On-chain activity
Guvenkaya Security Services
Guvenkaya provides comprehensive security assessment services for both blockchain and traditional systems. The service examines smart contracts on NEAR, Solana, Aptos, Sui platforms, Substrate chains, and virtual machines. Security professionals test web applications, wallets, cloud infrastructure, and mobile apps for vulnerabilities. The service includes code review, penetration testing, DevSecOps guidance, and phishing simulations.
Guvenkaya
Guvenkaya is a security advisory firm that audits smart contracts, blockchain protocols, and high-stakes digital infrastructure, with particular depth in Rust-based and non-EVM ecosystems — including Solana, NEAR, and Substrate chains.
What It Is and the Problem It Solves
Blockchains built outside the EVM present a distinct set of security challenges. Rust's memory-safety guarantees reduce one class of bugs but introduce others — concurrency issues, integer overflow in unchecked arithmetic, unsafe cross-contract reentrancy patterns, and chain-specific runtime behaviours that generic EVM auditors often lack the tooling and intuition to catch. Guvenkaya was founded to close that gap: a firm whose entire practice is oriented around Rust-based protocols and the custody, key-management, and operational-security layers that surround them.
The firm reviews the systems and workflows that carry the highest technical, operational, or financial risk, then delivers findings alongside risk context, remediation guidance, and an executive-ready readout — bridging the gap between deep technical findings and board-level decision-making.
Core Services
Smart Contract and Protocol Security Reviews are the firm's flagship offering. Engagements cover on-chain logic — smart contracts, pallets, programs — as well as off-chain components such as indexers, relayers, and TypeScript or Rust back-ends that interact with the chain. Reviews are scoped to the code paths where a vulnerability could result in loss of funds, privilege escalation, or protocol manipulation.
Custody and Key Management Review addresses the operational layer beneath the contracts: how private keys are generated, stored, rotated, and used in ceremony. This includes multi-party computation setups, hardware security module configurations, and signing workflows for custodians and institutions.
AI and AI-Agent Security is a newer practice line covering LLM-powered applications, retrieval-augmented generation (RAG) workflows, and autonomous on-chain agents. As AI-driven bots and co-pilots become more prevalent in DeFi, Guvenkaya has signalled active investment in this area through published research on security issues in AI-generated applications.
Penetration Testing and Infrastructure Security extends the firm's reach into network-level and cloud infrastructure assessments — external and internal testing across hybrid environments.
Risk Assessment and Technical Due Diligence provides executive-grade security posture evaluations and pre-investment security assessments for funds and acquirers evaluating protocol targets.
Secure Architecture and Process Design is a pre-launch consultation service: Guvenkaya can be engaged before code is written to design systems and operational workflows that are difficult to attack from the outset, including key-ceremony rehearsals and incident-response playbooks.
Solana-Specific Work
Guvenkaya's public audit portfolio — 26 reports published in the Guvenkaya/public-reports GitHub repository — is dominated by NEAR Protocol engagements, reflecting the firm's origins in that ecosystem. Solana is represented by at least one published report: a security review of Cleopetra, a Solana-based trading bot written in TypeScript. The Rust expertise that underpins the NEAR practice transfers directly to Solana programs, which are also written in Rust (or Anchor, which compiles to it), making the firm a credible auditor for Solana projects even as the public Solana portfolio grows.
Notable Clients and Track Record
The 26-report public portfolio spans a range of projects across NEAR and adjacent ecosystems. Sweat Economy received the most sustained attention — nine separate assessments — covering distinct features and protocol upgrades over time, consistent with the kind of ongoing retainer relationship large protocols use to cover iterative development. Other audited protocols include Spin Finance, Defuse Labs, Potlock, Jump DeFi, Sailor Lend, Ample Protocol, DeFiShards, Virto Network (a Substrate-based chain), and Templar.
The firm reports that its work covers 24 million or more end users and over $20 billion in secured volume — figures reflecting the aggregate TVL and user bases of its client protocols, not assets under Guvenkaya's direct management.
Team and Background
Guvenkaya was founded by Timur Guvenkaya, who previously established and led the Rust, Substrate, and NEAR security practice at Halborn — one of the best-known blockchain security firms in the industry. At Halborn, he secured protocols with over $600 million in combined TVL, including Composable Finance, Nodle, and Octopus Network. Before blockchain security, he worked at Invicti Security, where he designed a JWT analysis engine deployed by Fortune 500 companies, banks, and government agencies including Verizon, Ford, and NASA. Team members hold backgrounds at Kraken, EY, Cisco, Binance, and ING.
Certifications across the team include OSCP (Offensive Security Certified Professional), OSWE (web exploitation), CREST CRT, CEH, and AWS security credentials — covering both on-chain and traditional infrastructure attack surfaces.
Tokens and Assets
Guvenkaya is a professional services firm and does not issue or manage any native token. Engagements are fee-based consulting relationships.
Audit Status
As a security firm, Guvenkaya is the auditor rather than the auditee. No public third-party assessment of the firm's own operational security practices was identified in research.
Solana Ecosystem Fit
Security auditing is foundational infrastructure for the Solana ecosystem. The Solana Foundation's 2026 STRIDE framework and the accompanying Solana Incident Response Network (SIRN) underscore growing institutional demand for credentialed security partners across the network. Guvenkaya's Rust-native expertise positions it to serve Solana programs (written in Rust or Anchor), AI-driven on-chain agents, and the custody infrastructure that institutions use to interact with the network. For Solana projects that sit outside the EVM audit mainstream — complex program architecture, custom virtual machines, or cross-chain bridge work — Guvenkaya's specialist positioning is a meaningful differentiator from generalist audit shops.
Contents
- What It Is and the Problem It Solves
- Core Services
- Solana-Specific Work
- Notable Clients and Track Record
- Team and Background
- Tokens and Assets
- Audit Status
- Solana Ecosystem Fit
Solana Token Markets
