Ethereum and Solana security research

Ethereum and Solana protocol security reviews.

We audit Solidity and Vyper contracts on Ethereum, Solana programs, DeFi accounting, bridges, wallets, relayers, APIs, and exploit reports. You get reachable attack paths, asset impact, remediation guidance, and retest notes.

Authorized scope only · Reachable attack paths · Patch and retest notes
01 Protocol code audits

Ethereum contracts, Solana programs, upgrades, and permission boundaries.

02 DeFi accounting risk

Vaults, AMMs, lending, staking, oracle drift, and liquidation math.

03 Exploit validation

PoCs, fork tests, bounty triage, patch review, and retest verdicts.

Client outcomes

Clear decisions for launch, patch, payout, or incident response.

For Ethereum and Solana teams shipping contract changes, program upgrades, DeFi releases, bridges, wallet flows, protocol integrations, or bug bounty reports.

Patch

Separate exploitable risk from noise.

Confirm reachability, preconditions, attacker costs, asset impact, and the smallest safe remediation path.

Payout

Triage bounty claims.

Reproduce reports on forked state or controlled fixtures, confirm severity, asset impact, and disclosure notes.

Investigate

Understand abnormal protocol state.

Review transactions, roles, on-chain configuration, logs, and reachable exploit paths after alerts or incidents.

Services

Security work for Ethereum and Solana systems.

Specialized in Ethereum contracts, Solana programs, DeFi accounting, bridges, wallets, relayers, oracles, RPC, and API surfaces that trigger asset movement.

01 Ethereum audit

Ethereum smart contract review

Solidity and Vyper review for access control, proxy upgrades, storage layout, external calls, liquidation logic, and invariant breaks.

Best for: Launches, upgrades, migrations
Output: Findings, PoCs, patch notes
02 Solana audit

Solana program review

Rust and Anchor review for account validation, CPI boundaries, signer checks, PDA derivation, instruction ordering, and token flows.

Best for: Programs, PDAs, CPIs, SPL flows
Output: Exploit paths, fixes, retest
03 DeFi systems

Economic and accounting review

Analyze vault shares, AMM math, lending and liquidation paths, rewards, oracle assumptions, fees, and slippage.

Best for: Vaults, AMMs, lending, staking
Output: Loss scenarios, fork tests
04 Infrastructure

Bridge, wallet, relayer, and API review

Assess message verification, replay protection, chain routing, signer prompts, relayer authorization, RPC and API permissions, and refunds.

Best for: Bridge and wallet teams
Output: Trust map, risk verdicts
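The economic and accounting review item above names vault share math and loss scenarios, and the exploit validation item names fork tests and invariant reasoning. The following is an added example, not code from this page or from any audited project: a minimal ERC-4626-style share vault model in which the rounding direction is selectable, replayed over a constructed deposit/yield/deposit sequence with a share-price invariant checked after every operation. The `Vault`, `Op`, `Rounding` and `replay` names and the sample operation sequence are assumptions made for the illustration; the invariant itself (assets per share must not fall across a deposit or withdrawal) is the standard one for share vaults.

```rust
// Added example (not code from the page or any audited project): a minimal
// ERC-4626-style share vault model used to test rounding direction and a
// share-price invariant over a constructed operation sequence.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Rounding {
    /// Mint rounds down, burn rounds up: rounding error favors the vault.
    FavorVault,
    /// Mint rounds up, burn rounds down: the defective direction.
    FavorUser,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Vault {
    pub total_assets: u128,
    pub total_shares: u128,
    pub rounding: Rounding,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VaultError {
    Overflow,
    ZeroShares,
    Insufficient,
    InvariantBroken { op_index: usize },
}

#[derive(Debug, Clone, Copy)]
pub enum Op {
    Deposit(u128),
    /// Assets arrive without minting shares (interest or a direct transfer).
    Yield(u128),
    Withdraw { assets: u128, holder_shares: u128 },
}

/// a * b / d with explicit rounding direction and overflow checks.
fn mul_div(a: u128, b: u128, d: u128, round_up: bool) -> Result<u128, VaultError> {
    if d == 0 {
        return Err(VaultError::Overflow);
    }
    let p = a.checked_mul(b).ok_or(VaultError::Overflow)?;
    let q = p / d;
    Ok(if round_up && p % d != 0 { q + 1 } else { q })
}

impl Vault {
    pub fn new(rounding: Rounding) -> Self {
        Vault { total_assets: 0, total_shares: 0, rounding }
    }

    /// Shares minted for `assets`. The bootstrap deposit mints 1:1.
    pub fn deposit(&mut self, assets: u128) -> Result<u128, VaultError> {
        let shares = if self.total_shares == 0 || self.total_assets == 0 {
            assets
        } else {
            let up = self.rounding == Rounding::FavorUser;
            mul_div(assets, self.total_shares, self.total_assets, up)?
        };
        if shares == 0 {
            return Err(VaultError::ZeroShares);
        }
        self.total_assets = self.total_assets.checked_add(assets).ok_or(VaultError::Overflow)?;
        self.total_shares = self.total_shares.checked_add(shares).ok_or(VaultError::Overflow)?;
        Ok(shares)
    }

    /// Shares burned to withdraw exactly `assets`.
    pub fn withdraw(&mut self, assets: u128, holder_shares: u128) -> Result<u128, VaultError> {
        if assets > self.total_assets {
            return Err(VaultError::Insufficient);
        }
        let up = self.rounding == Rounding::FavorVault;
        let shares = mul_div(assets, self.total_shares, self.total_assets, up)?;
        if shares > holder_shares || shares > self.total_shares {
            return Err(VaultError::Insufficient);
        }
        self.total_assets -= assets;
        self.total_shares -= shares;
        Ok(shares)
    }
}

/// Invariant: assets per share must not fall across an operation,
/// i.e. assets_after / shares_after >= assets_before / shares_before, cross-multiplied.
pub fn price_non_decreasing(before: &Vault, after: &Vault) -> bool {
    if before.total_shares == 0 || after.total_shares == 0 {
        return true;
    }
    after.total_assets * before.total_shares >= before.total_assets * after.total_shares
}

/// Replay ops against a fresh vault, checking the invariant after each one;
/// returns the final state or the index of the first operation that broke it.
pub fn replay(rounding: Rounding, ops: &[Op]) -> Result<Vault, VaultError> {
    let mut v = Vault::new(rounding);
    for (i, op) in ops.iter().enumerate() {
        let before = v.clone();
        match *op {
            Op::Deposit(a) => {
                v.deposit(a)?;
            }
            Op::Yield(a) => {
                v.total_assets = v.total_assets.checked_add(a).ok_or(VaultError::Overflow)?;
            }
            Op::Withdraw { assets, holder_shares } => {
                v.withdraw(assets, holder_shares)?;
            }
        }
        if !price_non_decreasing(&before, &v) {
            return Err(VaultError::InvariantBroken { op_index: i });
        }
    }
    Ok(v)
}

/// Constructed sequence (assumption, not client data): bootstrap deposit, external
/// yield, then a deposit whose share count is fractional (2 * 10 / 15), which is
/// where the rounding direction decides whether the invariant holds.
pub const SAMPLE_OPS: [Op; 3] = [Op::Deposit(10), Op::Yield(5), Op::Deposit(2)];

fn main() {
    println!("favor vault: {:?}", replay(Rounding::FavorVault, &SAMPLE_OPS));
    println!("favor user:  {:?}", replay(Rounding::FavorUser, &SAMPLE_OPS));
}
```

With `Rounding::FavorVault` the sequence ends at 17 assets against 11 shares and every step keeps the price non-decreasing; with `Rounding::FavorUser` the third operation mints 2 shares for 2 assets at a price of 1.5 and the replay stops with `InvariantBroken { op_index: 2 }`, which is the shape of loss scenario a fork test or fixture replay is meant to surface before it is exercised on mainnet.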

Launching on Ethereum or Solana?

Get a focused review before mainnet, upgrade, or bounty decision.

Request proposal

Audit surface

Where we go deep.

Ethereum contracts, Solana programs, DeFi accounting, bridges, wallets, relayers, oracles, RPC, and API paths.

01

Ethereum contracts

Review access control, proxy upgrades, storage layout, state transitions, external calls, oracle usage, and invariant breaks.

Focus: reachability, fund flow impact, minimal safe fix.

Engagement model

From scope to retest, built around the technical decision.

01

Scope

Confirm chain, repos, addresses or program IDs, asset flows, roles, permitted testing, timeline, and success criteria.

02

Map

Build the trust map: admins, signers, PDAs, proxies, oracles, relayers, state transitions, and external services.

03

Test

Validate reachability with PoCs, fork tests or Anchor fixtures, invariant reasoning, and economic impact analysis.

04

Handoff

Deliver affected code, preconditions, exploit path, severity, asset impact, remediation guidance, and verification steps.

05

Retest

Review patches, changed assumptions, regression risk, and remaining exposure before launch or disclosure.

Reporting

Reports should be engineering artifacts.

Each finding states affected code, preconditions, exploit route, asset impact, remediation, and retest evidence.

Reachability · Asset impact · Fix diff review · Retest notes
GSR / Ethereum and Solana finding brief (technical + decision)
Severity: Critical fund flow break
Boundary: Oracle and accounting boundary
Proof: Fork or fixture reproduction
Impact: User fund loss scenario
Closeout: Patch diff and retest evidence
handoff:
  status: reproducible
  engineer_action: patch_accounting_boundary
  stakeholder_action: defer_launch_until_retest
  retest: ready_after_fix

Operating standards

Authorized research with tight operational boundaries.

Work starts from approved targets and produces evidence without disrupting production systems or exposing unnecessary data.

Authorization

Explicit scope

Testing begins after target ownership, addresses, program IDs, endpoints, and permitted techniques are confirmed.

Confidentiality

Private disclosure

Findings stay with approved stakeholders. Public references require explicit consent or coordinated disclosure context.

Data minimization

Controlled evidence

PoCs demonstrate impact without unnecessary fund movement, destructive actions, or data exposure.

Start an engagement

Send the contracts, programs, or exploit report.

Include chain, repo, contract addresses or program IDs, docs, app or API links, authorization, timeline, and required decision.

Ethereum audit · Solana program · DeFi accounting · Bridge wallet API · Triage retest