About Cimora

Who we are, how we work, and why the name

Our Story

Cimora began in the Andes. Its founders live in the high country of South America — the same mountains where, for centuries, curanderos have brewed cimora from the San Pedro cactus. Strip away the mysticism and the shaman's real craft is exact and unglamorous: see the sickness no one else can, name it, draw it out, and leave the body whole and protected. Diagnosis. Removal. Protection.

That's our craft too — we just practice it in code.

A smart contract carries real money and real danger, and almost all of it stays invisible until the moment it isn't. We're the ones who look where you can't: we trace every path, surface the hidden flaw, and remove it before an attacker ever sees it. The oldest work in the Andes, on the newest rails in the world.

Cimora — we see what's hidden, so your protocol stays whole.

Principals

Daniel Kuppitz

Founder & Principal

Daniel spent years as a lead Solidity engineer, shipping protocol code at several companies. The same kind of code he now takes apart for a living.

The security obsession wasn't taught, it was earned: bugs of his own that made it to production, and money of his own in protocols that got drained. Somewhere along the way a habit formed — audit every protocol yourself before trusting it with a single token. Cimora is that habit, turned into a practice.

Our Approach

What makes a Cimora audit different.

Specialized passes

Security, logic, economics, and code quality each get their own review pass over your code. Different questions need different eyes.

Verified findings only

Every finding is re-checked against the code before it goes in the report. No auto-scanner dumps, no false-positive padding. If we can't defend it, you never see it.

Principal ownership

The principal who scopes your audit reads your code and signs the report.

A report you can act on

Severity, file, line, fix. Then a verification round to confirm the patches hold.

Three rules we don't break

We take the time a codebase needs. A rushed audit is a useless audit, so we'd rather turn down an engagement than compress it.

We tell you what we found, not what you want to hear. That includes the part where your test suite passes for the wrong reasons.

We write findings to be acted on, not admired. Most audit reports are padded with informational findings so the page count justifies the invoice. Ours aren't. If we only find four things, you get four things, and they'll matter.

Sound like what you need? Tell us about your project or write to hello [at] cimora [dot] io.