EVM + L2 smart contract audit
EVM + L2 audits on Ethereum, Arbitrum, Optimism, and Base, with a forked-mainnet PoC.
Manual line-by-line smart contract audit of Solidity, Vyper, and Yul. ERC-4337 paymasters, EIP-7702 delegation, ERC-4626 vaults, MEV-aware ordering, L2 bridges on Arbitrum, Optimism, Base, Scroll, and zkSync. Every finding ships with a forked-mainnet proof-of-exploit transaction, not a CWE row.
Proxy-pattern storage collisions ship value-leaking bugs that static review misses.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

WHAT EVERY EVM AUDIT SHIPS.
Three artifacts a treasury or board reviewer asks for after deploy.
Forked-mainnet PoC, ERC and EIP conformance read at the Yul level, plus L2-specific replay surface. The artifacts every treasury and board reviewer asks for after deploy.
Solidity and Vyper reviewed line by line. The compiled Yul is checked against the source for opcode-level surprises: SLOAD ordering, MSTORE corruption, jump-table abuse, return-data overflow.
Every finding reproduced as a Foundry or Echidna PoC against the actual deployed state. Reentrancy classes (single-function, cross-function, read-only), ERC-4337 paymaster takeover, ERC-4626 share inflation, MEV sandwich, EIP-7702 delegation drift.
Arbitrum, Optimism, Base, Scroll, zkSync. L1 to L2 messaging, nonce reuse on the bridge, finality assumptions on optimistic withdrawals, precompile-equivalence gaps versus L1.
EVM-SIDE FINDINGS.
EVM and L2 classes the standard checklist will not surface.
- 01 Reentrancy, three flavors
  Single-function, cross-function, and read-only reentrancy reproduced against forked mainnet with a Foundry exploit test.
- 02 ERC-4337 paymaster takeover
  Sponsorship logic where a crafted UserOperation drains the paymaster deposit or pins gas onto an unrelated bundler.
- 03 EIP-7702 delegation drift
  Delegated EOAs that keep authority across a session boundary, letting an old code pointer execute on new state.
- 04 ERC-4626 share inflation
  First-deposit donation attacks against vaults, plus rounding that quietly transfers value from late depositors to the donor.
- 05 L2 bridge nonce reuse
  Optimism and Arbitrum withdrawal proofs replayed against a stale message root, or sequencer ordering used to front-run finalization.
- 06 MEV sandwich and JIT
  Slippage tolerances and TWAP windows tuned so a searcher can wrap the victim swap profitably inside one block.
- 07 Yul and assembly slips
  Hand-written Yul that skips a calldata bounds check, or inline assembly that clobbers the free memory pointer.
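The ERC-4626 share-inflation item above is easiest to see in the share arithmetic itself. The model below is an added example, not code from the page or from SecureLayer7: it replays the standard first-deposit donation sequence against a vault using plain ERC-4626 conversion math, then against the same vault with the virtual-share decimals offset that OpenZeppelin's ERC4626 implementation uses as the mitigation. All amounts (1 wei seed, 10,000 donation, 10,000 victim deposit) and the `Vault` class are constructed for the illustration; `donate` stands in for a direct token transfer to the vault that mints no shares.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Vault:
    """Minimal ERC-4626 share accounting (constructed model, not a real contract).

    decimals_offset=None  -> naive math: first depositor gets 1 share per asset,
                             later conversions use totalSupply / totalAssets.
    decimals_offset=d     -> virtual-share mitigation: 10**d virtual shares and
                             1 virtual asset are added to every conversion.
    Both deposit and redeem round down (in favour of the vault), as ERC-4626 requires.
    """
    decimals_offset: Optional[int] = None
    total_assets: int = 0
    total_supply: int = 0
    balances: Dict[str, int] = field(default_factory=dict)

    def _virtual_shares(self) -> int:
        return 0 if self.decimals_offset is None else 10 ** self.decimals_offset

    def _virtual_assets(self) -> int:
        return 0 if self.decimals_offset is None else 1

    def convert_to_shares(self, assets: int) -> int:
        if self.decimals_offset is None and self.total_supply == 0:
            return assets  # naive vault: 1:1 on the very first deposit
        return (assets * (self.total_supply + self._virtual_shares())
                // (self.total_assets + self._virtual_assets()))

    def convert_to_assets(self, shares: int) -> int:
        if self.decimals_offset is None and self.total_supply == 0:
            return shares
        return (shares * (self.total_assets + self._virtual_assets())
                // (self.total_supply + self._virtual_shares()))

    def deposit(self, user: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def donate(self, assets: int) -> None:
        # Direct transfer of the underlying token to the vault: raises
        # totalAssets without minting shares. This is the inflation lever.
        self.total_assets += assets

    def redeem(self, user: str, shares: int) -> int:
        if self.balances.get(user, 0) < shares:
            raise ValueError("insufficient shares")
        assets = self.convert_to_assets(shares)
        self.balances[user] -= shares
        self.total_supply -= shares
        self.total_assets -= assets
        return assets


def simulate(decimals_offset: Optional[int]) -> Dict[str, int]:
    """Run the donation sequence and report what each party ends up with."""
    vault = Vault(decimals_offset=decimals_offset)
    seed, donation, victim_in = 1, 10_000, 10_000      # constructed amounts

    attacker_shares = vault.deposit("attacker", seed)   # 1 wei seeds the vault
    vault.donate(donation)                              # inflate price per share
    victim_shares = vault.deposit("victim", victim_in)  # victim's shares round down
    attacker_out = vault.redeem("attacker", attacker_shares)
    victim_out = vault.redeem("victim", victim_shares)

    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_net": attacker_out - (seed + donation),
    }


if __name__ == "__main__":
    print("naive vault:     ", simulate(None))
    print("offset=6 vault:  ", simulate(6))
```

With naive math the victim's 10,000 deposit rounds to zero shares and the attacker's single share redeems for the whole pool, a net gain equal to the victim's deposit. With a decimals offset of 6 the same donation costs the attacker roughly half of what was donated while the victim loses only 1 wei to rounding, which is why the mitigation works by making the attack unprofitable rather than impossible. A Foundry PoC of the kind the page describes checks the same two numbers against the deployed vault's real `previewDeposit` and `redeem` calls.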
On record
EVM AUDIT METHODOLOGY.
Four phases. Solidity, Yul, and MEV under one rubric.
Same engagement shape as the parent audit, scoped to EVM-specific surface area: storage layout and Yul opcodes, reentrancy across all three classes, MEV-aware ordering, account abstraction, and L2 cross-domain calls.
- 01 Threat-model & scope
- 02 Static, symbolic, fuzzing
- 03 Manual exploit research
- 04 Report & fix-verify
Six EVM contract shapes. Named bugs in each.
Solidity, Vyper, and Yul on EVM L1, L2s (Arbitrum, Optimism, Base, Scroll, zkSync), and EVM-compatible chains (Polygon, BSC, Avalanche). Each surface audited against the EVM-specific bugs that actually break contracts of that shape.
EVM chains in coverage
Ethereum L1 plus L2s (Arbitrum, Optimism, Base, Scroll, zkSync, Linea) and EVM-compatible chains (Polygon, BSC, Avalanche). Solidity, Vyper, and Yul reviewed by the same auditor pair.
EVM CVEs published
Public CVE records from SL7 EVM research. Open the advisory, read the write-up. Verifiable artifacts, not customer aggregates.
Manual review-hours
Per EVM engagement, per auditor pair. Itemised in the sample report on request. Foundry and Echidna augmented, never tooling-only.
Insights
Ethereum & EVM Resources.
EVM-side audit notes: gas-griefing, delegatecall traps, and the upgrade-pattern mistakes our reviewers flag again and again.
Rule of the rig
“A finding without a forked-mainnet transaction is a guess. Every severity in our EVM audit ships with a Foundry PoC against the actual deployed bytecode: single-function, cross-function, or read-only reentrancy; ERC-4337 paymaster takeover; L2 nonce reuse. Fix-verify means the PoC reverts on the patched contract, not that the diff reads clean.”
Meet your engagement lead
One named lead from scope to close.
John Dill
vCISO at SecureLayer7
200+ engagements scoped
11 chains in coverage
14 yr SL7 offensive lineage
EVM audits start with scope, not code. John maps your Solidity contracts, storage layout, ERC and EIP conformance, and L2 cross-domain surface into a written engagement plan, then brings in the auditor pod that signs the report.
Read the redactable sample report.
Pick a 30-minute slot. We will scope your engagement on the call.
AI in our engagements
Where AI runs. Where a human signs.
AI accelerates recon, ABI mapping, and Foundry test scaffolding. CREST-accredited researchers chain the exploit at the Solidity and Yul level and sign every finding. We publish the handoff per phase so your auditor can read it.
Common procurement questions
What buyers ask about EVM + L2 audits.
Six questions treasury, ops, and platform leads send before signing an EVM audit SOW.
Have a procurement question not listed here?
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
EVM sample audit report
See a forked-mainnet ERC-4626 PoC.
A redacted EVM audit report: every finding mapped to a forked-mainnet tx hash, every remediation tied to exact Solidity and Yul lines. ERC-4337 paymaster and L2 bridge findings included.