Unlisted / Security
Adversarial Security Reviews

Find what others miss.

Unlisted Security provides deep security reviews for smart contracts, backend systems, infrastructure, and full-stack applications. We uncover hidden vulnerabilities, broken assumptions, logic flaws, and attack paths that standard checklists miss — before they become exploits, outages, or costly failures.

5 days to first findings
100% manual review
2 reviewers per engagement
unlisted ▸ recon ▸ live (REC)
Scope: 12 surfaces · Depth: Adversarial · Findings: 6 pending
  • USR-001 · CRITICAL · smart-contract / vault.sol
    Cross-contract reentrancy via fee hook
    Attacker can re-enter settle() through plugin callback before balance update.
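The illustrative finding above describes the classic shape of a callback reentrancy: an external hook is invoked while the caller's balance is still stale. The following is an added example written for this page, not code from Unlisted Security or from any client engagement; the contract and interface names (VulnerableVault, HardenedVault, IFeeHook, onSettle) are assumptions chosen to mirror the finding's wording. It places the vulnerable ordering beside the hardened one so the difference is visible line by line.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical fee-hook plugin interface the vault calls during settle().
// All names in this file are illustrative assumptions, not from a real protocol.
interface IFeeHook {
    function onSettle(address account, uint256 amount) external;
}

// VULNERABLE pattern: the external hook runs before the balance is updated,
// so a hook that calls back into settle() still sees the old, unreduced balance.
contract VulnerableVault {
    mapping(address => uint256) public balances;
    IFeeHook public feeHook;

    constructor(IFeeHook hook) { feeHook = hook; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function settle(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        // Interaction before effect: any code reached from this call observes stale state.
        feeHook.onSettle(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount; // effect applied last: too late to protect the check above
    }
}

// HARDENED pattern: checks-effects-interactions ordering plus a reentrancy guard.
// Either measure alone closes the callback path; using both is defence in depth,
// and the CEI ordering also keeps the balance invariant true for any code the hook reaches.
contract HardenedVault {
    mapping(address => uint256) public balances;
    IFeeHook public feeHook;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked (non-zero values keep gas cost stable)

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IFeeHook hook) { feeHook = hook; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function settle(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient"); // check
        balances[msg.sender] -= amount;                           // effect
        feeHook.onSettle(msg.sender, amount);                      // interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The review point this illustrates is the one the finding names: it is not the hook itself that is dangerous, but the ordering of the hook relative to the state update. An invariant worth stating in the report for a vault like this is that, at every external call boundary, the sum of recorded balances never exceeds the contract's actual holdings; the vulnerable ordering violates it during the callback, the hardened ordering does not.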
Live recon stream: recon --surface=all --mode=adversarial
(illustrative · not a real scan)
DeFi Protocols · Vaults & Strategies · Bridges · Oracles · Prediction Markets · Staking Systems · L2 Sequencers · Custody Backends · Payment Rails · Order Books · Restaking Operators · MPC Wallets · Governance Systems
The thesis

The biggest risks are rarely sitting in plain sight.

Most serious vulnerabilities are not isolated bugs. They appear in the seams — where systems connect, where permissions overlap, where one team's assumptions become another team's exploit primitive.

We review the entire system as one connected attack surface, because real attackers do not care where one component ends and another begins.

  • Seam 01: Between contracts and backend logic

    Off-chain state assumed about on-chain state — until both diverge.

  • Seam 02: Between permissions and assumptions

    A role exists on paper. The check that enforces it does not.

  • Seam 03: Between services

    Trust boundaries silently widen as new services join the mesh.

  • Seam 04: Between intent and behavior

    What the system was designed to do versus what an attacker can make it do.

How we work

An engagement built like an attack — and a review.

We do not run a tool, generate a PDF, and disappear. Every engagement is structured around the same six steps, scaled to the size and risk of the system.

  1. Recon

    We start by understanding the system the way an attacker would — surfaces, integrations, money flow, trust boundaries, who can touch what.

    Output → Trust map · scope memo

  2. Threat modeling

    We enumerate the attackers and the abuse cases they would actually pursue. Then we list the assumptions your system silently depends on.

    Output → Threat model · assumption list

  3. Adversarial review

    Manual, line-by-line review of code, configuration, and infrastructure — guided by the threat model, not a checklist.

    Output → Findings draft · invariants

  4. Reproduction

    Where useful, we build proofs-of-concept. We confirm exploitability and severity, never inflated, never hand-waved.

    Output → PoCs · severity calibration

  5. Report

    Every finding ships with impact, exploit path, affected components, severity, likelihood, and a recommended remediation.

    Output → Final report · readout call

  6. Remediation review

    We re-review your fixes. Closing a finding is part of the engagement, not an upsell.

    Output → Verified fix sign-off
Sample report

Findings, not security theater.

Every report is engineered to be acted on. Each finding is explained by impact, exploit path, affected components, severity, likelihood, and a concrete fix — no template padding, no generic OWASP filler.

  • Severity calibrated against your real threat model
  • Reproducible exploit paths, not speculation
  • Fix recommendations that match your stack
  • Engineering-ready remediation review pass included
Engagement / USR-2025-Q4
Acme Protocol — Full-system review
Final · v1.2
Critical: 1 · High: 3 · Medium: 3 · Low: 1
  • USR-001 · CRITICAL · Cross-contract reentrancy in vault settle() · Smart Contract
  • USR-002 · HIGH · Auth bypass via stale impersonation session · Backend
  • USR-003 · HIGH · Withdrawal limit race during retries · Backend
  • USR-004 · HIGH · Oracle staleness check missing on settlement · Smart Contract
  • USR-005 · MEDIUM · Public ListBucket on signed-upload prefix · Infrastructure
  • USR-006 · MEDIUM · PR runner inherits production deploy role · Infrastructure
  • USR-007 · MEDIUM · Admin search exposes soft-deleted PII · Application
  • USR-008 · LOW · Insufficient rate limiting on password reset · Application
Frequently asked

The honest answers to the questions teams actually ask.

  • Standard audits review code against a checklist. We review systems against an attacker. We start with a threat model, look for the assumptions your system silently relies on, and then read the code with those failure modes in mind. Most of our highest-impact findings live in the integration seams a checklist will never inspect.

  • No. We are most useful when a system has more than one moving part — contracts plus a backend, contracts plus a sequencer, an app plus a webhook integration, a custodian plus an exchange. We treat the whole thing as one connected attack surface.

  • Most engagements run two to five weeks depending on scope. We agree on the surfaces, run threat modeling and adversarial review in parallel, deliver a findings report, walk through it on a call, and re-review your fixes. Larger engagements are split into phases with interim findings.

  • Yes. Mutual NDA is standard for every engagement and we are happy to sign yours. We never name clients publicly without explicit written consent.

  • Yes — and that is often where we add the most value. Threat modeling and architecture reviews on a pre-launch system are dramatically cheaper than discovering structural issues post-launch.

  • Engagements are scoped per-project, not per-line. We size based on the surfaces in scope, the depth of review, and whether reproductions and follow-up reviews are included. We will give you a fixed quote before any work begins.

Engagements opening Q1–Q2

Find what others miss.
Before attackers do.

Tell us what you're building. We'll come back with a focused scope, a fixed quote, and a sample of the kinds of risks we expect to find on a system like yours.