A* Audit was built on a principle that inverts the criminal law: guilty until proven innocent.
Our co-founder and lead auditor @thekmj_ developed this approach through judging numerous audit contests across Sherlock and Cantina. After reviewing thousands of findings submitted by other auditors, one pattern kept appearing: findings that are only theoretically or technically correct but not exploitable. Telling the two apart requires judgment that goes beyond pattern recognition. For example: a function that can revert, but only under conditions that would never occur in practice; or a front-running vector that sounds dangerous on paper but is costly for the attacker, for no real benefit. The boundary between "theoretically possible" and "definitively exploitable" is what separates the false positives from the true issues.
thekmj holds Senior Watson status on Sherlock and Cantina Residency, and has served as Judge Overseer and Bug Bounty Triager on Cantina. He has judged contests covering CDPs, AMMs, perpetuals, liquid staking, bridging, and volatility farming. He has 7 first-place contest finishes across three platforms and 22 high-severity vulnerabilities found across competitive contests. Protocols like Arcadia Finance have come back for repeat engagements.
This track record shapes how we approach every audit.
We spend the first 10 to 20 percent of an engagement building a mental map of the entire system. There is no active bug hunting during this phase: bugs found this early generally surface from scanning for known patterns rather than from an understanding of the project. The vulnerabilities that matter surface from understanding the core invariants the protocol needs in order to function, alongside the ways they can be violated.
After the mapping phase, a deliberate pause. Reviewing the same codebase for days without a break causes tunnel vision: the longer one stares at code, the more one becomes convinced it works correctly (this is exactly why debugging is harder than coding!). Stepping away refreshes the lens: you come back to challenge the code instead of defending it. As thekmj puts it: "You should disrespect the code until it earns your respect."
We apply the same rigor to trust assumptions. "Trusted admin" is often too broad a label: each privileged role has a boundary where trust is reasonable. Outside that boundary, admin actions get the same scrutiny as everything else. One of our defining findings came from proving that an admin performing a documented action would damage the protocol, because the action itself was designed incorrectly.
A* Audit focuses on DeFi math primitives: AMMs, lending protocols, and CDP systems. First-principles analysis, not pattern matching. We post bug breakdowns and security research here regularly.
DM open for audit inquiries.
(15/15) Auditing a price guard? Trace what every branch returns when the oracle can't give a clean answer. A guard that fails open is worse than none: it reads like protection.
A* Audit reviews DeFi math: AMM, lending, CDP. DMs open.
(1/15) A price guard's only job is to reject manipulated prices. This one computes its deviation as |x - x|. Zero, every time, by construction. It never rejected anything, on any of the five liquidity operations it was the sole defense for.
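The guard from the thread above, modelled as an added example (not the audited project's code nor A* Audit's): the deviation check that measures |x - x| beside an assumed fix that compares the oracle price against an independent reference and fails closed when the oracle gives no usable answer. The reference price, the basis-point tolerance and the buggy guard's fail-open branch are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class GuardRejected(Exception):
    """Raised when the guard refuses to hand a price to the caller."""


@dataclass(frozen=True)
class OracleReading:
    price: Optional[int]      # oracle answer; None models "no clean answer"
    reference: Optional[int]  # independent reference (e.g. a TWAP); assumed for this example


def buggy_guard(reading: OracleReading, max_dev_bps: int) -> int:
    """Shape of the bug in the post: deviation measured as |x - x|.
    It is zero by construction, so the rejection below can never trigger."""
    x = reading.price
    if x is None:
        return 0  # assumed fail-open branch: hands back a 'price' instead of refusing
    deviation = abs(x - x)  # always 0
    if deviation * 10_000 > max_dev_bps * x:
        raise GuardRejected("deviation too large")  # unreachable
    return x


def hardened_guard(reading: OracleReading, max_dev_bps: int) -> int:
    """Assumed fix: measure deviation against an independent reference and
    fail closed whenever either price is missing or non-positive."""
    x, ref = reading.price, reading.reference
    if x is None or ref is None or x <= 0 or ref <= 0:
        raise GuardRejected("oracle gave no usable price")  # fail closed
    deviation = abs(x - ref)
    if deviation * 10_000 > max_dev_bps * ref:
        raise GuardRejected(f"{deviation} exceeds {max_dev_bps} bps of reference")
    return x


def rejects(guard: Callable[[OracleReading, int], int],
            reading: OracleReading, max_dev_bps: int) -> bool:
    """True if the guard refused the reading, False if it handed back a price."""
    try:
        guard(reading, max_dev_bps)
    except GuardRejected:
        return True
    return False


# Constructed readings (not from the post): honest, manipulated 5x, silent oracle.
HONEST = OracleReading(price=1_000_000, reference=1_000_500)
MANIPULATED = OracleReading(price=5_000_000, reference=1_000_000)
SILENT = OracleReading(price=None, reference=1_000_000)
MAX_DEV_BPS = 200  # 2% tolerance, assumed

if __name__ == "__main__":
    for name, r in [("honest", HONEST), ("manipulated", MANIPULATED), ("silent", SILENT)]:
        print(f"{name:12s} buggy rejects={rejects(buggy_guard, r, MAX_DEV_BPS)!s:5} "
              f"hardened rejects={rejects(hardened_guard, r, MAX_DEV_BPS)}")
```

Tracing every branch of `buggy_guard` shows the two failure modes the thread names: the manipulated price passes because the deviation is self-referential, and the silent oracle passes because the guard returns a value instead of refusing.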
(14/14) Auditing a protocol that reads collateral from an external venue? Find every balance read and ask what it leaves out. A* Audit reasons about backing as net equity first, then checks the code against it. DMs open.
(1/14) The precompile returned the margin account's assets and its debt in the same call. The code decoded four fields and kept one: the asset. The protocol now computes its backing from money it owes as if it owned it.