Our Methodology

A structured approach to finding vulnerabilities and delivering actionable reports

Audit Process

From initial scoping to final report delivery, here's what to expect.

01. Scoping & Agreement

We review your codebase, discuss scope, and provide a detailed estimate. Once agreed, we formalize the engagement with a clear agreement.

02. Code Review

We run parallel, specialized analyses across the security, logic, economics, and quality dimensions. All findings are reviewed and verified.

03. Initial Report

A PDF report with every finding: severity, location, the code in question, and how to fix it. Written to be acted on, not filed away.

04. Fix Window

A 21-day window for your team to address the findings. We're available for questions and clarification throughout this period.

05. Fix Verification

We review all fixes, verify remediations, and update finding statuses. One round of verification is included.

06. Final Report

Updated report with fix verification results. Ready for publication or internal documentation.

What We Look For

Our audits cover four key dimensions, each receiving specialized focus.

Security

  • Reentrancy vulnerabilities
  • Access control flaws
  • Oracle manipulation
  • Flash loan attacks
  • MEV vulnerabilities
  • Front-running risks
  • Signature replay
  • Integer overflow/underflow

Logic

  • Rounding errors
  • Boundary conditions
  • State transition flaws
  • Off-by-one errors
  • Precision loss
  • Order of operations
  • Invariant violations
  • Edge case handling

Economics

  • Incentive alignment
  • Value extraction paths
  • Game theory attacks
  • Economic griefing
  • Token economics
  • Fee manipulation
  • Liquidity attacks
  • Protocol insolvency

Quality

  • Documentation gaps
  • Naming conventions
  • Code organization
  • Test coverage
  • Unused code
  • Complexity issues
  • Maintainability
  • Best practices

Severity Definitions

Findings are categorized by severity to help prioritize remediation efforts.

Critical

Direct loss of funds or complete protocol compromise. Requires immediate action before deployment.

High

Significant loss of funds under specific conditions or major protocol dysfunction. Should be fixed before deployment.

Medium

Limited loss, griefing potential, or protocol inefficiency. Recommended to fix.

Low

Best practice violations, minor issues, or improvements. Consider fixing.

Informational

Style suggestions, documentation improvements, or observations. Optional to address.

Deliverables

What lands in your inbox at the end.

PDF Report

Professional document with all findings

Severity Ratings

Clear prioritization for remediation

Recommendations

Actionable remediation guidance

Fix Verification

One round included in every audit

Questions about any of this? hello [at] cimora [dot] io — we answer scoping questions before there's any engagement.