant-testing-services) — Professional invariant testing and property-based fuzzing services for smart contracts.
- [Solidity Smart Contract Audit](https://getrecon.xyz/api/md/services/solidity-security-audit) — Expert Solidity smart contract audits with invariant testing coverage.
- [Smart Contract Fuzzing Services](https://getrecon.xyz/api/md/services/fuzzing-smart-contracts) — Professional smart contract fuzzing with Echidna, Medusa, Halmos, and Foundry.

### Blog Posts (19 articles)
### Why Invariant Testing Matters for DeFi Security
Unit tests check what you think of. Invariant tests check what you don't. Here's why every DeFi protocol needs invariant testing and how it has saved millions in real engagements.
Read more: https://getrecon.xyz/blog/why-invariant-testing-matters-defi-security
Markdown: https://getrecon.xyz/api/md/blog/why-invariant-testing-matters-defi-security

### How We Found Real Vulnerabilities with Fuzzing
A technical deep-dive into real vulnerabilities we've found through fuzzing, from critical accounting bugs to subtle rounding exploits. Includes the properties that caught them.
Read more: https://getrecon.xyz/blog/how-we-found-real-vulnerabilities-with-fuzzing
Markdown: https://getrecon.xyz/api/md/blog/how-we-found-real-vulnerabilities-with-fuzzing

### Getting Started with Recon Pro Cloud Fuzzing
A step-by-step guide to running your first cloud fuzzing campaign with Recon Pro. Go from zero to fuzzing in minutes, with no infrastructure to manage.
Read more: https://getrecon.xyz/blog/getting-started-recon-pro-cloud-fuzzing
Markdown: https://getrecon.xyz/api/md/blog/getting-started-recon-pro-cloud-fuzzing

### The Anatomy of a Critical DeFi Bug: Insolvency Through Incorrect Accounting
A single rounding error in share accounting can drain an entire vault. Walk through the anatomy of a real critical DeFi bug and learn why invariant testing is the only reliable way to catch it.
Read more: https://getrecon.xyz/blog/anatomy-critical-defi-bug-insolvency-accounting
Markdown: https://getrecon.xyz/api/md/blog/anatomy-critical-defi-bug-insolvency-accounting

### Property Design Patterns for DeFi Lending Protocols
A practical catalog of invariant property patterns for lending protocols — from solvency and utilization bounds to liquidation health checks — with Solidity code for each.
Read more: https://getrecon.xyz/blog/property-design-patterns-defi-lending
Markdown: https://getrecon.xyz/api/md/blog/property-design-patterns-defi-lending

### Echidna vs Medusa: A Practical Comparison for Security Researchers
A hands-on comparison of Echidna and Medusa for smart contract fuzzing. We cover performance, configuration, corpus management, and when to choose each tool.
Read more: https://getrecon.xyz/blog/echidna-vs-medusa-practical-comparison
Markdown: https://getrecon.xyz/api/md/blog/echidna-vs-medusa-practical-comparison

### 5 Smart Contract Vulnerabilities That Unit Tests Will Never Catch
Unit tests check what you expect. But the most dangerous vulnerabilities hide in the unexpected — cross-function reentrancy, rounding accumulation, and more. Here are five categories unit tests will never catch.
Read more: https://getrecon.xyz/blog/smart-contract-vulnerabilities-unit-tests-miss
Markdown: https://getrecon.xyz/api/md/blog/smart-contract-vulnerabilities-unit-tests-miss

### How to Set Up Continuous Security Testing with CI/CD and Fuzzing
Stop treating security as a one-time audit. Learn how to integrate Chimera-based fuzzing into your CI/CD pipeline with GitHub Actions so every pull request gets fuzzed automatically.
Read more: https://getrecon.xyz/blog/continuous-security-testing-cicd-fuzzing
Markdown: https://getrecon.xyz/api/md/blog/continuous-security-testing-cicd-fuzzing

### Understanding Rounding Errors in DeFi: How Small Bugs Lead to Big Exploits
In Solidity, there are no decimals — only integers and the illusion of precision. Learn how 1 wei rounding errors compound into protocol-draining exploits and how to defend against them.
Read more: https://getrecon.xyz/blog/rounding-errors-defi-small-bugs-big-exploits
Markdown: https://getrecon.xyz/api/md/blog/rounding-errors-defi-small-bugs-big-exploits

### What to Expect from a Smart Contract Security Audit in 2025
The smart contract audit has evolved far beyond a manual code review. Here is what a modern audit looks like in 2025 — and what you should demand from your auditor.
Read more: https://getrecon.xyz/blog/what-to-expect-smart-contract-audit-2025
Markdown: https://getrecon.xyz/api/md/blog/what-to-expect-smart-contract-audit-2025

### Stateful Fuzzing Explained: Why Sequence Matters in Smart Contract Testing
Most smart contract bugs only manifest after a specific sequence of transactions. Stateful fuzzing explores these sequences automatically — here is how it works and why it matters.
Read more: https://getrecon.xyz/blog/stateful-fuzzing-explained-sequence-matters
Markdown: https://getrecon.xyz/api/md/blog/stateful-fuzzing-explained-sequence-matters

### The True Cost of Not Auditing: Lessons from $20M+ in Prevented Losses
DeFi lost over $1.7 billion to exploits in 2024. Here is the business case for auditing, backed by real data from Recon engagements that prevented over $20M in potential losses.
Read more: https://getrecon.xyz/blog/true-cost-not-auditing-prevented-losses
Markdown: https://getrecon.xyz/api/md/blog/true-cost-not-auditing-prevented-losses

### From Zero to Fuzzing: A Beginner's Guide to the Chimera Framework
A hands-on beginner tutorial for the Chimera framework. Go from an empty project to running invariant tests with Foundry, Echidna, and Medusa — no prior fuzzing experience required.
Read more: https://getrecon.xyz/blog/zero-to-fuzzing-beginners-guide-chimera
Markdown: https://getrecon.xyz/api/md/blog/zero-to-fuzzing-beginners-guide-chimera

### Towards the Scientific Audit
Audits today are artisanal. Two auditors reviewing the same code follow different paths and produce different results. This inconsistency is the gap attackers exploit. Here is how we make audits scientific.
Read more: https://getrecon.xyz/blog/towards-the-scientific-audit
Markdown: https://getrecon.xyz/api/md/blog/towards-the-scientific-audit

### AI Smart Contract Audits: Beyond the Hype
Everyone claims AI auditing. Most mean they ran an LLM on your code. Here is what AI-powered smart contract auditing actually looks like when built on top of invariant testing and formal methods.
Read more: https://getrecon.xyz/blog/ai-smart-contract-audits
Markdown: https://getrecon.xyz/api/md/blog/ai-smart-contract-audits

### Do you need a smart contract audit?
If your contract holds user funds, controls access to funds, or governs protocol parameters that affect funds, you need an audit. Here's how to decide what type fits your situation.
Read more: https://getrecon.xyz/blog/do-you-need-smart-contract-audit
Markdown: https://getrecon.xyz/api/md/blog/do-you-need-smart-contract-audit

### How much does a smart contract audit cost in 2025?
A smart contract audit costs between $15,000 and $120,000 for most DeFi protocols. Here's a full breakdown of pricing by audit type, what drives cost, and how to get the most value from your budget.
Read more: https://getrecon.xyz/blog/smart-contract-audit-cost-pricing-guide
Markdown: https://getrecon.xyz/api/md/blog/smart-contract-audit-cost-pricing-guide

### How to write your first invariant test
A hands-on tutorial that walks you through writing three invariant properties for a simple ERC-20 vault, then running them with Foundry and Echidna. Working test suite in 30 minutes.
Read more: https://getrecon.xyz/blog/how-to-write-first-invariant-test
Markdown: https://getrecon.xyz/api/md/blog/how-to-write-first-invariant-test

### Smart contract fuzzing tools compared: Echidna, Medusa, Halmos, and Foundry
Four tools dominate smart contract fuzzing. Each approaches the problem differently, and picking the wrong one wastes time. Here's how to match the right fuzzer to your project — or use all four together.
Read more: https://getrecon.xyz/blog/smart-contract-fuzzing-tools-compared
Markdown: https://getrecon.xyz/api/md/blog/smart-contract-fuzzing-tools-compared

### Case Studies (5 engagements)
- [Liquity](https://getrecon.xyz/api/md/case-studies/liquity) — How Recon's invariant testing audit of Liquity v2 exceeded expectations, uncovering technical, arithmetic, and economic issues in one of DeFi's most anticipated launches.
- [Centrifuge](https://getrecon.xyz/api/md/case-studies/centrifuge) — How Recon built invariant testing coverage for Centrifuge's ERC-7540 implementation using Recon Pro, catching rounding errors that bypass caps.
- [Corn](https://getrecon.xyz/api/md/case-studies/corn) — How Recon found a critical insolvency bug in Corn's DeFi protocol through invariant testing, and confirmed all subsequent changes remained safe.
- [Badger](https://getrecon.xyz/api/md/case-studies/badger) — How Recon prevented a critical remBADGER accounting bug at Badger DAO through invariant testing, protecting hundreds of millions in TVL.
- [Credit Coop](https://getrecon.xyz/api/md/case-studies/credit-coop) — How Recon's invariant testing uncovered high-severity issues at Credit Coop with extremely high ROI, making invariant testing core to their development.

### Glossary (35 terms)
- [Invariant Testing](https://getrecon.xyz/api/md/learn/invariant-testing) — Invariant testing is a smart contract testing methodology that verifies properties (invariants) that must always hold true, regardless of the sequence of transactions or state changes applied to the system.
- [Fuzzing](https://getrecon.xyz/api/md/learn/fuzzing) — Fuzzing is an automated testing technique that feeds random, unexpected, or malformed inputs to a program to discover bugs, crashes, and security vulnerabilities that manual testing would miss.
- [Echidna](https://getrecon.xyz/api/md/learn/echidna) — Echidna is a Haskell-based smart contract fuzzer for Ethereum that uses [property-based testing](/learn/property-based-testing) to find violations of user-defined invariants in Solidity code.
- [Medusa](https://getrecon.xyz/api/md/learn/medusa) — Medusa is a Go-based smart contract fuzzer that uses parallel execution and coverage-guided fuzzing to find invariant violations in Solidity contracts at high speed.
- [Halmos](https://getrecon.xyz/api/md/learn/halmos) — Halmos is a symbolic execution tool for EVM smart contracts that mathematically proves whether properties hold for all possible inputs, providing formal guarantees beyond fuzzing.
- [Property-Based Testing](https://getrecon.xyz/api/md/learn/property-based-testing) — Property-based testing is a software testing methodology where developers define general properties that should always hold, and a test generator automatically creates inputs to verify those properties.
- [Smart Contract Audit](https://getrecon.xyz/api/md/learn/smart-contract-audit) — A smart contract audit is a systematic security review of blockchain smart contract code to identify vulnerabilities, logic errors, and potential attack vectors before deployment.
- [Formal Verification](https://getrecon.xyz/api/md/learn/formal-verification) — Formal verification is the use of mathematical methods to prove that a smart contract's behavior conforms to its specification for all possible inputs and states.
- [Chimera Framework](https://getrecon.xyz/api/md/learn/chimera-framework) — Chimera is Recon's open-source framework for writing invariant tests that are simultaneously compatible with Echidna, Medusa, and Foundry, eliminating tool lock-in.
- [Stateful Fuzzing](https://getrecon.xyz/api/md/learn/stateful-fuzzing) — Stateful fuzzing is a fuzzing technique that maintains contract state across a sequence of function calls, testing how transactions interact with each other over time.
- [Mutation Testing](https://getrecon.xyz/api/md/learn/mutation-testing) — Mutation testing evaluates test suite quality by introducing small code changes (mutations) and checking whether existing tests detect them.
- [Coverage-Guided Fuzzing](https://getrecon.xyz/api/md/learn/coverage-guided-fuzzing) — Coverage-guided fuzzing is a technique where the fuzzer tracks which code paths are executed and prioritizes inputs that explore new, untested paths.
- [Symbolic Execution](https://getrecon.xyz/api/md/learn/symbolic-execution) — Symbolic execution analyzes smart contracts by treating inputs as mathematical symbols rather than concrete values, exploring all possible execution paths simultaneously.
- [Fuzz Testing](https://getrecon.xyz/api/md/learn/fuzz-testing) — Fuzz testing (fuzzing) is the automated process of providing random, semi-random, or mutated inputs to software in order to trigger unexpected behavior, crashes, or security vulnerabilities.
- [Smart Contract Security](https://getrecon.xyz/api/md/learn/smart-contract-security) — Smart contract security covers the practices, tools, and methodologies used to identify and prevent vulnerabilities in blockchain smart contracts before and after deployment.
- [Reentrancy](https://getrecon.xyz/api/md/learn/reentrancy) — Reentrancy is a smart contract vulnerability where an external call allows an attacker to re-enter the calling function before its state updates are complete, enabling repeated unauthorized actions such as draining funds.
- [Flash Loan Attack](https://getrecon.xyz/api/md/learn/flash-loan-attack) — A flash loan attack exploits uncollateralized loans that must be borrowed and repaid within a single transaction, using the large capital to manipulate protocol state for profit.
- [Oracle Manipulation](https://getrecon.xyz/api/md/learn/oracle-manipulation) — Oracle manipulation is an attack where an adversary distorts the price data that a smart contract relies on, typically by exploiting spot price feeds or low-liquidity pools.
- [Slippage Protection](https://getrecon.xyz/api/md/learn/slippage-protection) — Slippage protection is a mechanism that prevents trades from executing at prices significantly worse than expected, guarding users against price impact and sandwich attacks.
- [Access Control](https://getrecon.xyz/api/md/learn/access-control) — Access control in smart contracts is the system of permissions and roles that restricts which addresses can call privileged functions, preventing unauthorized actions.
- [Integer Overflow](https://getrecon.xyz/api/md/learn/integer-overflow) — Integer overflow occurs when an arithmetic operation produces a value that exceeds the maximum (or falls below the minimum) value a fixed-size integer type can represent, wrapping around to an incorrect result.
- [Front-Running](https://getrecon.xyz/api/md/learn/front-running) — Front-running is an attack where a malicious actor observes a pending transaction in the mempool and submits their own transaction with a higher gas price to execute first, profiting at the victim's expense.
- [Proxy Pattern](https://getrecon.xyz/api/md/learn/proxy-pattern) — The proxy pattern is a smart contract architecture that enables upgradeability by separating a contract's storage (proxy) from its logic (implementation), using delegatecall to forward calls.
- [Time-Weighted Average Price (TWAP)](https://getrecon.xyz/api/md/learn/time-weighted-average-price) — A TWAP oracle computes the average price of an asset over a defined time window, smoothing out short-term volatility and resisting single-block price manipulation.
- [Liquidation Mechanism](https://getrecon.xyz/api/md/learn/liquidation-mechanism) — A liquidation mechanism is the process by which a lending protocol closes undercollateralized positions by selling collateral to repay debt, maintaining overall protocol solvency.
- [Coverage Classes](https://getrecon.xyz/api/md/learn/coverage-classes) — Coverage classes are the set of all meaningfully distinct execution paths through a smart contract, enumerated by analyzing branching conditions.
- [AI Auditing](https://getrecon.xyz/api/md/learn/ai-auditing) — AI auditing uses artificial intelligence to automate parts of the smart contract security review process, including property generation, coverage analysis, and vulnerability detection, producing executable test suites rather than just text-based findings.
- [Automated Auditing](https://getrecon.xyz/api/md/learn/automated-auditing) — Automated auditing applies automated tools and techniques — static analysis, fuzzing, formal verification, and AI-powered property generation — to systematically find smart contract vulnerabilities without relying solely on manual code review.
- [Foundry](https://getrecon.xyz/api/md/learn/foundry) — Foundry is a Solidity development framework by Paradigm that provides fast compilation, built-in fuzz testing via forge test and forge fuzz, and native support for invariant testing.
- [Solidity](https://getrecon.xyz/api/md/learn/solidity) — Solidity is the primary programming language for writing smart contracts on Ethereum and other EVM-compatible blockchains, with versions ranging from 0.
- [DeFi](https://getrecon.xyz/api/md/learn/defi) — DeFi (decentralized finance) is the ecosystem of financial applications built on blockchains, replacing traditional intermediaries with smart contracts for lending and trading.
- [Lending Protocol](https://getrecon.xyz/api/md/learn/lending-protocol) — A lending protocol is a DeFi application that lets users supply assets to earn interest and borrow assets against collateral, with solvency enforced by smart contract invariants and liquidation mechanisms.
- [Vault Security](https://getrecon.xyz/api/md/learn/vault-security) — Vault security covers the patterns and testing strategies for protecting ERC-4626 tokenized vaults and custom vault implementations against share inflation and rounding exploits.
- [Staking Security](https://getrecon.xyz/api/md/learn/staking-security) — Staking security covers the protection of staking protocols — liquid staking, restaking, and validator set management — against slashing bugs, withdrawal exploits, and LST depeg risks.
- [Governance Security](https://getrecon.xyz/api/md/learn/governance-security) — Governance security covers the protection of on-chain governance systems — voting, proposals, timelocks, and quorum mechanisms — against manipulation and unauthorized execution.

### Comparisons (8 analyses)
- [Recon vs OpenZeppelin](https://getrecon.xyz/api/md/compare/recon-vs-openzeppelin) — Compare Recon and OpenZeppelin for smart contract audits.
- [Recon vs Cyfrin](https://getrecon.xyz/api/md/compare/recon-vs-cyfrin) — Compare Recon and Cyfrin for smart contract security.
- [Echidna vs Medusa](https://getrecon.xyz/api/md/compare/echidna-vs-medusa) — Echidna vs Medusa: compare the two leading smart contract fuzzers.
- [Invariant Testing vs Unit Testing](https://getrecon.xyz/api/md/compare/invariant-testing-vs-unit-testing) — Compare invariant testing and unit testing for smart contract security.
- [Fuzzing vs Formal Verification](https://getrecon.xyz/api/md/compare/fuzzing-vs-formal-verification) — Compare fuzzing and formal verification for smart contract security.
- [Static Analysis vs Fuzzing](https://getrecon.xyz/api/md/compare/static-analysis-vs-fuzzing) — Compare static analysis and fuzzing for smart contract security.
- [Manual Audit vs Automated Testing](https://getrecon.xyz/api/md/compare/manual-audit-vs-automated-testing) — Compare manual audits and automated testing for smart contract security.
- [AI Audit vs Manual Audit](https://getrecon.xyz/api/md/compare/ai-audit-vs-manual-audit) — Compare AI-powered and manual smart contract audits.