QORTRACE AUDIT · NOW ACCEPTING SUBMISSIONS

Post-quantum audits
for the onchain economy.

QorTrace audits focus exclusively on post-quantum cryptographic risk: the threat your existing security audit does not cover. Across 18 chains, we map every signature scheme, key derivation and pairing operation your contract depends on, rate its quantum exposure, and deliver a signed, customer-viewable certificate as soon as your audit is complete.

CHAINS COVERED
18
SEVERITY LEVELS
5
C · H · M · L · Info
PQC PRIMITIVES
10+
ECDSA · EdDSA · BLS · HKDF · …
STANDARD TURNAROUND
≤2 min
AI-powered
✓ WHAT QORTRACE COVERS
  • Every cryptographic primitive your contract depends on (ECDSA, EdDSA, BLS, Schnorr, HKDF, …)
  • Harvest-now-decrypt-later exposure on every signature surface
  • Hybrid-signing readiness · domain separation · downgrade resistance
  • PQC migration plan aligned with NIST FIPS 203 / 204 / 205
  • CNSA 2.0 / DORA / FFIEC compliance evidence
— WHAT WE DON'T COVER
  • Re-entrancy, integer overflow, access-control bugs
  • Business-logic errors, oracle manipulation, MEV vectors
  • Generic Solidity static analysis

For general smart-contract security we recommend combining a QorTrace PQC audit with a review by an established general-purpose security audit firm. Our certificate stacks seamlessly alongside theirs.

CISO / PROTOCOL LEAD?

Need a regulator-grade PQC audit?

The self-serve audits on this page cover the SaaS path — great for active dev teams, $149/$99/$199 tiers, AI + senior reviewer. If you need a signed engagement letter, a scoped cryptographic surface review (Hybrid Signature, EIP-7702, MPC Wallet), and a 2–4 week senior-cryptographer deliverable, that's the PQC Audit Suite — priced $12k–$45k per scope, bundle 2 of 3 for 15% off, all 3 for 25%.

SIGNED CERTIFICATE · ENGAGEMENT LETTER · SOW · BUNDLE: -25% ON ALL 3
Open the PQC Audit Suite
STEP 1 · CHOOSE YOUR TIER

Two tiers, one engine.

Standard delivers a production-ready AI report in under two minutes. Deep Dive layers a senior human auditor on top — for code that's about to be deployed to mainnet, hold institutional capital, or face adversarial users.

STANDARD AUDIT

AI-powered. ~30 seconds. Production-ready report.

TURNAROUND
≤ 2 minutes
REVIEW
AI engine only
BEST FOR

Pre-launch sanity check · Solo dev · Hackathon submission

  • Findings ranked Critical → Info with code excerpts + remediation
  • 10-point Trust Score on industry best-practices
  • Numerical Security Score (0–100)
  • Shareable certificate (SVG / PNG / HTML) ready to embed
  • Re-audit after fixes — score updates in real time
DEEP DIVE AUDIT

AI surfaces it, a senior auditor finalizes it.

TURNAROUND
1–2 weeks
REVIEW
AI + Human reviewer
BEST FOR

Mainnet launch · Treasury vault · Cross-chain bridge · Institutional clients

  • Everything in Standard, plus:
  • Manual code-path tracing & threat modelling
  • Economic exploit analysis (MEV, oracle abuse, governance)
  • Cross-contract reasoning (multi-file, upgradeability, hooks)
  • Branded PDF report + auditor sign-off
  • 1× free re-audit after remediation
STEP 2 · SUBMIT

Three ways to send us code.

Paste raw code

Drop your .sol / .move / .rs / .cairo file straight into the textarea. Best for quick checks of a single contract.

GitHub URL

Paste a link to a single file, folder, or whole repo. We pull via the public GitHub API and scope to auditable extensions only.

Upload a .zip · SOON

Multi-file projects, monorepos, or anything off-platform. Up to 200KB of source per audit (Deep Dive: 600KB).

STEP 3 · SCORED

Two scores. Zero ambiguity.

Every QorTrace audit produces two numbers — auditable, reproducible, defensible to a CISO. Both are recomputed in real time as you mark findings as fixed or acknowledged in the dashboard.

SECURITY SCORE · 0–100

Penalised by severity weight.

Every open finding subtracts points from a baseline of 100. Industry-norm weights mirror Trail of Bits / Consensys Diligence:

  • CRITICAL: −25
  • HIGH: −10
  • MEDIUM: −4
  • LOW: −1
  • INFO: 0
TRUST SCORE · 0–100

10 best-practice axes. Each pass = 10 points.

Beyond exploit-class findings, we also evaluate engineering hygiene:

  • Access control modifiers (onlyOwner, RBAC)
  • Events emitted on state-changing functions
  • Re-entrancy protection (Guard / CEI pattern)
  • Safe arithmetic (Solidity 0.8+ checks, no unchecked)
  • Input validation (require / assert)
  • No hardcoded secrets or private keys
  • No tx.origin used for authentication
  • Error handling with custom errors / messages
  • NatSpec / docstring documentation
  • Test files referenced in repo
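As an added illustration (not QorTrace's own code), here is a small Python recomputation of both scores: the Security Score from the published severity weights, with findings marked fixed or acknowledged dropping out of the penalty, and a Trust Score over a regex approximation of five of the ten axes. The finding list, the Solidity fragment and the `close_finding` helper are constructed for the example.

```python
import re

# Severity weights as published above (Critical -25, High -10, Medium -4, Low -1, Info 0).
SEVERITY_WEIGHTS = {"CRITICAL": 25, "HIGH": 10, "MEDIUM": 4, "LOW": 1, "INFO": 0}

def security_score(findings):
    """Baseline 100 minus the weight of every finding still 'open', floored at 0.
    Findings marked 'fixed' or 'acknowledged' stop counting, which is why the
    score climbs as they are closed in the dashboard."""
    penalty = sum(SEVERITY_WEIGHTS[f["severity"]] for f in findings if f["status"] == "open")
    return max(0, 100 - penalty)

# Assumed regex approximations of five of the ten trust axes, 10 points each.
# Real checks need a parser; these only show how pass/fail scoring composes.
TRUST_CHECKS = {
    "access_control": lambda s: re.search(r"\bonlyOwner\b|\bonlyRole\b", s) is not None,
    "reentrancy_guard": lambda s: re.search(r"\bnonReentrant\b", s) is not None,
    "no_unchecked": lambda s: re.search(r"\bunchecked\s*\{", s) is None,
    "no_tx_origin_auth": lambda s: "tx.origin" not in s,
    "input_validation": lambda s: re.search(r"\brequire\s*\(", s) is not None,
}

def trust_score(source):
    """Return (points, sorted names of passed checks) over the subset above."""
    passed = sorted(name for name, check in TRUST_CHECKS.items() if check(source))
    return 10 * len(passed), passed

# Constructed sample findings: two already closed, four still open.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "CRITICAL", "status": "open"},
    {"id": "F-2", "severity": "HIGH", "status": "fixed"},
    {"id": "F-3", "severity": "MEDIUM", "status": "open"},
    {"id": "F-4", "severity": "MEDIUM", "status": "open"},
    {"id": "F-5", "severity": "LOW", "status": "acknowledged"},
    {"id": "F-6", "severity": "INFO", "status": "open"},
]
# Constructed Solidity fragment: has onlyOwner and require, but authenticates
# with tx.origin, uses an unchecked block and has no re-entrancy guard.
SAMPLE_SOURCE = """
contract DemoVault {
    function withdraw(uint256 amt) external onlyOwner {
        require(tx.origin == owner, "not owner");
        unchecked { balance -= amt; }
    }
}
"""

def close_finding(findings, finding_id, status="fixed"):
    """Dashboard action (assumed): mark one finding fixed/acknowledged, return the new list."""
    return [dict(f, status=status) if f["id"] == finding_id else f for f in findings]
```

With the sample above the Security Score is 67 (100 − 25 − 4 − 4) and rises to 92 once F-1 is marked fixed; the fragment passes only the access-control and input-validation checks, so the partial Trust Score is 20.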
SEVERITY GLOSSARY
CRITICAL

Direct loss-of-funds, unrestricted privileged action, or universal exploit.

HIGH

Loss-of-funds path with constraints; upgradability or governance break.

MEDIUM

Defect requiring unusual conditions; significant DoS.

LOW

Best-practice deviation with minor security impact.

INFO

Code-quality / readability observation; no security impact.

STEP 4 · DELIVERED

Your shareable certificate.

Every delivered audit gets a public, branded certificate at a permanent URL. Embed it on your README, docs site, or pitch deck. Upload your project logo and we'll auto-fill it on the cert alongside the QorTrace mark — co-branded, credibility instant.

SAMPLE CERTIFICATE · DEMOVAULT.SOL · LIVE FROM /api/audit/sample-2026-vault
QorTrace Audit Certificate — DemoVault.sol
Three formats

SVG · PNG · standalone HTML page with OG tags for social previews.

Live & verifiable

Every cert URL pulls from the live audit row — anyone can verify it hasn't been tampered with.

Co-branded

Upload your logo at submission. We auto-render it next to the QorTrace mark on every cert.

COVERAGE

The full 18-chain matrix.

If your code runs on a public blockchain, we can audit it. Same engine, same scoring system, across every major smart-contract VM:

  • Solidity (Ethereum, Polygon, Arbitrum, Optimism, Base, BNB Chain)
  • Move (Aptos, Sui)
  • Rust / CosmWasm (Solana, Cosmos: Osmosis, Celestia, Sei, Injective)
  • Cairo (Starknet)
  • Vyper (Ethereum)
  • Tact / FunC (TON)
  • Clarity (Stacks)
INSTITUTIONAL EDGE

We see what others miss.

Quantum-readiness baked in

Every audit also checks for cryptographic primitives that NIST has flagged as quantum-vulnerable. We're the only auditor whose deliverable answers both 'is this secure today?' AND 'will this still be secure in 2030?'

Institutional vulnerability checks

Beyond OWASP-style classes, we cover patterns that bite custodians, exchanges, and treasuries: cold-key handling, signing-scheme selection, multisig threshold sanity, oracle dependency graphs, and bridge re-org safety.

Reproducible methodology

Public scoring formula. Public severity weights. Public trust-check definitions. Your auditor's findings can be cross-checked by anyone on your team — or your investors.

FAQ

The questions every team asks.

Is the AI-only Standard tier enough for mainnet?

For most pre-launch sanity checks, yes — Standard catches the same exploit classes a senior human would catch in a first-pass review. For mainnet code that holds significant capital or has adversarial economic exposure (bridges, perps, lending), upgrade to Deep Dive — our human auditors do a manual code-path trace and threat-model the economic surface.

What happens to my source code?

It's stored encrypted in our database, never logged externally, and only readable by the auditor assigned to your audit. Source is automatically purged 90 days after delivery unless you opt in to retention for re-audit support.

Can I re-audit after fixing the findings?

Yes — that's the point. Every audit is a live document. Mark findings 'fixed' or 'acknowledged' from your dashboard and your Security Score recomputes in real time. Deep Dive includes one free re-audit; Standard re-audits are flat-rated.

What languages and chains do you cover?

Solidity (all EVM chains: Ethereum, Polygon, Arbitrum, Optimism, Base, BNB), Move (Aptos, Sui), Rust/CosmWasm (Solana, Cosmos hubs), Cairo (Starknet), Vyper, Tact/FunC (TON), and Clarity (Stacks). 18 chains in total.

Do you publish findings publicly?

Never without your explicit consent. The certificate is public by default (you'll want to embed it). The full findings dashboard is private to your account. We only publish anonymised pattern statistics in our methodology research.

Can I get a co-branded report?

Yes — upload your project logo at submission and we'll auto-fill it on the certificate next to the QorTrace mark. Deep Dive customers also get their logo on the PDF report cover page.

SCHEDULE A CONSULT
Need expert eyes on your post-quantum readiness?

Book a free 30-minute consultation with the QorTrace team. We'll walk through your scan results and a migration roadmap — no commitment.
