ポスト量子監査
オンチェーン経済のために。
QorTrace監査は ポスト量子暗号リスクに限定してスコープされています — 既存のセキュリティ監査ではカバーされない脅威です。18チェーン全体で、コントラクトが依存するすべての署名スキーム、鍵導出、ペアリング操作をマッピングし、その 量子エクスポージャーをスコアリングし、監査完了時に署名付きの顧客閲覧可能な証明書を提供します。
- • コントラクトが依存するすべての暗号プリミティブ(ECDSA、EdDSA、BLS、Schnorr、HKDF、…)
- • すべての署名表面でのHarvest-now-decrypt-laterエクスポージャー
- • ハイブリッド署名対応性 · ドメイン分離 · ダウングレード耐性
- • NIST FIPS 203 / 204 / 205に基づくPQC移行プレイブック
- • CNSA 2.0 / DORA / FFIECコンプライアンス証拠
- • リエントランシー、整数オーバーフロー、アクセス制御バグ
- • ビジネスロジックの欠陥、オラクル操作、MEVベクター
- • 汎用Solidity静的解析
一般的なスマートコントラクトセキュリティについては、QorTrace PQC監査と確立された一般セキュリティ監査会社によるレビューを組み合わせることをお勧めします。当社の証明書は彼らの証明書とシームレスに重ねられます。
Need a regulator-grade PQC audit?
The self-serve audits on this page cover the SaaS path — great for active dev teams, $149/$99/$199 tiers, AI + senior reviewer. If you need a signed engagement letter, a scoped cryptographic surface review (Hybrid Signature, EIP-7702, MPC Wallet), and a 2–4 week senior-cryptographer deliverable, that's the PQC Audit Suite — priced $12k–$45k per scope, bundle 2 of 3 for 15% off, all 3 for 25%.
Two tiers, one engine.
Standard delivers a production-ready AI report in under two minutes. Deep Dive layers a senior human auditor on top — for code that's about to be deployed to mainnet, hold institutional capital, or face adversarial users.
AI-powered. ~30 seconds. Production-ready report.
Pre-launch sanity check · Solo dev · Hackathon submission
- Findings ranked Critical → Info with code excerpts + remediation
- 10-point Trust Score on industry best-practices
- Numerical Security Score (0–100)
- Shareable certificate (SVG / PNG / HTML) ready to embed
- Re-audit after fixes — score updates in real time
AI surfaces it, a senior auditor finalizes it.
Mainnet launch · Treasury vault · Cross-chain bridge · Institutional clients
- Everything in Standard, plus:
- Manual code-path tracing & threat modelling
- Economic exploit analysis (MEV, oracle abuse, governance)
- Cross-contract reasoning (multi-file, upgradeability, hooks)
- Branded PDF report + auditor sign-off
- 1× free re-audit after remediation
Three ways to send us code.
Paste raw code
Drop your .sol / .move / .rs / .cairo file straight into the textarea. Best for quick checks of a single contract.
GitHub URL
Paste a link to a single file, folder, or whole repo. We pull via the public GitHub API and scope to auditable extensions only.
Upload a .zip
Multi-file projects, monorepos, or anything off-platform. Up to 200KB of source per audit (Deep Dive: 600KB).
Two scores. Zero ambiguity.
Every QorTrace audit produces two numbers — auditable, reproducible, defensible to a CISO. Both are recomputed in real time as you mark findings as fixed or acknowledged in the dashboard.
Penalised by severity weight.
Every open finding subtracts points from a baseline of 100. Industry-norm weights mirror Trail of Bits / Consensys Diligence:
10 best-practice axes. Each pass = 10 points.
Beyond exploit-class findings, we also evaluate engineering hygiene:
- Access control modifiers (onlyOwner, RBAC)
- Events emitted on state-changing functions
- Re-entrancy protection (Guard / CEI pattern)
- Safe arithmetic (Solidity 0.8+ checks, no unchecked)
- Input validation (require / assert)
- No hardcoded secrets or private keys
- No tx.origin used for authentication
- Error handling with custom errors / messages
- NatSpec / docstring documentation
- Test files referenced in repo
Direct loss-of-funds, unrestricted privileged action, or universal exploit.
Loss-of-funds path with constraints; upgradability or governance break.
Defect requiring unusual conditions; significant DoS.
Best-practice deviation with minor security impact.
Code-quality / readability observation; no security impact.
Your shareable certificate.
Every delivered audit gets a public, branded certificate at a permanent URL. Embed it on your README, docs site, or pitch deck. Upload your project logo and we'll auto-fill it on the cert alongside the QorTrace mark — co-branded, credibility instant.
SVG · PNG · standalone HTML page with OG tags for social previews.
Every cert URL pulls from the live audit row — anyone can verify it hasn't been tampered with.
Upload your logo at submission. We auto-render it next to the QorTrace mark on every cert.
The full 18-chain matrix.
If your code runs on a public blockchain, we can audit it. Same engine, same scoring system, across every major smart-contract VM:
- Solidity (Ethereum, Polygon, Arbitrum, Optimism, Base, BNB Chain)
- Move (Aptos, Sui)
- Rust / CosmWasm (Solana, Cosmos: Osmosis, Celestia, Sei, Injective)
- Cairo (Starknet)
- Vyper (Ethereum)
- Tact / FunC (TON)
- Clarity (Stacks)
We see what others miss.
Every audit also checks for cryptographic primitives that NIST has flagged as quantum-vulnerable. We're the only auditor whose deliverable answers both 'is this secure today?' AND 'will this still be secure in 2030?'
Beyond OWASP-style classes, we cover patterns that bite custodians, exchanges, and treasuries: cold-key handling, signing-scheme selection, multisig threshold sanity, oracle dependency graphs, and bridge re-org safety.
Public scoring formula. Public severity weights. Public trust-check definitions. Your auditor's findings can be cross-checked by anyone on your team — or your investors.
The questions every team asks.
For most pre-launch sanity checks, yes — Standard catches the same exploit classes a senior human would catch in a first-pass review. For mainnet code that holds significant capital or has adversarial economic exposure (bridges, perps, lending), upgrade to Deep Dive — our human auditors do a manual code-path trace and threat-model the economic surface.
It's stored encrypted in our database, never logged externally, and only readable by the auditor assigned to your audit. Source is automatically purged 90 days after delivery unless you opt in to retention for re-audit support.
Yes — that's the point. Every audit is a live document. Mark findings 'fixed' or 'acknowledged' from your dashboard and your Security Score recomputes in real time. Deep Dive includes one free re-audit; Standard re-audits are flat-rated.
Solidity (all EVM chains: Ethereum, Polygon, Arbitrum, Optimism, Base, BNB), Move (Aptos, Sui), Rust/CosmWasm (Solana, Cosmos hubs), Cairo (Starknet), Vyper, Tact/FunC (TON), and Clarity (Stacks). 18 chains in total.
Never without your explicit consent. The certificate is public by default (you'll want to embed it). The full findings dashboard is private to your account. We only publish anonymised pattern statistics in our methodology research.
Yes — upload your project logo at submission and we'll auto-fill it on the certificate next to the QorTrace mark. Deep Dive customers also get their logo on the PDF report cover page.
Book a free 30-minute consultation with the QorTrace team. We'll walk through your scan results and a migration roadmap — no commitment.
Was this article helpful?
We use strictly-necessary cookies to run the app. With your consent we also use analytics cookies to understand how QorTrace is used so we can improve it. Cookie Policy · Privacy Policy