LightFluxIgnite
Securing distributed ledger systems through rigorous vulnerability analysis and comprehensive smart contract examination
Back in 2019, a friend asked us to review their smart contract. Turns out, it had seventeen vulnerabilities. We still think about that sometimes.
What started as a favor between developers became something more deliberate. Now we spend our days doing what we accidentally discovered we're good at: finding the security issues others miss in blockchain systems.
Four of us were working on different blockchain projects around Taiwan in 2018. Nothing glamorous—mostly backend work, some contract deployment, the usual debugging that takes twice as long as you expect.
One evening, over terrible coffee at a Yilan café, someone mentioned how their client's token contract got drained. The exploit was obvious in hindsight. Always is. We started talking about all the contracts we'd seen with similar problems.
By mid-2020, we'd informally reviewed maybe thirty contracts for various people. Word travels in tech circles. Someone would recommend us to someone else. Pretty soon, we were doing more security work than our actual jobs.
So we made it official in early 2021. Set up shop properly, established testing protocols, built out our methodology. We're still in that same building in Yilan, though the coffee's marginally better now.
We don't rush audits. A proper review takes the time it takes. We've turned down projects because the timeline wouldn't allow for thorough testing. Your users deserve better than a hasty security check.
Security reports shouldn't require a PhD to understand. We explain vulnerabilities in plain language, show you exactly where the issues are, and discuss realistic remediation options. No jargon walls.
No security audit catches everything. We're honest about that. What we can promise is systematic analysis using proven methods, detailed documentation, and straightforward answers about what we find.
We start by understanding what your contract actually does. Not what it's supposed to do—what it does. We map out all functions, trace data flows, identify external calls, and document state changes.
This phase usually takes three to five days depending on contract complexity. It's not glamorous work, but it's essential. You can't find security issues if you don't understand the system first.
We run both automated tools and manual analysis. The tools catch common patterns—reentrancy risks, integer overflows, access control issues. But they miss context-specific vulnerabilities that only emerge from understanding your business logic.
Manual review is where we find the interesting problems. The ones that come from how functions interact, or edge cases in state transitions, or assumptions that seemed reasonable but create attack vectors.
Finding a potential issue isn't enough. We verify it. We write actual exploit code, deploy to test networks, and demonstrate the vulnerability. This eliminates false positives and shows exactly how an attacker could exploit the weakness.
Sometimes a theoretical vulnerability turns out to be unexploitable in practice. Other times, what looks like a minor issue enables complete contract compromise. Testing tells us which is which.
Our reports include severity ratings, detailed explanations, proof-of-concept exploits, and specific fix recommendations. We also note any architectural concerns that might not be vulnerabilities now but could become problems as the system evolves.
After you implement fixes, we verify them. Many teams include us in their deployment planning for major updates, which helps catch issues before they hit mainnet.
We're a small team. That's deliberate. Every audit gets reviewed by multiple people who've been doing this work for years.
Lead Security Analyst
Former backend developer who got interested in security after debugging one too many production incidents. Now spends most days reading Solidity and occasionally remembering to eat lunch.
We treat every contract like someone's going to try to break it. Because someone will. The question isn't whether vulnerabilities exist—they almost always do. The question is whether we can find them before an attacker does.
Most security issues come from complexity. The more moving parts, the more ways things can go wrong. We help teams understand where that complexity creates risk and how to manage it.
Expect regular updates, honest assessments, and occasional difficult conversations. If we find something concerning, we'll tell you directly. We're here to help you ship secure systems, not to make you feel good about insecure ones.
Most of our long-term clients started with a single audit and now involve us early in development. That works better for everyone. Security isn't something you add at the end—it's part of the architecture from day one.
If you're building on blockchain and want an honest security assessment, get in touch. We'll review your needs and let you know if we're a good fit.
Contact Us